From 74ff95034fa6e579aa5d3f2214125a6d2a0ab18f Mon Sep 17 00:00:00 2001
From: Jarek Potiuk
Date: Sat, 4 Apr 2026 13:58:04 +0200
Subject: [PATCH] Fix allowlist-check to always use latest approved_patterns.yml from main

When projects pin the allowlist-check action to a specific commit hash, the action was reading the approved_patterns.yml bundled at that commit. This meant newly approved actions/versions added to the allowlist after that commit would not be recognized, causing false-positive failures for projects that had not yet bumped their pin.

Now the action fetches approved_patterns.yml from the main branch at runtime via curl, so the check always uses the most up-to-date allowlist regardless of which version of the action the caller has pinned.

Generated-by: Claude Opus 4.6 (1M context)
---
 allowlist-check/action.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/allowlist-check/action.yml b/allowlist-check/action.yml
index 2a6213ac..10ca0ca2 100644
--- a/allowlist-check/action.yml
+++ b/allowlist-check/action.yml
@@ -34,8 +34,14 @@ runs:
     - name: Install ruyaml
       shell: bash
       run: pip install ruyaml
+    - name: Fetch latest approved_patterns.yml from main
+      shell: bash
+      run: |
+        curl -sSfL \
+          "https://raw.githubusercontent.com/apache/infrastructure-actions/main/approved_patterns.yml" \
+          -o "${{ runner.temp }}/approved_patterns.yml"
     - name: Verify all action refs are allowlisted
       shell: bash
-      run: python3 "${{ github.action_path }}/check_asf_allowlist.py" "${{ github.action_path }}/../approved_patterns.yml"
+      run: python3 "${{ github.action_path }}/check_asf_allowlist.py" "${{ runner.temp }}/approved_patterns.yml"
       env:
         GITHUB_YAML_GLOB: ${{ inputs.scan-glob }}
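Review bot: The new "Fetch latest approved_patterns.yml from main" step changes what a SHA-pinned caller actually gets: check_asf_allowlist.py is still pinned to the action commit, but the policy it enforces now comes from whatever is on `main` at run time, so the pin no longer makes the allowlist result reproducible and the allowlist file still bundled next to the action becomes dead on this path. That trade-off is deliberate per the commit message, but it should be stated in the file; suggest a comment above the step: `# Policy is fetched from main on purpose: a SHA-pinned action would otherwise enforce a stale allowlist. Only the checker code is pinned.`. The curl line relies on `-f` to turn a non-2xx response into a step failure, which is correct, but a transient raw.githubusercontent.com error fails every consumer's build with no retry; `curl -sSfL --retry 3 \` on the first curl line is a cheap mitigation. If a fallback to the bundled copy is ever added, it should print a visible warning rather than silently reintroducing the stale-list behaviour this commit fixes.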