apache · snazy · Nov 7, 2025 · Apr 18, 2026 · Apr 18, 2026 · Jun 2, 2026
@@ -0,0 +1,61 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+name: Check action tags
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/check_action_tags.yml"
+      - ".github/workflows/update.yml"
+      - ".github/actions/for-dependabot-triggered-reviews/action.yml"
+      - "actions.yml"
+      - "approved_patterns.yml"
+      - "gateway/**"
+  pull_request:
+    paths:
+      - ".github/workflows/check_action_tags.yml"
+      - ".github/workflows/update.yml"
+      - ".github/actions/for-dependabot-triggered-reviews/action.yml"
+      - "actions.yml"
+      - "approved_patterns.yml"
+      - "gateway/**"
+
+permissions:
+  contents: read
+
+# We want workflows on main to run in order to avoid losing data through race conditions
+concurrency: "${{ github.ref }}-${{ github.workflow }}"
+
+jobs:
+  check_action_tags:
+    runs-on: ubuntu-latest
+    steps:
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - run: pip install ruyaml 
+
+      - name: Update actions.yml and check action tags
+        # This step is similar to the one in update_actions.yml but also verifies the actions' tags
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: python gateway/run_action_tags.py
@@ -273,8 +273,9 @@ Two workflows in `.github/workflows/` run `verify-action-build` on PRs that touc
 
 - **`verify` job in `verify_dependabot_action.yml`** — triggers on Dependabot PRs that modify `.github/actions/for-dependabot-triggered-reviews/action.yml`. Extracts the action reference from the PR, rebuilds the compiled JavaScript in Docker, and compares it against the published version.
 - **`verify` job in `verify_manual_action.yml`** — triggers on human-authored PRs that modify `actions.yml` or `approved_patterns.yml` (i.e. manual allow-list additions / version bumps). Dependabot-authored PRs are skipped, since they are already covered by the workflow above.
+- **`check_action_tags` job in `check_action_tags.yml`** — triggers when `actions.yml`, `approved_patterns.yml`, the generated Dependabot composite action, the update workflow, or gateway verification code changes. It verifies that configured action SHAs exist and, when a `tag` is recorded, that the SHA is reachable from that Git tag or branch.
 
-Both workflows use a regular `pull_request` trigger with read-only permissions and no PR comments — pass/fail is surfaced through the status check. Neither workflow auto-approves or merges; a human reviewer must still approve.
+These workflows use regular `pull_request` triggers with read-only permissions and no PR comments — pass/fail is surfaced through the status check. They do not auto-approve or merge; a human reviewer must still approve.
 
 The script exits with code **1** (failure) when something is unexpectedly broken — for example, the action cannot be compiled, the rebuilt JavaScript is invalid, or required tools are missing. In all other cases it exits with code **0** and produces reviewable diffs: a large diff does not by itself cause an error (e.g. major version bumps will naturally have big diffs). It is always up to a human reviewer to inspect the output, assess the changes, and decide whether the update is safe to approve.
 

@@ -923,17 +923,23 @@ sbt/setup-sbt:
   af116cce31c00823d3903ce687f9cda3a4f19f1b:
     tag: v1.2.1
 scacap/action-surefire-report:
+  # GH API requests from GH hosted runners fail with 403 and the following error message:
+  # 'Although you appear to have the correct authorization credentials, the `ScaCap` organization has an IP allow list enabled, and your IP address is not permitted to access this resource.'
   '*':
     expires_at: 2026-08-01
+    ignore_gh_api_errors: true
   5609ce4db72c09db044803b344a8968fd1f315da:
     tag: v1.9.1
     expires_at: 2026-07-17
+    ignore_gh_api_errors: true
   fa13579fdd93ed8fc7e717a25eceedcfcbc39dda:
     tag: v1.10.0
     expires_at: 2026-07-31
+    ignore_gh_api_errors: true
   3dacff26879cd2a7f2160d101254032a3707fe6f:
     expires_at: 2026-08-01
     tag: v1.12.0
+    ignore_gh_api_errors: true
 scalacenter/sbt-dependency-submission:
   f43202114d7522a4b233e052f82c2eea8d658134:
     tag: v3.2.1