From f9826c1b8911dfb23399f9d180642caeccfc182c Mon Sep 17 00:00:00 2001
From: Jarek Potiuk
Date: Mon, 1 Jun 2026 16:32:53 +0200
Subject: [PATCH] Allowlist carabiner v1.2.0 transitive ampel-bootstrap + download-and-verify
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The hourly "Check for transitive failures in current latest actions" workflow has been failing on every scheduled run since the carabiner v1.2.0 bump. `ampel/verify@v1.2.0` (e0e3b814) transitively resolves `install/ampel-bootstrap` and `install/download-and-verify` at the same v1.2.0 monorepo commit (e0e3b814), but only three of the five carabiner sub-actions had that SHA allowlisted — these two were missed in the v1.2.0 sync, so the run is blocked with "is not allowed in apache/infrastructure-actions".

Add e0e3b814 to both sub-action blocks in actions.yml as allowlisted-but-
expiring transitive entries (the existing 9db1a064 stays the live, dependabot-tracked ref, so the composite is unchanged) and regenerate approved_patterns.yml via the gateway sync.

Generated-by: Claude Opus 4.8 (1M context)
---
 actions.yml           | 10 ++++++++++
 approved_patterns.yml |  2 ++
 2 files changed, 12 insertions(+)

diff --git a/actions.yml b/actions.yml
index f23ac4b97..06aeecf76 100644
--- a/actions.yml
+++ b/actions.yml
@@ -186,6 +186,11 @@ carabiner-dev/actions/install/ampel-bootstrap:
   0a075bb75a68646d05f99c85cbbf2be40dd8e442:
     expires_at: 2026-08-16
   9db1a064ca5691ef6f5d983031739ca287de0968: {}
+  # transitive dep pulled by ampel/verify @ v1.2.0 (e0e3b814); allowlisted
+  # but not dependabot-tracked (9db1a064 above stays the live ref).
+  e0e3b8149dafed833431095bc148d50e7eade4e8:
+    tag: v1.2.0
+    expires_at: 2026-08-16
 carabiner-dev/actions/install/bnd:
   2a11d59a135c5e291f305f249a92ad7903e3ee0f:
     # transitive dep of carabiner-dev/actions/ampel/verify @ v1.2.0
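Review bot: The `tag: v1.2.0` on the new `e0e3b8149…` entry asserts a SHA-to-tag binding that, per the commit message, was taken from the failing run's error output rather than checked upstream, and this hunk's own context already labels a different SHA (`2a11d59a…` under `install/bnd`) as the v1.2.0 transitive dep, so the tag appears to have pointed at more than one commit. Before allowlisting, confirm that `e0e3b814` is what `refs/tags/v1.2.0` in carabiner-dev/actions currently resolves to (e.g. `git ls-remote --tags https://github.com/carabiner-dev/actions v1.2.0`) and that it is the SHA the `ampel/verify` composite's `uses:` lines pin; otherwise the allowlist is only echoing whatever ref the workflow happened to pull. It is also not clear from this file whether `tag:` is informational or is what marks the dependabot-followed ref — the live `9db1a064…` entry is `{}` with no tag — so if `tag:` drives tracking the new comment `# but not dependabot-tracked` is wrong, and if it does not, the comment should say so. I would have the comment record how the SHA was verified, e.g. `# transitive dep of carabiner-dev/actions/ampel/verify @ v1.2.0 (e0e3b814); SHA confirmed against upstream tag; not dependabot-tracked, 9db1a064 above stays the live ref`.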
@@ -202,6 +207,11 @@ carabiner-dev/actions/install/download-and-verify:
   6022a065d6420de5d86333ecfb2b25c57f84b699:
     expires_at: 2026-08-16
   9db1a064ca5691ef6f5d983031739ca287de0968: {}
+  # transitive dep pulled by ampel/verify @ v1.2.0 (e0e3b814); allowlisted
+  # but not dependabot-tracked (9db1a064 above stays the live ref).
+  e0e3b8149dafed833431095bc148d50e7eade4e8:
+    tag: v1.2.0
+    expires_at: 2026-08-16
 carloscastrojumo/github-cherry-pick-action:
   503773289f4a459069c832dc628826685b75b4b3:
     tag: v1.0.10
diff --git a/approved_patterns.yml b/approved_patterns.yml
index a1f5fc953..f336e33cb 100644
--- a/approved_patterns.yml
+++ b/approved_patterns.yml
@@ -73,11 +73,13 @@
 - carabiner-dev/actions/install/ampel@e0e3b8149dafed833431095bc148d50e7eade4e8
 - carabiner-dev/actions/install/ampel-bootstrap@0a075bb75a68646d05f99c85cbbf2be40dd8e442
 - carabiner-dev/actions/install/ampel-bootstrap@9db1a064ca5691ef6f5d983031739ca287de0968
+- carabiner-dev/actions/install/ampel-bootstrap@e0e3b8149dafed833431095bc148d50e7eade4e8
 - carabiner-dev/actions/install/bnd@2a11d59a135c5e291f305f249a92ad7903e3ee0f
 - carabiner-dev/actions/install/bnd@e0e3b8149dafed833431095bc148d50e7eade4e8
 - carabiner-dev/actions/install/download-and-verify@2a11d59a135c5e291f305f249a92ad7903e3ee0f
 - carabiner-dev/actions/install/download-and-verify@6022a065d6420de5d86333ecfb2b25c57f84b699
 - carabiner-dev/actions/install/download-and-verify@9db1a064ca5691ef6f5d983031739ca287de0968
+- carabiner-dev/actions/install/download-and-verify@e0e3b8149dafed833431095bc148d50e7eade4e8
 - carloscastrojumo/github-cherry-pick-action@503773289f4a459069c832dc628826685b75b4b3
 - carlosperate/arm-none-eabi-gcc-action@*
 - check-spelling/check-spelling@*
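Review bot: The comment on the new `e0e3b8149…` entry uses a different wording and a shortened action path (`ampel/verify`) than the existing transitive-dep comment in the previous hunk (`# transitive dep of carabiner-dev/actions/ampel/verify @ v1.2.0` on `install/bnd`'s `2a11d59a…`), and the same two-line comment is now pasted verbatim into both sub-action blocks; an allowlist is audited by grepping for full action paths, so I would use one consistent form, e.g. `# transitive dep of carabiner-dev/actions/ampel/verify @ v1.2.0 (e0e3b814); not dependabot-tracked, 9db1a064 above stays the live ref`, in both places. The commit message says two of five sub-actions were missed by the v1.2.0 sync, which suggests the sync enumerates transitive sub-actions by hand; if so, deriving the set from the composite's `uses:` lines at the bumped monorepo commit would allowlist all of them in one pass and avoid the next round of hourly failures. The `approved_patterns.yml` hunk below is generated output and only needs to be checked against these two entries, which it matches.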