From 82fa0d37d3a71ad588b7e9f0bbcbad604718a0c4 Mon Sep 17 00:00:00 2001 From: "Doroszlai, Attila" Date: Sat, 4 Jul 2026 15:31:54 +0200 Subject: [PATCH] HDDS-15719. Add check for allowed action usage in workflows --- .github/workflows/asf-allowlist-check.yaml | 49 ++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 .github/workflows/asf-allowlist-check.yaml diff --git a/.github/workflows/asf-allowlist-check.yaml b/.github/workflows/asf-allowlist-check.yaml new file mode 100644 index 0000000..dfbcec3 --- /dev/null +++ b/.github/workflows/asf-allowlist-check.yaml @@ -0,0 +1,49 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: "ASF Allowlist Check" + +on: + workflow_dispatch: + pull_request: + paths: + - ".github/workflows/**" + push: + branches-ignore: + - 'dependabot/**' + tags: + - '**' + paths: + - ".github/workflows/**" + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || case(github.repository_owner == 'apache', github.sha, github.ref_name) }} + cancel-in-progress: ${{ github.event_name == 'pull_request' || github.repository_owner != 'apache' }} + +jobs: + asf-allowlist-check: + runs-on: ubuntu-slim + steps: + - name: Checkout project + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false + - name: Check actions + uses: apache/infrastructure-actions/allowlist-check@775350a154e610e84c460cb1bbe2d2ab26c15cb3 + with: + scan-glob: ".github/workflows/*.y*ml"