[#11819] fix(ci): Use approved setup actions and add ASF actions allowlist check #11820

Merged
jerryshao merged 1 commit into apache:main from mchades:issue-11819 on Jun 29, 2026

@mchades mchades commented Jun 29, 2026

What changes were proposed in this pull request?

  1. Update .github/workflows/chart-release.yaml and .github/workflows/chart-test.yaml to use the secure, approved commit SHA 9bc31f4ebc9c6b171d7bfbaa5d006ae7abdb4310 (corresponding to release tag v5.0.1) for azure/setup-helm.
  2. Roll back helm/chart-testing-action in .github/workflows/chart-test.yaml to commit 2fe8321ec9b8d234608c02c67623a886b72d7335 to avoid invoking the unapproved setup-uv action in its latest version.
  3. Update .github/workflows/chart-test.yaml to use the secure, approved commit SHA 829323503d1be3d00ca8346e5391ca0b07a9ab0d (corresponding to release tag v5.1.0) for azure/setup-kubectl.
  4. Update .github/workflows/trino-multi-version-test.yml to use the secure, approved commit SHA ce360397dd3f832beb865e1373c09c0e9f86d70a (corresponding to release tag v4.0.0) for docker/setup-qemu-action.
  5. Add a new .github/workflows/asf-allowlist-check.yml workflow to automatically check the allowlist compliance of GitHub Actions on pull requests modifying the .github/ directory.

Why are the changes needed?

  1. The manual trigger of the Publish Helm Charts workflow failed because the Apache foundation security policy restricts third-party actions using version tags like @v4.3.0.
  2. The latest commit of helm/chart-testing-action transitively invokes astral-sh/setup-uv@eb1897b8dc4b5d5bfe39a428a8f2304605e0983c, which is not on the ASF Infrastructure allowed actions list. Rolling it back to the commit before introducing setup-uv resolves the issue.
  3. The old commit SHA 15650b3ad78fff148532a140b8a4c821796b2d7b used for azure/setup-kubectl is scheduled to expire on 2026-07-11 according to the allowed list, which requires an upgrade.
  4. The tag version v3 for docker/setup-qemu-action used in trino-multi-version-test.yml violates the security policy.
  5. Adding the asf-allowlist-check workflow helps prevent similar silent "startup failure" issues in the future at the PR phase.

Fix: #11819

Does this PR introduce any user-facing change?

No.

How was this patch tested?

This is a GitHub Actions workflow configuration change. The commit SHAs are verified against the ASF Actions allowed list.

@mchades mchades added the branch-1.3 Automatically cherry-pick commit to branch-1.3 label Jun 29, 2026
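
The pinning and allowlist rules described in this PR can be checked mechanically before a workflow ever reaches the runner. The following is an added example, not part of the PR and not the ASF's own checker or the `asf-allowlist-check.yml` workflow: the allowlist contents, the trusted-owner set, the expiry handling and the sample workflow text are constructed for illustration, using only the SHAs and the date quoted in the description above.

```python
import re
from datetime import date

# Matches "uses: owner/repo[/path]@ref" steps in workflow text.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)", re.M)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
# Constructed allowlist: action -> {approved SHA: expiry date, or None if no expiry}.
ALLOWLIST = {
    "azure/setup-helm": {"9bc31f4ebc9c6b171d7bfbaa5d006ae7abdb4310": None},
    "azure/setup-kubectl": {
        "829323503d1be3d00ca8346e5391ca0b07a9ab0d": None,
        "15650b3ad78fff148532a140b8a4c821796b2d7b": date(2026, 7, 11),
    },
    "docker/setup-qemu-action": {"ce360397dd3f832beb865e1373c09c0e9f86d70a": None},
}
TRUSTED_OWNERS = {"actions", "github", "apache"}  # assumption for this example

def check_workflow(text, today):
    """Return (action, ref, reason) for every reference that fails the policy."""
    findings = []
    for action, ref in USES_RE.findall(text):
        if action.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        repo = "/".join(action.split("/")[:2])
        if repo.split("/")[0] in TRUSTED_OWNERS:
            continue
        approved = ALLOWLIST.get(repo, {})
        if not FULL_SHA_RE.fullmatch(ref):
            findings.append((repo, ref, "not pinned to a full commit SHA"))
        elif ref not in approved:
            findings.append((repo, ref, "SHA not on allowlist"))
        elif approved[ref] is not None and today >= approved[ref]:
            findings.append((repo, ref, "allowlist entry expired"))
        elif approved[ref] is not None:
            findings.append((repo, ref, f"allowlist entry expires {approved[ref]}"))
    return findings

# Constructed workflow text, not taken from the repository.
SAMPLE = """\
steps:
  - uses: actions/checkout@v4
  - uses: azure/setup-helm@v4.3.0
  - uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b
  - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
  - uses: astral-sh/setup-uv@eb1897b8dc4b5d5bfe39a428a8f2304605e0983c
"""

for finding in check_workflow(SAMPLE, date(2026, 6, 29)):
    print(finding)
```

A scan like this only sees references written in the workflow file itself; an action pulled in transitively by another action, as with `setup-uv` above, has to be caught by inspecting that action's own definition at the pinned commit.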
@github-actions

Code Coverage Report

| Overall Project | 67.23% | 🟢 |
|---|---|---|
| Files changed | No Java source files changed | - |

| Module | Coverage | |
|---|---|---|
| aliyun | 1.72% | 🔴 |
| api | 46.82% | 🟢 |
| authorization-common | 85.96% | 🟢 |
| aws | 26.5% | 🔴 |
| azure | 2.47% | 🔴 |
| catalog-common | 10.4% | 🔴 |
| catalog-fileset | 80.23% | 🟢 |
| catalog-glue | 66.91% | 🟢 |
| catalog-hive | 79.42% | 🟢 |
| catalog-jdbc-clickhouse | 80.02% | 🟢 |
| catalog-jdbc-common | 44.22% | 🟢 |
| catalog-jdbc-doris | 80.28% | 🟢 |
| catalog-jdbc-hologres | 54.03% | 🟢 |
| catalog-jdbc-mysql | 79.23% | 🟢 |
| catalog-jdbc-oceanbase | 80.91% | 🟢 |
| catalog-jdbc-postgresql | 82.29% | 🟢 |
| catalog-jdbc-starrocks | 78.51% | 🟢 |
| catalog-kafka | 77.01% | 🟢 |
| catalog-lakehouse-generic | 58.53% | 🟢 |
| catalog-lakehouse-hudi | 79.1% | 🟢 |
| catalog-lakehouse-iceberg | 85.94% | 🟢 |
| catalog-lakehouse-paimon | 82.14% | 🟢 |
| catalog-model | 77.72% | 🟢 |
| cli | 44.51% | 🟢 |
| client-java | 78.01% | 🟢 |
| common | 50.17% | 🟢 |
| core | 82.58% | 🟢 |
| filesystem-hadoop3 | 77.3% | 🟢 |
| flink | 0.0% | 🔴 |
| flink-common | 47.12% | 🟢 |
| flink-runtime | 0.0% | 🔴 |
| gcp | 14.12% | 🔴 |
| hadoop-common | 10.88% | 🔴 |
| hive-metastore-common | 53.77% | 🟢 |
| iceberg-common | 58.15% | 🟢 |
| iceberg-rest-server | 73.9% | 🟢 |
| idp-basic | 85.71% | 🟢 |
| integration-test-common | 0.0% | 🔴 |
| jobs | 66.17% | 🟢 |
| lance-common | 20.83% | 🔴 |
| lance-rest-server | 60.13% | 🟢 |
| lineage | 53.02% | 🟢 |
| optimizer | 82.95% | 🟢 |
| optimizer-api | 21.95% | 🔴 |
| server | 86.09% | 🟢 |
| server-common | 74.18% | 🟢 |
| spark | 28.57% | 🔴 |
| spark-common | 41.66% | 🟢 |
| trino-connector | 40.29% | 🟢 |

@yuqi1129 yuqi1129 removed the branch-1.3 Automatically cherry-pick commit to branch-1.3 label Jun 29, 2026
@jerryshao jerryshao merged commit fbecb1a into apache:main Jun 29, 2026
34 checks passed
@mchades mchades deleted the issue-11819 branch June 29, 2026 09:16
Development

Successfully merging this pull request may close these issues.

[Bug] Fix chart-release workflow startup failure