[CI] Add ASF allowlist check workflow #7475
| jobs: | ||
| asf-allowlist-check: | ||
| runs-on: ubuntu-24.04 |
Does ubuntu-slim work? It's cheaper.
Thanks for pointing that out!
I wasn't aware of the ubuntu-slim option and copied the runner used in all other workflows.
Regarding pricing, my understanding is that it should be free for public repositories, but please let me know if I'm missing something here. If you think we should address it for this workflow, then it would be great to check the other workflows like stale.yml and greetings.yml as well.
All Apache projects share a GitHub Actions quota limit. They have asked the PMCs of some projects that consume a large amount of quota to reduce their usage, and have also encouraged all projects to do so. And yes, we can move some other light workflows to ubuntu-slim too. I'm also investigating whether we can speed up our CI by caching the engine tgz in a smarter way to improve the cache hit rate instead of triggering a download from the ASF site, especially from archive.apache.org, which is quite slow and fragile.
👍 Thank you for the detailed explanation. I've changed the runner to ubuntu-slim.
Thank you for the review! Merged to master.
Why are the changes needed?
These changes are needed to ensure compliance with the ASF GitHub Actions Policy.
The workflow verifies that all uses: refs in a project's workflow files are on the ASF Infrastructure approved allowlist. It catches violations before merge, preventing the silent CI failures that occur when an action is not on the org-level allowlist.
See more details here.
Related to [Umbrella] Ensure GitHub Actions compliance with ASF Policy #7456.
Similar PRs:
How was this patch tested?
Review.
Was this patch authored or co-authored using generative AI tooling?
No
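For readers unfamiliar with this kind of check, the sketch below shows the idea described in the PR: collect every uses: ref from a workflow file and report the ones not covered by an allowlist. It is an added example, not the workflow from this PR or the ASF's own checker; the allowlist entries, their format (owner glob, optionally pinned with @ref) and the sample workflow are constructed assumptions.

```python
import re
from fnmatch import fnmatchcase

# "uses:" at the start of a YAML line (step or reusable-workflow form);
# commented-out lines do not match because "#" precedes the key.
USES_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*['\"]?([^'\"\s#]+)", re.MULTILINE)

# Constructed allowlist (assumed format, not the real ASF list).
ALLOWLIST = [
    "actions/*",  # every action of this owner, any ref
    "example-org/setup-tool@0123456789abcdef0123456789abcdef01234567",  # this commit only
]

# Constructed sample workflow.
SAMPLE = """\
jobs:
  asf-allowlist-check:
    runs-on: ubuntu-slim
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567
      - name: moving tag on a pin-only entry
        uses: example-org/setup-tool@v1
      # - uses: commented/out@v1
      - uses: unlisted-owner/some-action@v2
      - uses: ./.github/actions/local
"""

def is_allowed(ref, allowlist=ALLOWLIST):
    """True if ref is a local action or matches an allowlist entry."""
    if ref.startswith("./"):  # action stored in the same repository
        return True
    action, _, version = ref.partition("@")
    for entry in allowlist:
        pat_action, _, pat_version = entry.partition("@")
        # Owner and repository names are case-insensitive on GitHub.
        if fnmatchcase(action.lower(), pat_action.lower()) and (
            not pat_version or pat_version == version
        ):
            return True
    return False

def violations(workflow_text, allowlist=ALLOWLIST):
    """Return (line_number, ref) for every uses: ref not on the allowlist."""
    found = []
    for m in USES_RE.finditer(workflow_text):
        ref = m.group(1)
        if not is_allowed(ref, allowlist):
            found.append((workflow_text.count("\n", 0, m.start(1)) + 1, ref))
    return found

if __name__ == "__main__":
    for line, ref in violations(SAMPLE):
        print(f"line {line}: {ref} is not on the allowlist")
```

An entry pinned to a commit SHA rejects the same action referenced by a tag, which is why example-org/setup-tool@v1 is reported even though the action itself is listed.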