Skip to content

Fix chart 1-2x line CI startup failure from non-allowlisted actions#69630

Merged
potiuk merged 1 commit into
chart/v1-2x-testfrom
backport-ci-allowlist-and-action-bumps-chart
Jul 8, 2026
Merged

Fix chart 1-2x line CI startup failure from non-allowlisted actions#69630
potiuk merged 1 commit into
chart/v1-2x-testfrom
backport-ci-allowlist-and-action-bumps-chart

Conversation

@potiuk

@potiuk potiuk commented Jul 8, 2026

Copy link
Copy Markdown
Member

PRs targeting chart/v1-2x-test failed to run any CI — every workflow run ended in startup_failure and the PR showed only branch-independent bot checks (Mergeable/WIP), so a change could sit with no tests, static checks, or CodeQL (e.g. #69579).

Root cause: the branch pinned aws-actions/configure-aws-credentials@8df5847… (v6.0.0), a version no longer on the ASF Actions allowlist. GitHub refuses to start a workflow that references a non-allowlisted action, and a startup_failure emits no check runs — which is why the failure was invisible on the PR. main already runs the allowlisted v6.2.1, which is why main PRs are unaffected.

This PR:

  • Bumps the 16 stale action pins on this branch to the allowlisted revisions already used on main (configure-aws-credentials → v6.2.1, actions/checkout → v7.0.0, actions/upload-artifact → v7.0.1, github/codeql-action → v4.36.2, astral-sh/setup-uv → v8.2.0, slackapi/slack-github-action → v3.0.3, pnpm/action-setup → v6.0.9, actions/setup-node/setup-go/setup-java, actions/stale, actions/github-script, apache/infrastructure-actions/stash).
  • Adds the ASF Allowlist Check workflow (ported from main) so future drift onto a non-allowlisted action is caught here instead of silently breaking CI.

chart/v1-2x-stable carries the same stale pins and needs the same fix as a follow-up.


Was generative AI tooling used to co-author this PR?
  • Yes — Claude Code (Opus 4.8)

Generated-by: Claude Code (Opus 4.8) following the guidelines

Pull requests targeting chart/v1-2x-test failed to run any CI: every run
ended in startup_failure and reported only branch-independent bot checks,
so a PR could sit with no tests, static checks, or CodeQL. The cause was
aws-actions/configure-aws-credentials pinned at v6.0.0, a version no longer
on the ASF Actions allowlist; GitHub refuses to start a workflow that
references a non-allowlisted action, and startup_failure produces no check
runs, which is why the failure was invisible on the PR.

Bump the stale action pins on this branch to the allowlisted revisions already
used on main, and add the ASF Allowlist Check workflow so future drift onto a
non-allowlisted action is caught here instead of silently breaking CI.
@potiuk potiuk merged commit e386677 into chart/v1-2x-test Jul 8, 2026
116 checks passed
@potiuk potiuk deleted the backport-ci-allowlist-and-action-bumps-chart branch July 8, 2026 21:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants