When authoring GH workflows, people may add new action references (uses:) or change existing ones.
Dependabot and Renovate also change action references.
If the workflows/jobs/steps are not run when such an action reference is added or changed, whether by humans or by bots, the new references are not validated against the set of allowed actions.
It would be nice for ASF projects to be able to validate their workflow files before a change is merged, as part of their usual CI jobs.
I can imagine that a workflow in apache/infrastructure-actions could provide the necessary logic to check all uses: references against the allowed actions. That workflow could then be called, via workflow_call, from projects' workflows, so those do not need to copy any code.
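The check proposed above, as an added example that is not part of the issue and not code from apache/infrastructure-actions: a small Python script that scans every uses: reference in a repository's workflow files and compares it with an allowlist. The allowlist contents (ALLOWED) and the pattern syntax are assumptions for the example, modelled on the shapes GitHub accepts in an org-level "allowed actions" setting (owner/*, owner/repo@*, owner/repo@ref); the ASF's real list and its format are not reproduced here. The treatment of local actions (./path, always allowed because they live in the repository under review) and docker:// references (allowed only when listed verbatim) is likewise a policy choice made for this example.

```python
"""Check every `uses:` reference in GitHub workflow files against an allowlist.

Constructed example, not code from apache/infrastructure-actions.
Allowlist syntax assumed here: `owner/*`, `owner/repo@*`, `owner/repo@ref`,
plus verbatim `docker://...` entries.
"""
import re
from pathlib import Path

# Matches step-level (`- uses: x`) and job-level (`uses: x`) references;
# an optional quote and a trailing `# comment` are tolerated.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")

# Hypothetical allowlist for this example.
ALLOWED = [
    "actions/*",
    "apache/infrastructure-actions@*",
    "docker/login-action@v3",
]


def split_ref(uses):
    """Return (owner/repo, ref) for a remote reference.

    `owner/repo/sub/path@ref` -> ('owner/repo', 'ref'), so reusable-workflow
    references (`owner/repo/.github/workflows/x.yml@ref`) are matched on the
    repository, like GitHub's allowlist does.
    """
    target, _, ref = uses.rpartition("@") if "@" in uses else (uses, "", "")
    parts = target.split("/")
    return "/".join(parts[:2]), ref


def is_allowed(uses, allowed=ALLOWED):
    """True if `uses` is covered by some entry of `allowed`."""
    if uses.startswith("./"):
        # Local action in the repository under review (assumption: exempt).
        return True
    if uses.startswith("docker://"):
        # Container references must be listed verbatim (assumption).
        return uses in allowed
    repo, ref = split_ref(uses)
    owner = repo.split("/")[0]
    for pat in allowed:
        if pat == f"{owner}/*":
            return True
        if "@" in pat:
            pat_repo, _, pat_ref = pat.rpartition("@")
            if pat_repo == repo and pat_ref in ("*", ref):
                return True
        elif pat == repo:
            return True
    return False


def find_uses(text):
    """Yield (line_no, reference) for every uses: line in a workflow body."""
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            yield n, m.group(1)


def check_workflow_text(text, allowed=ALLOWED):
    """Return [(line_no, reference)] for references not on the allowlist."""
    return [(n, u) for n, u in find_uses(text) if not is_allowed(u, allowed)]


def check_workflow_dir(root, allowed=ALLOWED):
    """Check every *.yml / *.yaml under <root>/.github/workflows."""
    violations = {}
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        bad = check_workflow_text(path.read_text(), allowed)
        if bad:
            violations[str(path)] = bad
    return violations


# Constructed sample workflow: one step references an action that is not
# on the hypothetical allowlist.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup
      - uses: docker/login-action@v3
      - uses: someone/untrusted-action@main   # not on the allowlist
  reuse:
    uses: apache/infrastructure-actions/.github/workflows/x.yml@main
"""

if __name__ == "__main__":
    for n, u in check_workflow_text(SAMPLE_WORKFLOW):
        print(f"line {n}: {u} is not an allowed action")
```

Two caveats a practitioner would want. First, the scan is line-based and knows nothing about YAML semantics (anchors, flow mappings, multi-line strings), so a production version should load the file with a YAML parser and walk jobs[*].uses and jobs[*].steps[*].uses instead of matching lines. Second, a pre-merge check like this only complements the organisation-level enforcement: it catches the disallowed reference while the PR is still open (including Dependabot and Renovate PRs whose changed steps never execute), rather than at the first run after merge. Run it on the PR's head ref in a job that always executes, independent of path filters, or no change to a workflow file will bypass it.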