Skip to content

Remove 14 unused wildcard actions from allowlist (part of #666)#1036

Merged
raboof merged 2 commits into
mainfrom
security/remove-unused-wildcards-666
Jul 14, 2026
Merged

Remove 14 unused wildcard actions from allowlist (part of #666)#1036
raboof merged 2 commits into
mainfrom
security/remove-unused-wildcards-666

Conversation

@potiuk

@potiuk potiuk commented Jul 12, 2026

Copy link
Copy Markdown
Member

Part of #666, motivated by #891.

Each of these actions is allowlisted with a wildcard ('*': keep: true) but is not referenced by any apache/* repository (checked via org-wide code search on default branches). A wildcard approves any ref of an action, which -- as the actions-cool compromise (#891) showed -- is the exact door a hijacked tag walks through. Removing unused wildcards shrinks that attack surface and keeps the list under its size cap; any of these can be re-added on demand (with review) if a project actually needs it.

Removed (14)

bytedeco/javacpp-presets           jarvusinnovations/background-action
check-spelling/check-spelling      mvasigh/dispatch-action
clechasseur/rs-cargo               shufo/auto-assign-reviewer-by-files
codspeedhq/action                  timonvs/pr-labeler-action
container-tools/microshift-action  wei/curl
delaguardo/setup-graalvm           xpol/setup-lua
golang/govulncheck-action          gsactions/commit-message-checker

approved_patterns.yml updated to match (surgical diff).

Not touched

  • 4 namespace-wildcards (golangci/*, r-lib/actions/*, quarto-dev/quarto-actions/*, rustsec/*) are in active use -- kept, flagged in Review and where possible remove wildcard/keep actions #666 as candidates to narrow to specific sub-actions in a follow-up.
  • 83 single-action wildcards in active use are kept.

Caveat

"Unused" = no usage found on indexed default branches; a usage on a non-default branch or an un-indexed repo would not appear. Treated as strong candidates, not blind deletions. Full analysis in #666.

🤖 Generated with Claude Code

Each of these actions is allowlisted with a wildcard ('*': keep: true) but is
not referenced by any apache/* repository (checked via org-wide code search on
default branches). Wildcards approve *any* ref of an action, which -- as the
actions-cool compromise (#891) showed -- is the exact door a hijacked tag walks
through. Removing unused wildcards shrinks that attack surface and keeps the
list under its size cap; any of these can be re-added on demand (with review)
if a project actually needs it.

Removed:
  bytedeco/javacpp-presets, check-spelling/check-spelling, clechasseur/rs-cargo,
  codspeedhq/action, container-tools/microshift-action, delaguardo/setup-graalvm,
  golang/govulncheck-action, gsactions/commit-message-checker,
  jarvusinnovations/background-action, mvasigh/dispatch-action,
  shufo/auto-assign-reviewer-by-files, timonvs/pr-labeler-action, wei/curl,
  xpol/setup-lua

approved_patterns.yml updated to match (surgical diff).

Note: 'unused' means no usage found on indexed default branches; a usage on a
non-default branch or an un-indexed repo would not appear. See #666 for the
full wildcard analysis.

Generated-by: Claude Opus 4.8 (1M context) via Claude Code

@raboof raboof left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

awesome!

typically we ask that you only edit actions.yml and leave approved_patterns.yml to be automatically updated, but I guess it can't hurt.

Signed-off-by: Arnout Engelen <engelen@apache.org>
@raboof raboof merged commit ef75f6c into main Jul 14, 2026
11 checks passed
@raboof raboof deleted the security/remove-unused-wildcards-666 branch July 14, 2026 09:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants