Remove 14 unused wildcard actions from allowlist (part of #666)#1036
Merged
Conversation
Each of these actions is allowlisted with a wildcard ('*': keep: true) but is
not referenced by any apache/* repository (checked via org-wide code search on
default branches). Wildcards approve *any* ref of an action, which -- as the
actions-cool compromise (#891) showed -- is the exact door a hijacked tag walks
through. Removing unused wildcards shrinks that attack surface and keeps the
list under its size cap; any of these can be re-added on demand (with review)
if a project actually needs it.
Removed:
bytedeco/javacpp-presets, check-spelling/check-spelling, clechasseur/rs-cargo,
codspeedhq/action, container-tools/microshift-action, delaguardo/setup-graalvm,
golang/govulncheck-action, gsactions/commit-message-checker,
jarvusinnovations/background-action, mvasigh/dispatch-action,
shufo/auto-assign-reviewer-by-files, timonvs/pr-labeler-action, wei/curl,
xpol/setup-lua
approved_patterns.yml updated to match (surgical diff).
Note: 'unused' means no usage found on indexed default branches; a usage on a
non-default branch or an un-indexed repo would not appear. See #666 for the
full wildcard analysis.
Generated-by: Claude Opus 4.8 (1M context) via Claude Code
raboof
approved these changes
Jul 14, 2026
raboof
left a comment
Member
There was a problem hiding this comment.
awesome!
typically we ask that you only edit actions.yml and leave approved_patterns.yml to be automatically updated, but I guess it can't hurt.
Signed-off-by: Arnout Engelen <engelen@apache.org>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Part of #666, motivated by #891.
Each of these actions is allowlisted with a wildcard (
'*': keep: true) but is not referenced by anyapache/*repository (checked via org-wide code search on default branches). A wildcard approves any ref of an action, which -- as the actions-cool compromise (#891) showed -- is the exact door a hijacked tag walks through. Removing unused wildcards shrinks that attack surface and keeps the list under its size cap; any of these can be re-added on demand (with review) if a project actually needs it.Removed (14)
approved_patterns.ymlupdated to match (surgical diff).Not touched
golangci/*,r-lib/actions/*,quarto-dev/quarto-actions/*,rustsec/*) are in active use -- kept, flagged in Review and where possible remove wildcard/keep actions #666 as candidates to narrow to specific sub-actions in a follow-up.Caveat
"Unused" = no usage found on indexed default branches; a usage on a non-default branch or an un-indexed repo would not appear. Treated as strong candidates, not blind deletions. Full analysis in #666.
🤖 Generated with Claude Code