Skip to content

allowlist-check: warn about upcoming action expirations (closes #987)#1038

Merged
raboof merged 1 commit into
mainfrom
feature/allowlist-expiry-warnings-987
Jul 14, 2026
Merged

allowlist-check: warn about upcoming action expirations (closes #987)#1038
raboof merged 1 commit into
mainfrom
feature/allowlist-expiry-warnings-987

Conversation

@potiuk

@potiuk potiuk commented Jul 13, 2026

Copy link
Copy Markdown
Member

Closes #987.

Problem

Approved action versions don't live forever: when a newer version is approved, an older pinned SHA is given an expires_at grace period (typically ~3 months) and is eventually removed from the allowlist. Once removed, any workflow still pinning that SHA starts failing the allowlist check -- with no prior warning.

What this adds

allowlist-check now also fetches actions.yml (which carries the expires_at metadata that approved_patterns.yml doesn't) and emits a non-failing ::warning:: for any allowlisted pin in the caller's workflows that expires within expiry-warning-days (new input, default 30):

1 allowlisted ref(s) expiring within 30 day(s) -- bump these to a newer approved version before they are removed:
::warning file=.github/workflows/ci.yml::some-org/some-action@abc123 is allowlisted but its approved pin expires on 2026-07-25 (in 12 day(s)); bump to a newer approved version to avoid a future CI failure.

Warnings never change the exit code -- they surface in the job log and PR annotations so projects get advance notice.

Details

  • check_asf_allowlist.py: load_expiry_map() + upcoming_expiry_warnings() (pure, unit-tested) helpers, emit_expiry_warnings(), and an optional second CLI arg for actions.yml. The 1-arg invocation stays fully backward-compatible (no warnings, unchanged behavior).
  • action.yml: fetches actions.yml best-effort (if it can't be fetched, the check still runs, just without expiry warnings) and passes the new EXPIRY_WARNING_DAYS.
  • New tests (48 pass total) + README docs (input table + "Expiry warnings" section).

Set to 0 to warn only once a pin has actually expired, or raise it (e.g. "60") for earlier notice.

Note

I implemented this from the issue title/intent -- GitHub's API was unreachable from my environment when I built it, so I couldn't read the issue body verbatim. If #987 specified a different threshold default, warn-vs-fail behavior, or data source, say the word and I'll adjust.

🤖 Generated with Claude Code

Approved action versions are given an expires_at grace period (typically ~3
months) when a newer version lands, and are eventually removed from the
allowlist -- at which point workflows still pinning the old SHA start failing
the allowlist check. Projects previously had no advance notice.

allowlist-check now also fetches actions.yml (which carries the expires_at
metadata that approved_patterns.yml lacks) and emits a non-failing
::warning:: for any allowlisted pin in the caller's workflows that expires
within 'expiry-warning-days' (new input, default 30). Warnings never change
the exit code; they surface in the job log / PR annotations so projects can
bump the pin before it breaks.

- check_asf_allowlist.py: load_expiry_map() + upcoming_expiry_warnings() pure
  helpers, emit_expiry_warnings(), and an optional second CLI arg for
  actions.yml (1-arg invocation stays backward-compatible).
- action.yml: fetch actions.yml (best-effort) and pass EXPIRY_WARNING_DAYS.
- Tests for the new logic (48 pass) and README documentation.

Generated-by: Claude Opus 4.8 (1M context) via Claude Code
@raboof

raboof commented Jul 14, 2026

Copy link
Copy Markdown
Member

This should ideally rarely happen since dependabot (or equivalent) should be creating update PRs and these should be reviewed and merged, but I can see how it might be helpful to have an additional signal that such an update is still pending.

@raboof raboof merged commit b786540 into main Jul 14, 2026
8 checks passed
@raboof raboof deleted the feature/allowlist-expiry-warnings-987 branch July 14, 2026 09:47
@adoroszlai

Copy link
Copy Markdown
Contributor

Thanks a lot!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

allowlist-check: warn about upcoming expirations

3 participants