Posted to builds@apache.org by Benjamin Marwell <bm...@apache.org> on 2020/12/29 13:51:18 UTC
Issue with new GitHub Actions security policy
Hi infra team,
The maven-jlink-plugin needs a second JDK as a toolchain JDK. While all
Jenkins builds do have this by default, we worked around it in GitHub
Actions by using a 3rd-party jabba action [1].
Due to the new security policy, this build is now broken:
"battila7/jdk-via-jabba@v1 is not allowed to be used in
apache/maven-jlink-plugin. Actions in this workflow must be: created by
GitHub, verified in the GitHub Marketplace, within a repository owned by
apache or match the following: adoptopenjdk/*, apache/*,
gradle/wrapper-validation-action."
Interestingly, there is no "adoptopenjdk/*" action.
The current workflow file uses jdk-via-jabba, as this action can control
the variable it puts the path into [2].
Please suggest a new solution.
Also, if new security policies are created, kindly send a mail to the
maven-dev mailing list.
Thanks,
- Ben
[1]: https://github.com/apache/maven-jlink-plugin/blob/MJLINK-62/.github/workflows/maven.yml
[2]: https://github.com/apache/maven-jlink-plugin/blob/91cc1cfec38b3863d578aa281e82b062819c3c92/.github/workflows/maven.yml#L50
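
Added example, not part of the original message and not Apache infra tooling: a pre-push check that scans a workflow file for `uses:` references the allowlist quoted in the error above would reject. Assumptions: "created by GitHub" is taken to mean the `actions` and `github` organizations, pattern matching is approximated with `fnmatch`, verified Marketplace creators cannot be looked up offline and are passed in through the hypothetical `verified_owners` parameter, and the sample workflow is constructed.

```python
import fnmatch
import re

# Patterns quoted in the policy error message.
ALLOWED_PATTERNS = ["adoptopenjdk/*", "apache/*", "gradle/wrapper-validation-action"]
# Assumption: "created by GitHub" covers these two organizations.
GITHUB_OWNERS = {"actions", "github"}

# Matches "uses: owner/repo@ref" with or without a leading list dash or quotes.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")

# Constructed sample workflow; only the jabba reference comes from the message.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: battila7/jdk-via-jabba@v1
      - uses: gradle/wrapper-validation-action@v1
      - name: local composite action
        uses: ./.github/actions/setup
"""

def check_workflow(text, repo_owner="apache", verified_owners=frozenset()):
    """Return [(line_number, reference)] for each `uses:` the allowlist rejects."""
    trusted = GITHUB_OWNERS | {repo_owner.lower()} | {o.lower() for o in verified_owners}
    rejected = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./"):
            continue  # action stored in the calling repository itself
        name = ref.split("@", 1)[0].lower()  # drop the @ref; owners are case-insensitive
        owner = name.split("/", 1)[0]
        if owner in trusted:
            continue
        if any(fnmatch.fnmatchcase(name, pat) for pat in ALLOWED_PATTERNS):
            continue
        rejected.append((lineno, ref))
    return rejected

if __name__ == "__main__":
    for lineno, ref in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not permitted by the allowlist")
```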