Posted to builds@apache.org by Benjamin Marwell <bm...@apache.org> on 2020/12/29 13:51:18 UTC

Issue with new GitHub Actions security policy

Hi infra team,

The maven-jlink-plugin needs a second JDK as a toolchain JDK. While all
Jenkins builds do have this by default, we worked around it in GitHub
Actions by using a 3rd-party jabba action [1].

Due to the new security policy, this build is now broken:

"battila7/jdk-via-jabba@v1 is not allowed to be used in
apache/maven-jlink-plugin. Actions in this workflow must be: created by
GitHub, verified in the GitHub Marketplace, within a repository owned by
apache or match the following: adoptopenjdk/*, apache/*,
gradle/wrapper-validation-action."

Interestingly, there is no "adoptopenjdk/*" action.

The current workflow file uses jdk-via-jabba, as this action can control
the variable it puts the path into [2].

Please suggest a new solution.

Also, if new security policies are created, kindly send a mail to the
maven-dev mailing list.

Thanks,
- Ben

[1]: https://github.com/apache/maven-jlink-plugin/blob/MJLINK-62/.github/workflows/maven.yml
[2]: https://github.com/apache/maven-jlink-plugin/blob/91cc1cfec38b3863d578aa281e82b062819c3c92/.github/workflows/maven.yml#L50
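
Added example, not part of the original message and not ASF or GitHub code: a local check that lists every `uses:` reference in a workflow file and evaluates it against the allow-list quoted in the error message above, so a blocked action is found before the push. Assumptions: "created by GitHub" is approximated by the `actions` and `github` owners, Marketplace verification cannot be determined offline and is passed in by the caller, and the function name `audit_workflow` and the sample workflow are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Patterns quoted in the error message on this page.
POLICY_PATTERNS = ["adoptopenjdk/*", "apache/*", "gradle/wrapper-validation-action"]
# Assumption: "created by GitHub" is approximated by these two owners.
GITHUB_OWNERS = {"actions", "github"}

# Matches "uses: owner/repo@ref" with or without a leading list dash or quotes.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)

def audit_workflow(text, repo_owner="apache", verified_creators=frozenset()):
    """Return (reference, allowed, reason) for every `uses:` entry in text."""
    results = []
    for ref in USES_RE.findall(text):
        if ref.startswith("./"):
            results.append((ref, True, "local action in the same repository"))
            continue
        name = ref.split("@", 1)[0]                   # drop the @version or @sha suffix
        owner = name.split("/", 1)[0].lower()
        repo = "/".join(name.split("/")[:2]).lower()  # owner/repo, ignoring sub-paths
        if owner in GITHUB_OWNERS:
            reason = "created by GitHub"
        elif owner == repo_owner:
            reason = "repository owned by " + repo_owner
        elif owner in verified_creators:
            reason = "verified Marketplace creator (caller-supplied)"
        elif any(fnmatchcase(repo, p) for p in POLICY_PATTERNS):
            reason = "matches an allow-list pattern"
        else:
            # Anything else is reported as blocked and needs review.
            results.append((ref, False, "not covered by the policy"))
            continue
        results.append((ref, True, reason))
    return results

# Constructed sample workflow; only battila7/jdk-via-jabba@v1 comes from the page.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: battila7/jdk-via-jabba@v1
      - uses: gradle/wrapper-validation-action@v1
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for ref, ok, reason in audit_workflow(SAMPLE):
        print(("ALLOW " if ok else "BLOCK ") + ref + ": " + reason)
```
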