Forbidding non-approved actions in the quarkusio org GH Actions workflows


Guillaume Smet

9:40 AM (7 hours ago)
to Quarkus Development mailing list
Hi,

This is long overdue but given supply chain attacks are becoming more and more frequent (and probably made a lot easier as it's a lot easier to write code nowadays), I have plans to forbid all non-approved actions in the quarkusio org GH Actions workflows at the end of April.

That includes some very obvious culprits such as ad-m/github-push-action or crazy-max/ghaction-import-gpg.

There are a lot more as this has grown quite out of control, despite me asking several times to avoid using external actions.

I prepared a document in the wiki here: https://github.com/quarkusio/quarkus/wiki/GitHubActions .

If you are the maintainer of a repo under the quarkusio org, please have a look.

Note that the idea is to have an approve list. Everything that is not on the approve list will be forbidden.

My plan is to enforce this on April 30th so you have a bit more than a month to figure it out, mitigate the problem or ask for an exception (and it will require some good justification that we can't achieve the same outcome with reasonable effort).

You know where to find me if you need help or want to discuss the fate of a specific action.

And, yes, I know it's going to be disruptive and annoying, I'm sorry for that, but not doing it is not an option.

Note that I very much plan to do the exact same thing in the quarkiverse org next so moving your stuff to the Quarkiverse is not a good escape plan :).

-- 
Guillaume

Eric Deandrea

9:44 AM (7 hours ago)
to quark...@googlegroups.com, Guillaume Smet
Is there room for discussion on some of these where it says "not sure what it is used for, needs an alternative"?

If you aren't sure what it's used for, how can you be sure it needs an alternative?


Eric Deandrea
Java Champion
Senior Principal Software Engineer
Quarkus | LangChain4j | Docling-Java
Red Hat
edea...@redhat.com    M: 603.453.5840

--
You received this message because you are subscribed to the Google Groups "Quarkus Development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to quarkus-dev...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/quarkus-dev/CALt0%2Bo_0kppb5%2B2usUxzh0j5TnZRgtZBKNB0zAewcg4G1Ky8Xg%40mail.gmail.com.

Guillaume Smet

10:08 AM (6 hours ago)
to quark...@googlegroups.com, Guillaume Smet
Hi Eric,

There's room for discussion but using an action that is maintained by a random guy on the Internet is probably a no-no.
Because no matter how practical it is, it's very unsafe.
I mentioned it numerous times for years.

We need to be VERY careful.
See for the latest episode of an ongoing series: https://thehackernews.com/2026/03/trivy-security-scanner-github-actions.html .
And this was not an action from a random guy.
And it's just one of many similar issues that have happened these past few years.

So, for the particular one you mention - there is only one in this particular situation - we need to clarify what it is used for BUT I think there's a good chance we will need an alternative.
Also the reason why I decided to move it right away in the "needs alternative" list is that the name of the action was pointing to something that wouldn't be that hard to reimplement - pending clarifications as mentioned.
There are a lot of others for which we need to clarify the situation and see if they actually bring something meaningful that we can't implement another way.

Claude might be able to write something that uses the gh CLI, or we might have to reimplement it on our own.
Or we might have to fork and audit all the code (and maintain it) - if more viable.

I know it's annoying, but believe me, if we get impacted by one of these fun things going on atm, it's going to be A LOT more annoying.

I'm here to help, discuss things and try to iterate on our options, once people have the time to go into specifics.
We have a month to figure it out, I think it's doable.

That's something we need to do and sooner rather than later.
Together with auditing all our workflows to reduce the permissions of the default tokens to the very minimum needed for this particular workflow.

Thanks.

-- 
Guillaume
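Guillaume's approve-list plan in his first message and the per-workflow token permissions he mentions at the end of this reply both lend themselves to a mechanical pre-check. What follows is an added example, not the quarkusio tooling, the wiki's list or anything posted in this thread: a small Python script that reads one workflow file's text and reports `uses:` references whose owner or action is not on an approve list, references that are not pinned to a full commit SHA (an approve list alone does not stop an approved action's tag or branch from being moved, so pinning is the caveat a reviewer would add), and workflows that never set `permissions:` or set `write-all`. The approve list, the two sample workflows, the Maven build step and the 40-character placeholder SHA are all constructed for the example. The org-level Actions setting that restricts workflows to selected actions is what enforces the list at run time; this script only helps a maintainer find offenders in a checkout before the deadline.

```python
"""Offline pre-check for GitHub Actions workflows: flags `uses:` references
that are not on an approve list, references not pinned to a full commit SHA,
and workflows that never restrict the GITHUB_TOKEN permissions.

Added example; the approve list, sample workflows and SHA are constructed."""
import re
from dataclasses import dataclass

# Constructed approve list for this example. The real list for the org is the
# one in the wiki; the org-level Actions setting is what enforces it at run time.
APPROVED_OWNERS = {"actions", "github", "quarkusio"}   # every action of these owners
APPROVED_ACTIONS = {"gradle/actions"}                   # individually approved action

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?([^'\"\s#]+)", re.MULTILINE)
PERMISSIONS_RE = re.compile(r"^[ \t]*permissions:[ \t]*(.*)$", re.MULTILINE)


@dataclass(frozen=True)
class Finding:
    kind: str    # "unapproved", "unpinned" or "permissions"
    detail: str


def parse_uses(ref):
    """Split 'owner/repo[/path]@version' into ('owner/repo', version).

    Local composite actions ('./...') and docker images ('docker://...') are
    out of scope for the approve list and return None.
    """
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    path, sep, version = ref.rpartition("@")
    if not sep:                 # no '@' at all: report it as unpinned
        path, version = ref, ""
    parts = path.split("/")
    if len(parts) < 2:
        return None
    return "/".join(parts[:2]), version


def audit_workflow(text, approved_owners=APPROVED_OWNERS, approved_actions=APPROVED_ACTIONS):
    """Return the list of findings for one workflow file's text."""
    findings = []
    for ref in USES_RE.findall(text):
        parsed = parse_uses(ref)
        if parsed is None:
            continue
        action, version = parsed
        owner = action.split("/")[0]
        if owner not in approved_owners and action not in approved_actions:
            findings.append(Finding("unapproved", ref))
        # An approve list does not protect against a moved tag or branch;
        # only a full commit SHA pins the code that actually runs.
        if not FULL_SHA_RE.match(version):
            findings.append(Finding("unpinned", ref))

    perms = PERMISSIONS_RE.findall(text)
    if not perms:
        findings.append(Finding("permissions", "no permissions: block, GITHUB_TOKEN keeps the repository default"))
    elif any("write-all" in p for p in perms):
        findings.append(Finding("permissions", "permissions: write-all grants every scope"))
    return findings


PLACEHOLDER_SHA = "a" * 40   # placeholder, not a real commit

# Constructed sample: the kind of workflow the thread is about.
SAMPLE_WORKFLOW = f"""\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@{PLACEHOLDER_SHA}  # pinned to a SHA
      - uses: ad-m/github-push-action@master
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - run: ./mvnw -B verify
"""

# Same workflow after cleanup: approved actions only, pinned, read-only token.
HARDENED_WORKFLOW = f"""\
name: CI
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}
      - uses: actions/setup-java@{PLACEHOLDER_SHA}
      - run: ./mvnw -B verify
"""

if __name__ == "__main__":
    for name, wf in (("sample", SAMPLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name)
        for f in audit_workflow(wf):
            print(f"  {f.kind:12} {f.detail}")
```

Run `audit_workflow` over the text of each file under `.github/workflows`; the hardened sample shows the shape that passes: approved owners only, every reference pinned by SHA, and a read-only top-level token that individual jobs widen only where they must.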


Georgios Andrianakis

10:08 AM (6 hours ago)
to quark...@googlegroups.com
On Mon, Mar 23, 2026 at 3:40 PM Guillaume Smet <guillau...@gmail.com> wrote:
> Hi,
>
> This is long overdue but given supply chain attacks are becoming more and more frequent (and probably made a lot easier as it's a lot easier to write code nowadays), I have plans to forbid all non-approved actions in the quarkusio org GH Actions workflows at the end of April.

+1

> That includes some very obvious culprits such as ad-m/github-push-action or crazy-max/ghaction-import-gpg.
>
> There are a lot more as this has grown quite out of control, despite me asking several times to avoid using external actions.
>
> I prepared a document in the wiki here: https://github.com/quarkusio/quarkus/wiki/GitHubActions .
>
> If you are the maintainer of a repo under the quarkusio org, please have a look.
>
> Note that the idea is to have an approve list. Everything that is not on the approve list will be forbidden.
>
> My plan is to enforce this on April 30th so you have a bit more than a month to figure it out, mitigate the problem or ask for an exception (and it will require some good justification that we can't achieve the same outcome with reasonable effort).
>
> You know where to find me if you need help or want to discuss the fate of a specific action.
>
> And, yes, I know it's going to be disruptive and annoying, I'm sorry for that, but not doing it is not an option.
>
> Note that I very much plan to do the exact same thing in the quarkiverse org next so moving your stuff to the Quarkiverse is not a good escape plan :).

This is a minefield and IMHO cannot be done without a proper discussion

Guillaume Smet

10:26 AM (6 hours ago)
to quark...@googlegroups.com
On Mon, Mar 23, 2026 at 3:08 PM 'Georgios Andrianakis' via Quarkus Development mailing list <quark...@googlegroups.com> wrote:
>> Note that I very much plan to do the exact same thing in the quarkiverse org next so moving your stuff to the Quarkiverse is not a good escape plan :).
>
> This is a minefield and IMHO cannot be done without a proper discussion

I don't plan on doing anything for the quarkiverse without analyzing the situation properly - similar to what I did for the quarkusio org.
And I'm very sure it will require some additional work and discussion.
That's also why I started with quarkusio.

BUT the fact that it is a minefield makes it even more important IMHO.

BTW, there is still the option of adding exceptions - even if I would prefer we avoid that - as one exception might be enough.
What we don't want is to have more sneaking in without even noticing it.

The current situation of quarkusio is a good example of this problem, as it's a lot worse than I thought it would be.

-- 
Guillaume

Sanne Grinovero

10:43 AM (6 hours ago)
to quark...@googlegroups.com

Great initiative, thanks Guillaume.


Marco Bungart

12:26 PM (4 hours ago)
to quark...@googlegroups.com

Hi!

I updated the quarkus-artemis workflows, since we used custom actions (they are gone now). I noticed that we used the action dcarbone/install-yq-action. Looking a bit around, I found commit 27b7294bd27be0dce1582f82ad71226020e9cfbb in quarkus-wiremock [1], that removes said action since yq is already provided with the default ubuntu image. I dug a little bit deeper and found this action in several extensions, e.g. in quarkus-barcode [2], quarkus-logging-manager [3], quarkus-quinoa [4]. I suspect that - at one point in the past - yq was not provided with the default ubuntu image. We should remove this action from the quarkiverse if possible.

Cheers,
Marco

[1]: https://github.com/quarkiverse/quarkus-wiremock/commit/27b7294bd27be0dce1582f82ad71226020e9cfbb
[2]: https://github.com/quarkiverse/quarkus-barcode/blob/e44d50652e79819fc8218dbf40a1a4e1839e4fd9/.github/workflows/quarkus-snapshot.yaml#L36
[3]: https://github.com/quarkiverse/quarkus-logging-manager/blob/46842cf1ec416cd8566c263ff4896e140f5a720a/.github/workflows/quarkus-snapshot.yaml#L38
[4]: https://github.com/quarkiverse/quarkus-quinoa/blob/c3486138aed017d86bbbfcbf5f37ecf2234b2ac5/.github/workflows/quarkus-snapshot.yaml#L38


Guillaume Smet

12:37 PM (4 hours ago)
to quark...@googlegroups.com
Hey Marco,

On Mon, Mar 23, 2026 at 5:26 PM 'Marco Bungart' via Quarkus Development mailing list <quark...@googlegroups.com> wrote:

> I updated the quarkus-artemis workflows, since we used custom actions (they are gone now). I noticed that we used the action dcarbone/install-yq-action. Looking a bit around, I found commit 27b7294bd27be0dce1582f82ad71226020e9cfbb in quarkus-wiremock [1], that removes said action since yq is already provided with the default ubuntu image. I dug a little bit deeper and found this action in several extensions, e.g. in quarkus-barcode [2], quarkus-logging-manager [3], quarkus-quinoa [4]. I suspect that - at one point in the past - yq was not provided with the default ubuntu image. We should remove this action from the quarkiverse if possible.

Yes, totally. This one is in the list and yes, yq was a pain to install at some point thus the action.
It's all gone now and we can just drop it. If you want to help, feel free to push some PRs to these projects, that will be one less thing to handle.
We had it in quite a lot of our own quarkusio workflows - and we still do in some of them.

BTW, I fully acknowledge that this is such a shame that we can't have nice things, and use all these nice actions out there.
But things have deteriorated a lot these past few years as to how much we can trust other projects.
And it seems to have accelerated lately.

We will need to be very cautious. And it's going to be painful and annoying...

-- 
Guillaume

Marco Bungart

1:09 PM (3 hours ago)
to quark...@googlegroups.com

Hi!

I talked with George Gastaldi. George is in the process of removing yq from all quarkiverse projects (there are scripts to do so, but they only work when the person running it has privileges to commit to all quarkiverse projects). So George is running the script :)

Cheers,
Marco


George Gastaldi

1:33 PM (3 hours ago)
to quark...@googlegroups.com
Patch script executed. You can see the list of all PRs created after the comment in https://github.com/quarkiverse/quarkiverse-devops/issues/315#issuecomment-4112174482
