Restricting GitHub Actions allowed in the quarkusio org - follow-up


Guillaume Smet

May 13, 2026, 11:05:44 AM (10 days ago) May 13
to Quarkus Development mailing list
Hi,

As mentioned in https://groups.google.com/g/quarkus-dev/c/FBplXH85mM8, we are going to restrict the GitHub Actions that can be used in the quarkusio organization.

We will have a manually maintained list of vetted GitHub Actions that are authorized in the org; anything else won't work.
Any addition to this list will have to be analyzed thoroughly and, in particular, we won't allow actions developed by random individuals. This is unfortunate, as it's really nice to be able to consume actions, but it has been used as a supply chain attack vector, so we need to be extremely careful.

A lot of work has been done to improve our situation compared to when I first sent the initial email, thanks a lot to everyone involved in this effort.

There are still a couple of problematic repositories though:

--- quarkusio/quarkus-devtools-compat ---
  dcarbone/install-yq-action -> this is not needed anymore, you can just drop it
  dorny/test-reporter -> not sure what it is used for and we need to discuss what to do about it, please ping me

--- quarkusio/quarkus-workshop-agentic ---
  peaceiris/actions-gh-pages -> we should use the standard GH stuff for publishing pages

--- quarkusio/quarkus-workshop-langchain4j ---
  peaceiris/actions-gh-pages -> we should use the standard GH stuff for publishing pages

--- quarkusio/quarkus-workshops ---
  actions-cool/maintain-one-comment -> see https://github.com/quarkusio/quarkusio.github.io/blob/19e855efbb6f58760fbe14326611becaecbea736/.github/workflows/preview.yml#L60-L70 or https://github.com/quarkusio/quarkusio.github.io/blob/19e855efbb6f58760fbe14326611becaecbea736/.github/workflows/preview-teardown.yml#L18-L27
  dawidd6/action-download-artifact -> the standard action from GitHub should handle everything properly now, please switch to it
  peaceiris/actions-gh-pages -> we should use the standard GH stuff for publishing pages

The initial deadline was at the end of April and we are already mid-May, so I will put the restrictions in place. Please have a look at these projects if you're involved in them or want to help, and ping me if you need help with this.

Thanks.

-- 
Guillaume

Georgios Andrianakis

May 13, 2026, 11:23:44 AM (10 days ago) May 13
to Quarkus Development mailing list
Thanks for the follow-up.


On Wed, May 13, 2026, 18:05 Guillaume Smet <guillau...@gmail.com> wrote:
[...]

--- quarkusio/quarkus-workshop-agentic ---
  peaceiris/actions-gh-pages -> we should use the standard GH stuff for publishing pages

This was actually fixed by George just a little while ago

[...]


Guillaume Smet

May 13, 2026, 1:09:24 PM (9 days ago) May 13
to quark...@googlegroups.com
The restrictions are now in place.

Please ping me if you see anything odd.

Thanks.

-- 
Guillaume

Fouad Almalki

May 13, 2026, 1:21:40 PM (9 days ago) May 13
to quark...@googlegroups.com
CI failed in this PR: https://github.com/quarkusio/quarkus/pull/54196

Error: The action runs-on/action@15385172809cc0346c6821b00c3c3dd2598785b4 is not allowed in quarkusio/quarkus because all actions must be from a repository owned by quarkusio, created by GitHub, or match one of the patterns: azure/docker-login, azure/setup-helm, azure/static-web-apps-deploy, dependabot/fetch-metadata, docker/build-push-action, docker/login-action, docker/setup-buildx-action, docker/setup-qemu-action, graalvm/setup-graalvm, gradle/actions/setup-gradle, gradle/develocity-actions/maven-publish-build-scan, gradle/develocity-actions/setup-maven, jbangdev/jbang-action, jbangdev/setup-jbang, jreleaser/release-action, oracle-actions/setup-java, redhat-actions/oc-login, redhat-actions/openshift-tools-installer, redhat-actions/podman-login, ruby/setup-ruby.

Guillaume Smet

May 13, 2026, 3:47:14 PM (9 days ago) May 13
to quark...@googlegroups.com
Yeah, I noticed and pushed some changes. I have a run that looks more promising, but I'm still waiting for a full run to be sure.

I will restart the CI job once things are better.

The format wasn't described that clearly and (obviously) there's no validation at all for the format.

Max Rydahl Andersen

May 15, 2026, 1:05:34 AM (8 days ago) May 15
to quark...@googlegroups.com

Hi,

Yesterday it was found that “radcortez/milestone-release-action@main” and “radcortez/project-metadata-action@main”
were missing, which made the quarkus-agent-mcp build fail (see https://quarkusio.zulipchat.com/#narrow/channel/187038-dev/topic/Quarkiverse.20Prepare.20Release.20fails/with/595067663).

Those two actions now got moved to smallrye org.

I added radcortez actions to the list temporarily to unblock the builds but this morning they are not there.

Two questions:

  1. Can we add smallrye/* or do we add the explicitly listed ones to the list?
  2. Where do we add them if not via the GitHub action UI so they stay in place?

/max
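
The error message Fouad quoted spells out the policy the org now enforces (repository owned by quarkusio, created by GitHub, or one of the listed patterns), Guillaume noted there is no validation of the allowlist format, and Max asked whether a smallrye/* wildcard works. The following script is an added example (not code from the thread or from the Quarkus project) that lets a maintainer run the same three-way check locally over a workflow file before pushing, and also flags malformed allowlist entries. The matching semantics are an assumption reconstructed from the quoted message: a pattern is owner/repo, optionally followed by a sub-directory path and an @ref, or owner/* for a whole owner; "created by GitHub" is taken to mean the actions and github owners; local ./ and docker:// references are assumed not to be governed by the allowlist. The sample workflow is constructed, and quarkusio/hypothetical-action and smallrye/hypothetical-release-action are placeholder names, not real actions.

```python
import re
from dataclasses import dataclass

ORG = "quarkusio"
GITHUB_OWNERS = {"actions", "github"}  # assumption: what "created by GitHub" covers

# Entries copied from the error message quoted in the thread, plus the
# "smallrye/*" wildcard from Max's question so its effect can be observed.
ALLOWED_PATTERNS = [
    "azure/docker-login", "azure/setup-helm", "azure/static-web-apps-deploy",
    "dependabot/fetch-metadata", "docker/build-push-action", "docker/login-action",
    "docker/setup-buildx-action", "docker/setup-qemu-action", "graalvm/setup-graalvm",
    "gradle/actions/setup-gradle", "gradle/develocity-actions/maven-publish-build-scan",
    "gradle/develocity-actions/setup-maven", "jbangdev/jbang-action", "jbangdev/setup-jbang",
    "jreleaser/release-action", "oracle-actions/setup-java", "redhat-actions/oc-login",
    "redhat-actions/openshift-tools-installer", "redhat-actions/podman-login", "ruby/setup-ruby",
    "smallrye/*",
]

# Assumed allowlist grammar: owner/repo[/path][@ref] or owner/*
PATTERN_RE = re.compile(r"^[\w.-]+/(\*|[\w.-]+(/[\w./-]+)?)(@\S+)?$")
# Picks the value out of a `uses:` line in a workflow file
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")


@dataclass(frozen=True)
class UsesRef:
    raw: str
    owner: str
    repo: str
    path: str  # sub-directory inside the repo, "" if none
    ref: str   # tag/branch/sha after '@', "" if none


def validate_patterns(patterns):
    """Return the allowlist entries that do not fit the assumed grammar."""
    return [p for p in patterns if not PATTERN_RE.match(p)]


def parse_uses(value):
    """Parse a `uses:` value; None for local (./) and docker:// references (assumed ungoverned)."""
    if value.startswith("./") or value.startswith("docker://"):
        return None
    target, _, ref = value.partition("@")
    parts = target.split("/")
    if len(parts) < 2:
        raise ValueError(f"unparseable uses reference: {value!r}")
    return UsesRef(value, parts[0], parts[1], "/".join(parts[2:]), ref)


def pattern_matches(pattern, ref):
    """One allowlist entry against one parsed reference (assumed semantics)."""
    pat, _, pat_ref = pattern.partition("@")
    if pat_ref not in ("", "*") and pat_ref != ref.ref:
        return False  # pattern pins a specific ref and this is not it
    owner, _, rest = pat.partition("/")
    if rest == "*":
        return ref.owner == owner  # owner-wide wildcard such as smallrye/*
    target = "/".join(p for p in (ref.owner, ref.repo, ref.path) if p)
    return pat == target  # exact owner/repo[/path] match


def is_allowed(ref, patterns=ALLOWED_PATTERNS, org=ORG):
    """The three-way rule from the error message: own org, GitHub-created, or listed."""
    if ref.owner == org or ref.owner in GITHUB_OWNERS:
        return True
    return any(pattern_matches(p, ref) for p in patterns)


def check_workflow(text, patterns=ALLOWED_PATTERNS, org=ORG):
    """Return (line_number, uses_value) for every step the policy would reject."""
    rejected = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = parse_uses(m.group(1))
        if ref is not None and not is_allowed(ref, patterns, org):
            rejected.append((n, ref.raw))
    return rejected


# Constructed sample workflow; the quarkusio/... and smallrye/... names are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-setup
      - uses: quarkusio/hypothetical-action@v1
      - uses: gradle/actions/setup-gradle@v4
      - uses: smallrye/hypothetical-release-action@main
      - uses: runs-on/action@15385172809cc0346c6821b00c3c3dd2598785b4
      - uses: peaceiris/actions-gh-pages@v4
"""

if __name__ == "__main__":
    print("malformed allowlist entries:", validate_patterns(ALLOWED_PATTERNS + ["smallrye", "gradle/actions "]))
    for n, raw in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {n}: {raw} is not allowed in {ORG}")
```

Run it as-is to see the runs-on/action and peaceiris/actions-gh-pages steps flagged while the smallrye step passes because of the wildcard; drop "smallrye/*" from ALLOWED_PATTERNS and the smallrye step is flagged too, which is the difference between Max's two options. The validate_patterns call shows the kind of check the UI does not do: a bare owner without a slash, or an entry with trailing whitespace, never matches anything and silently breaks builds.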

Guillaume Smet

May 15, 2026, 3:26:41 AM (8 days ago) May 15
to quark...@googlegroups.com
I added both in the org settings.

Let me know if there are further issues.