From 1a9b08e7f267ba1c22ca4fe19414613a5e2e9d0f Mon Sep 17 00:00:00 2001
From: pat
Date: Tue, 30 Jun 2026 12:51:44 -0400
Subject: [PATCH] ci: add throwaway diagnostic to check Allowed Actions policy

Confirms whether actions-cool/maintain-one-comment is blocked by the org GitHub Actions "Allowed actions" policy, which is the suspected root cause of the ephemeral instance test failing with "Repository access blocked". Delete once confirmed.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/check-allowed-actions.yml | 42 +++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 .github/workflows/check-allowed-actions.yml

diff --git a/.github/workflows/check-allowed-actions.yml b/.github/workflows/check-allowed-actions.yml
new file mode 100644
index 0000000..c2f5d87
--- /dev/null
+++ b/.github/workflows/check-allowed-actions.yml
@@ -0,0 +1,42 @@
+name: Check Allowed Actions Policy
+
+# Throwaway diagnostic: confirms whether `actions-cool/maintain-one-comment`
+# is blocked by the org's GitHub Actions "Allowed actions" policy.
+# "Repository access blocked" surfaces at job PREP (before any step runs),
+# so referencing the action is enough to trigger the block if it exists.
+# Run via the Actions tab (workflow_dispatch). Delete once confirmed.
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'check-allowed-actions'
+
+jobs:
+  # Control: a third-party action we KNOW is allowed (ci.yml uses it and passes).
+  # Proves the runner/policy isn't blocking third-party actions wholesale.
+  control-known-allowed:
+    name: 'Control: jenseng/dynamic-uses (known allowed)'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: jenseng/dynamic-uses@8bc24f0360175e710da532c4d19eafdbed489a06 # v1
+        with:
+          uses: actions/github-script@v7
+          with: |-
+            { "script": "console.log('dynamic-uses prep + run OK')" }
+
+  # Suspect: the action used only in the ephemeral path.
+  # If blocked, this job fails at "Getting action download info" with
+  # "Repository access blocked" and the PREP-PASSED step never runs.
+  suspect-maintain-one-comment:
+    name: 'Suspect: actions-cool/maintain-one-comment'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Reference the suspect action
+        continue-on-error: true
+        uses: actions-cool/maintain-one-comment@4b2dbf086015f892dcb5e8c1106f5fccd6c1476b # v3
+        with:
+          token: ${{ github.token }}
+          body: 'allowed-actions diagnostic (ignore)'
+      - name: PREP PASSED — action is ALLOWED
+        run: echo "If you can read this, the action downloaded fine and is NOT blocked."
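Review bot: The workflow declares no top-level `permissions:`, so both jobs run with the repository's default GITHUB_TOKEN scope, and the `token: ${{ github.token }}` handed to the suspect action in its `with:` block carries that full scope even though the diagnostic only needs the action to be resolved at job prep. Adding `permissions: {}` (or `permissions:` / `  contents: read`) right after the `on:` block keeps this throwaway workflow at least privilege; on `push`/`workflow_dispatch` there is presumably no issue or PR to comment on, so the step's runtime failure is already absorbed by `continue-on-error: true` and the reduced token changes nothing about what the diagnostic measures. Separately, `actions/github-script@v7` inside the control job is the only floating tag in a file that otherwise SHA-pins each action with a `# vN` comment; pin it the same way so the control job is comparing policy, not pinning style.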