From 1ce3ffc9a79961dd5b6bf02506d8a4cf6d26d75d Mon Sep 17 00:00:00 2001 From: Jarek Potiuk Date: Tue, 19 May 2026 00:41:29 +0200 Subject: [PATCH 1/3] allowlist: add carabiner-dev install/{download-and-verify,ampel-bootstrap} (levels 2-3) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Follow-up to #831 — that PR added the level-1 transitive siblings install/{ampel,bnd} @ v1.1.7 (SHA 2a11d59a135c5e291f305f249a92ad7903e3ee0f), but the sibling-call chain rooted at carabiner-dev/actions/ampel/verify@v1.2.0 is actually four levels deep: ampel/verify @ v1.2.0 (e0e3b81…) └── install/{ampel,bnd} @ v1.1.7 (2a11d59…) [added by #831] └── install/download-and-verify (6022a06…) [this PR] └── install/ampel-bootstrap (0a075bb…) [this PR] ampel-bootstrap is a leaf — no further sibling refs. After this PR the check-for-transitive-failures workflow should go green; the immediately preceding failure log was on the missing download-and-verify SHA. Underlying scaling issue (sibling-chain pattern explosion) tracked at #852 and upstream at carabiner-dev/actions#57. Generated-by: Claude Opus 4.7 (1M context) --- actions.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/actions.yml b/actions.yml index c9574434..1d958f39 100644 --- a/actions.yml +++ b/actions.yml @@ -184,6 +184,15 @@ carabiner-dev/actions/install/bnd: 2a11d59a135c5e291f305f249a92ad7903e3ee0f: # transitive dep of carabiner-dev/actions/ampel/verify @ v1.2.0 tag: v1.1.7 +carabiner-dev/actions/install/download-and-verify: + 6022a065d6420de5d86333ecfb2b25c57f84b699: + # level-2 transitive: called by install/{ampel,bnd} @ v1.1.7 + tag: v1.1.7 +carabiner-dev/actions/install/ampel-bootstrap: + 0a075bb75a68646d05f99c85cbbf2be40dd8e442: + # level-3 transitive: called by install/download-and-verify + # (per upstream: "bootstrap rotated to ampel v1.2.1") + tag: v1.1.7 carloscastrojumo/github-cherry-pick-action: 503773289f4a459069c832dc628826685b75b4b3: tag: v1.0.10 
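Review bot: the `tag: v1.1.7` value on both new entries contradicts the context lines directly above them in this hunk: `install/bnd` (and `install/ampel`) at `tag: v1.1.7` resolve to `2a11d59a135c5e291f305f249a92ad7903e3ee0f`, and since every one of these paths lives in the single carabiner-dev/actions repository a tag can point at only one commit, so `6022a065…` and `0a075bb7…` cannot also be v1.1.7. Either the callers at 2a11d59 pin these siblings by SHA rather than by tag, in which case the SHAs should be recorded as untagged and `tag:` dropped, or the transitive reference is to a different ref; please state in the comment which `uses:` line in the caller was followed to reach each SHA so the entry can be re-verified when the chain changes. The quoted upstream note "bootstrap rotated to ampel v1.2.1" also sits oddly under a v1.1.7 label and should be explained or removed.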
From fbaceb6d578e411f429acef40a963713051ded46 Mon Sep 17 00:00:00 2001 From: Jarek Potiuk Date: Tue, 19 May 2026 01:10:58 +0200 Subject: [PATCH 2/3] fixup: sort actions.yml alphabetically (sort-actions-yml hook) The sort-actions-yml hook re-orders alphabetically by key, which places install/ampel-bootstrap between install/ampel and install/bnd rather than after install/download-and-verify (the depth-ordered position I originally used). Generated-by: Claude Opus 4.7 (1M context) --- actions.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/actions.yml b/actions.yml index 1d958f39..53a320c9 100644 --- a/actions.yml +++ b/actions.yml @@ -180,6 +180,11 @@ carabiner-dev/actions/install/ampel: 2a11d59a135c5e291f305f249a92ad7903e3ee0f: # transitive dep of carabiner-dev/actions/ampel/verify @ v1.2.0 tag: v1.1.7 +carabiner-dev/actions/install/ampel-bootstrap: + 0a075bb75a68646d05f99c85cbbf2be40dd8e442: + # level-3 transitive: called by install/download-and-verify + # (per upstream: "bootstrap rotated to ampel v1.2.1") + tag: v1.1.7 carabiner-dev/actions/install/bnd: 2a11d59a135c5e291f305f249a92ad7903e3ee0f: # transitive dep of carabiner-dev/actions/ampel/verify @ v1.2.0 @@ -188,11 +193,6 @@ carabiner-dev/actions/install/download-and-verify: 6022a065d6420de5d86333ecfb2b25c57f84b699: # level-2 transitive: called by install/{ampel,bnd} @ v1.1.7 tag: v1.1.7 -carabiner-dev/actions/install/ampel-bootstrap: - 0a075bb75a68646d05f99c85cbbf2be40dd8e442: - # level-3 transitive: called by install/download-and-verify - # (per upstream: "bootstrap rotated to ampel v1.2.1") - tag: v1.1.7 carloscastrojumo/github-cherry-pick-action: 503773289f4a459069c832dc628826685b75b4b3: tag: v1.0.10 From 715572c993f245125b545e59f4951a4e260d05c1 Mon Sep 17 00:00:00 2001 
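Review bot: the block added in the first hunk and the block removed in the second are identical line for line, so this is a pure relocation and carries the `tag: v1.1.7` question from the previous patch over unchanged. Since the sort-actions-yml hook determines the canonical position, it is worth confirming that the same hook runs on the pull request in CI and not only locally, so that a depth-ordered insertion cannot merge and fail later for a different contributor.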
From: Jarek Potiuk Date: Tue, 19 May 2026 01:32:51 +0200 Subject: [PATCH 3/3] address review: drop misleading tag from untagged transitives MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per ppkarwasz's review, the level-2 and level-3 SHAs aren't tagged upstream — they're intermediate commits between v1.1.6 and v1.1.7. Remove the misleading `tag: v1.1.7` and move the call-chain comment up to the action-key level so it survives the sort-actions-yml hook (standalone comments under an empty SHA sub-map get dropped on sort, inline-or-key-level comments survive). Generated-by: Claude Opus 4.7 (1M context) --- actions.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/actions.yml b/actions.yml index 53a320c9..dc4ca27c 100644 --- a/actions.yml +++ b/actions.yml @@ -181,18 +181,16 @@ carabiner-dev/actions/install/ampel: # transitive dep of carabiner-dev/actions/ampel/verify @ v1.2.0 tag: v1.1.7 carabiner-dev/actions/install/ampel-bootstrap: + # level-3 transitive: called by install/download-and-verify; commit is untagged + # (per upstream: "bootstrap rotated to ampel v1.2.1") 0a075bb75a68646d05f99c85cbbf2be40dd8e442: - # level-3 transitive: called by install/download-and-verify - # (per upstream: "bootstrap rotated to ampel v1.2.1") - tag: v1.1.7 carabiner-dev/actions/install/bnd: 2a11d59a135c5e291f305f249a92ad7903e3ee0f: # transitive dep of carabiner-dev/actions/ampel/verify @ v1.2.0 tag: v1.1.7 carabiner-dev/actions/install/download-and-verify: + # level-2 transitive: called by install/{ampel,bnd} @ v1.1.7; commit is untagged 6022a065d6420de5d86333ecfb2b25c57f84b699: - # level-2 transitive: called by install/{ampel,bnd} @ v1.1.7 - tag: v1.1.7 carloscastrojumo/github-cherry-pick-action: 503773289f4a459069c832dc628826685b75b4b3: tag: v1.0.10
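Review bot: after this hunk `0a075bb75a68646d05f99c85cbbf2be40dd8e442:` and `6022a065d6420de5d86333ecfb2b25c57f84b699:` are keys with no value, which YAML parses as null rather than as an empty mapping, while every other SHA key in the file carries a `tag:` sub-map; confirm that the allowlist loader and the sort-actions-yml hook both accept a null here (the commit message already notes the hook changes behaviour around an empty sub-map), or write an explicit `{}` so the shape stays uniform. Moving the call-chain comment to the action-key level is the right fix for comment survival; consider also recording in it which caller `uses:` line was followed to arrive at each untagged SHA, since an intermediate commit between v1.1.6 and v1.1.7 cannot be re-verified from a tag later and the comment is the only provenance the allowlist keeps.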