Use of non-approved third-party GitHub Actions

# Use of non-approved third-party GitHub Actions

Some GitHub Actions workflows in outline-cli repository use third-party actions that fall outside our approved tiers:

- [ ] [amannn/action-semantic-pull-request@v5](https://github.com/search?type=code&q=repo%3ADoist%2Foutline-cli+amannn%2Faction-semantic-pull-request%40v5)


According to our [GitHub Actions handbook][handbook], we only allow:

- **Tier 1**: Actions from trusted organizations (GitHub, AWS, Google, etc.)
- **Tier 2**: Audited actions pinned to specific commit SHAs

**Required action:**

Choose one of these options:

1. **Replace** with an approved alternative or custom script
2. **Audit** the action's code and add it to [Tier 2][allowlist] (pinned to full SHA)
3. **Discuss** in [#Doist Dev](https://twist.com/a/1585/ch/1265/) if you believe the author should be added to Tier 1

See the [handbook][] for detailed guidance on each option.

(Relates to https://github.com/Doist/platform-backlog/issues/983)

[handbook]: https://handbook.doist.com/doc/github-actions-TNArIDr8Jb
[allowlist]: https://github.com/Doist/allowed-actions


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use of non-approved third-party GitHub Actions #29

Use of non-approved third-party GitHub Actions

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Use of non-approved third-party GitHub Actions #29

Description

Use of non-approved third-party GitHub Actions

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions