ci: use git submodules for (securely) using third party Github Actions #12709
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
January 23, 2021 11:21
…ions List of repositories added as submodules: EndBug/latest-tag@latest morrisoncole/pr-lint-action@v1.4.1 trilom/file-changes-action@v1.2.4 styfle/cancel-workflow-action@0.6.0 apache-superset/cached-dependencies@b90713b unsplash/comment-on-pr@v1.2.0
TobKed
changed the title
|
I need to add proper |
TobKed
changed the title
Codecov Report
@@ Coverage Diff @@
## master #12709 +/- ##
==========================================
+ Coverage 66.89% 66.90% +0.01%
==========================================
Files 1020 1020
Lines 49905 49905
Branches 4888 4888
==========================================
+ Hits 33384 33390 +6
+ Misses 16396 16390 -6
Partials 125 125
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
potiuk
approved these changes
Jan 23, 2021
There was a problem hiding this comment.
Nice! This is the recommended way which I think all Apache Projects should adopt. It has only benefits and no drawbacks:
- inner working of submodules is such actions are automatically linked via their long hash commit -- recommended security practice
- no change to the current workflow of people (submodules are only needed for CI - you only need submodules if you want to update to newer version of the actions
- GitHub has full support for review for submodules. When action is updated, reviewer will see diff of incoming changes that can be reviewed as usual (also part of security guidelines to review changes to actions rigorously)
- no 3rd-party code in superset repo
There are no drawbacks that I am aware of.
mik-laj
approved these changes
Jan 24, 2021
|
This is great. Thanks for making this change! |
|
We actually used @potiuk 's potius/cancel-workflow-runs for the |
|
FYI. I do recommend to migrate it to submodule as well, however my action was allow-listed by INFRA so you can use it directly ;) |
7 tasks
13 tasks
morningman
pushed a commit
to apache/doris
that referenced
this pull request
Jul 25, 2021
My change is the fix and improvement for github action which labels approved PRs (introduced in this [PR](#6239)). It is inspired by solution introduced and tested in [Apache Airflow](https://github.com/apache/airflow) (thanks @potiuk @ashb 🚀 ) Corresponding Apache Airflow workflows on which I based this PR: - https://github.com/apache/airflow/blob/main/.github/workflows/label_when_reviewed.yml - https://github.com/apache/airflow/blob/main/.github/workflows/label_when_reviewed_workflow_run.yml Problems which were solved in this PR: - **Permissions**. @morningman opened a related bug: [[Help] Error: Resource not accessible by integration](TobKed/label-when-approved-action#7). It is related to limited permissions of workflows being triggered by `pull_request_review` (`GITHUB_TOKEN` has read-only permissions). More information about it you can find in the article: [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). TL;DR: On pull request review event (`on: pull_request_review` ) "dummy" workflow `Label when reviewed` triggers another workflow `Label when approved workflow run` which has sufficient permissions (`on: workflow_run: workflows: ["Label when reviewed"]`). - **Safe use of 3rd-party Github Actions by using submodules pattern.** It is decribed in: https://cwiki.apache.org/confluence/display/BUILDS/GitHub+Actions+status > NEVER use 3rd-party actions directly in your workflows - use the "submodule" pattern. This pattern is successfully used by projects like: - [Apache Airflow](https://github.com/apache/airflow) ([PR](apache/airflow#13514)) - [Apache Beam](https://github.com/apache/beam) ([PR](apache/beam#13736)) - [Apache Superset](https://github.com/apache/superset) ([PR](apache/superset#12709))
mistercrunch
added
🏷️ bot
9 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SUMMARY
The idea was to improve GitHub Actions after ASF changed the rules and only allow
actions hosted in-organization.
IMHO using git submodules is more clean way to use external github actions.
I based my opinion this on the discussion:
https://lists.apache.org/x/thread.html/r435c45dfc28ec74e28314aa9db8a216a2b45ff7f27b15932035d3f65@%3Cbuilds.apache.org%3E
and how it was solved in:
List of repositories added as git submodules with their revisions:
EndBug/latest-tag@latestmorrisoncole/pr-lint-action@v1.4.1trilom/file-changes-action@v1.2.4styfle/cancel-workflow-action@0.6.0apache-superset/cached-dependencies@b90713bunsplash/comment-on-pr@v1.2.0BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
TEST PLAN
ADDITIONAL INFORMATION