Posted to dev@jmeter.apache.org by Vladimir Sitnikov <si...@gmail.com> on 2023/06/07 17:43:04 UTC

Review the ASF GitHub Actions policy

Currently, every pull request from an external contributor requires manual
approval,
which, I believe, adds unnecessary barriers for contributors.

Infra can remove that requirement, however, they ask us to review and
"affirm abiding by the requirements".

Here's the document: https://infra.apache.org/github-actions-policy.html

Would you please (especially committers and PMC members) review the policy
and affirm abiding by the requirements?

Here's my vote:
+1 I've reviewed the policy and I affirm abiding by the requirements

Vladimir

Re: Review the ASF GitHub Actions policy

Posted by Antonio Gomes Rodrigues <ra...@gmail.com>.
 Here's my vote:
+1 I've reviewed the policy and I affirm abiding by the requirements

On Mon, 7 Aug 2023 at 08:29, Daniel Gruno <hu...@apache.org> wrote:

> Any chance for a third +1 here? :)
>
> On 2023/07/07 16:28:41 Vladimir Sitnikov wrote:
> > >I will watch for abuse.
> >
> > Thank you for the response.
> >
> > Technically speaking, first-time contributors would need manual approval
> > for executing CI anyway,
> > so we don't need to constantly monitor pull requests for cryptominers and
> > things like that.
> >
> > Just wondering: are the others silent because they are busy or are they
> > silent because
> > they are not sure of the consequences?
> >
> > I would like to mention that the policy summarizes the most important
> > best practices for
> > using GitHub Actions in a secure manner, and we should follow it no
> > matter what.
> >
> > For example, we need to be careful when modifying CI configuration (e.g.
> > .github/.../*.yml files)
> > since merging some changes (e.g. pull_request_target option) might expose
> > secrets.
> >
> > Vladimir
> >
>

Re: Review the ASF GitHub Actions policy

Posted by Daniel Gruno <hu...@apache.org>.
Any chance for a third +1 here? :)

On 2023/07/07 16:28:41 Vladimir Sitnikov wrote:
> >I will watch for abuse.
> 
> Thank you for the response.
> 
> Technically speaking, first-time contributors would need manual approval
> for executing CI anyway,
> so we don't need to constantly monitor pull requests for cryptominers and
> things like that.
> 
> Just wondering: are the others silent because they are busy or are they
> silent because
> they are not sure of the consequences?
> 
> I would like to mention that the policy summarizes the most important best
> practices for
> using GitHub Actions in a secure manner, and we should follow it no matter
> what.
> 
> For example, we need to be careful when modifying CI configuration (e.g.
> .github/.../*.yml files)
> since merging some changes (e.g. pull_request_target option) might expose
> secrets.
> 
> Vladimir
> 

Re: Review the ASF GitHub Actions policy

Posted by Vladimir Sitnikov <si...@gmail.com>.
>I will watch for abuse.

Thank you for the response.

Technically speaking, first-time contributors would need manual approval
for executing CI anyway,
so we don't need to constantly monitor pull requests for cryptominers and
things like that.

Just wondering: are the others silent because they are busy or are they
silent because
they are not sure of the consequences?

I would like to mention that the policy summarizes the most important best
practices for
using GitHub Actions in a secure manner, and we should follow it no matter
what.

For example, we need to be careful when modifying CI configuration (e.g.
.github/.../*.yml files)
since merging some changes (e.g. pull_request_target option) might expose
secrets.

Vladimir
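
The pull_request_target hazard mentioned above, shown as three contrasting
workflow files in one block (separated by `---`). This is an added
illustration, not code from this thread or from the JMeter project; the
file names, job names, the `./gradlew build` step, the `DEPLOY_TOKEN`
secret and the labeler configuration are assumptions made for the example.

```yaml
# UNSAFE: .github/workflows/ci-unsafe.yml (hypothetical file name)
# pull_request_target runs in the context of the BASE repository: the job
# receives the repository's secrets and a GITHUB_TOKEN that can write to
# the repository. Checking out the PR head and then running its build
# script hands that trusted context to whoever opened the PR, because the
# PR can modify the build script itself (build.gradle.kts, gradlew, ...).
name: CI (unsafe pattern)
on:
  pull_request_target:                 # trusted context ...
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # ... untrusted code
      - name: Build
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # hypothetical secret, now readable by the fork's build script
        run: ./gradlew build           # executes whatever the PR put in the build

---
# SAFE: .github/workflows/ci.yml (hypothetical file name)
# pull_request runs in the fork's context: repository secrets are not
# passed to the runner, and GITHUB_TOKEN is read-only for PRs from forks.
# Untrusted code still runs, but with nothing worth stealing; the manual
# approval gate for first-time contributors is what limits abuse of the
# runner itself (e.g. cryptomining).
name: CI
on:
  pull_request:
permissions:
  contents: read                       # explicit least privilege, also for same-repo PRs
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4      # checks out the PR merge commit by default
      - name: Build
        run: ./gradlew build

---
# ACCEPTABLE: .github/workflows/label.yml (hypothetical file name)
# pull_request_target is fine when the job never checks out or executes
# anything from the PR and only acts on the event payload. Assumes a
# .github/labeler.yml configuration file exists in the base repository.
name: Label PR
on:
  pull_request_target:
    types: [opened]
permissions:
  pull-requests: write                 # only what the labeler needs
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5       # no checkout of the PR head
```

A practical review check when a PR touches `.github/workflows/*.yml`: look
for `pull_request_target` and, in the same workflow, any `actions/checkout`
step whose `ref` points at `github.event.pull_request.head.*` followed by a
step that runs code from the checkout (build tools, package managers,
scripts). That combination is the pattern that leaks secrets and the
write-capable token; plain `pull_request` is the default to reach for when
the job has to build the contributor's code.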

Re: Review the ASF GitHub Actions policy

Posted by Milamber <mi...@apache.org>.
Hi Vladimir,

Sorry for delay, my vote :

+1 I've reviewed the policy and I affirm abiding by the requirements

I will watch for abuse.

Milamber

On 07/06/2023 18:43, Vladimir Sitnikov wrote:
> Currently, every pull request from an external contributor requires manual
> approval,
> which, I believe, adds unnecessary barriers for contributors.
>
> Infra can remove that requirement, however, they ask us to review and
> "affirm abiding by the requirements".
>
> Here's the document: https://infra.apache.org/github-actions-policy.html
>
> Would you please (especially committers and PMC members) review the policy
> and affirm abiding by the requirements?
>
> Here's my vote:
> +1 I've reviewed the policy and I affirm abiding by the requirements
>
> Vladimir
>