Posted to builds@apache.org by Tristan Van Berkom <tr...@codethink.co.uk> on 2021/03/09 08:33:01 UTC

Pre-merge CI in apache github repositories

Hi all,

I am new to Apache and still finding my way around how to approach and
discuss issues around here. Gavin McDonald invited me to post to this
list in lieu of having the discussion on the issue I had created here:

    https://issues.apache.org/jira/browse/INFRA-21500

Normally, I would provide more concrete and fully detailed proposals,
but as I haven't found my footing here yet, I will try to simply open a
conversation.

I mean for this to be a two tier conversation, as it makes no sense to
me to solve this issue solely for our project without solving it for
all apache projects unilaterally (or at least all apache projects which
use github).

For our immediate needs, as the subject line indicates (and the issue
also describes), pre-merge CI for the BuildStream project is broken as
of our migration to ASF github.

Pre-merge CI works for the privileged few core developers who have direct
access to the repository: https://github.com/apache/buildstream, but
this is by no means sufficient.

If CI does not work for regular external contributors, first-time patch
submitters or drive-by patch contributors, then I think it is fair to
just say "CI is broken" (justifying why this is important in this post
will only make my post unnecessarily long).

So with that said, I would like to ask the community some questions:

  o What is the correct way of approaching pre-merge CI for ASF github projects ?

    If you have "the answer" to this, please provide it and disregard
    the entire remainder of this email, I will be happy to fall in line,
    maybe I just was not directed to the correct wiki page telling me
    how to do this :)

  o Looking at JIRA 21500 above and other linked issues, this appears
    to be blocked by security concerns.

    If the worst thing that can happen is that our runners are down for
    a couple of days and some ephemeral caches get flushed/lost as a
    result, and that this only ever happens once in a blue moon, then
    maybe we are just being overly precautious here and the solution is
    to simply accept this low impact vulnerability ?

    To quote/paraphrase others: are we allowing perfect to be the enemy
    of good in this instance ?

  o As I understand it, we have one team spread thin handling
    infrastructure, and we have a lot of projects which are using a
    variety of services to achieve the same goals.

    Is there already an initiative in place to unify the services which
    must be used to host an apache project ?

    We already migrated from GitLab to GitHub for the sake of entering
    the ASF, and I think as long as some basic (but modern) criteria is
    met, we would be happy to have these things dictated to us if it
    means that in general we have better ability to maintain our infra.

    I *will* cry inside if you force us to use CVS and JIRA, but I
    think you get my drift here...

  o Alternatively, if we are going to be open about every project doing
    everything in their own way, then, why not just allow ASF projects
    to use external services like GitHub and GitLab ?

    As mentioned in JIRA 21500 (linked above), CI works fine in GitHub
    as long as we are not in the apache namespace.

    Does it make sense to be spending concrete efforts on the ground
    merely to satisfy a matter of policy ? Maybe the policy needs to
    shift ?


Best Regards,
    -Tristan



Re: Pre-merge CI in apache github repositories

Posted by Tristan Van Berkom <tr...@codethink.co.uk>.
On Tue, 2021-03-09 at 09:53 +0100, Antoine Pitrou wrote:
> On 09/03/2021 at 09:33, Tristan Van Berkom wrote:
> > So with that said, I would like to ask the community some questions:
> > 
> >    o What is the correct way of approaching pre-merge CI for ASF github projects ?
> > 
> >      If you have "the answer" to this, please provide it and disregard
> >      the entire remainder of this email, I will be happy to fall in line,
> >      maybe I just was not directed to the correct wiki page telling me
> >      how to do this :)
> 
> Do you mean CI on submitted PRs?
> 
> In my experience (Apache Arrow) it works, so I'm not sure which problems 
> you are encountering.  The only thing that's limited is the Github 
> actions you are allowed to execute (AFAIK there's essentially a 
> "whitelist" of actions allowed by the ASF).
> 
> This is an example PR submitted by a non-committer:
> https://github.com/apache/arrow/pull/9649
> 

I see, yes, if this is the case, then I did not interpret the github
setting correctly, and our pull_request actions are broken for a
different reason...

We are currently only using standard github `actions/checkout@v2` and 
`actions/upload-artifact@v2` actions in pre-merge, and we don't have
any custom "actions" at all in any of our workflows (we only use github
provided actions).

Is there somewhere we can see the list of whitelisted actions ?

Thanks all for replying so promptly !

Cheers,
    -Tristan



Re: Pre-merge CI in apache github repositories

Posted by Hans Van Akelyen <ha...@gmail.com>.
Hi,

I think most projects use Github Actions to run pre-merge checks on
their PRs.
What is currently blocked is using custom actions that are not whitelisted
by the ASF.
The reason is that these actions could unknowingly alter the repository and
inject maleficent code.

For more info you can read the (very long) discussion on the mailing list:
https://lists.apache.org/thread.html/r435c45dfc28ec74e28314aa9db8a216a2b45ff7f27b15932035d3f65%40%3Cbuilds.apache.org%3E

Cheers,
Hans

On Tue, 9 Mar 2021 at 09:54, Antoine Pitrou <an...@python.org> wrote:

>
> On 09/03/2021 at 09:33, Tristan Van Berkom wrote:
> >
> > So with that said, I would like to ask the community some questions:
> >
> >    o What is the correct way of approaching pre-merge CI for ASF github projects ?
> >
> >      If you have "the answer" to this, please provide it and disregard
> >      the entire remainder of this email, I will be happy to fall in line,
> >      maybe I just was not directed to the correct wiki page telling me
> >      how to do this :)
>
> Do you mean CI on submitted PRs?
>
> In my experience (Apache Arrow) it works, so I'm not sure which problems
> you are encountering.  The only thing that's limited is the Github
> actions you are allowed to execute (AFAIK there's essentially a
> "whitelist" of actions allowed by the ASF).
>
> This is an example PR submitted by a non-committer:
> https://github.com/apache/arrow/pull/9649
>
> Regards
>
> Antoine.
>
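
Added example, not part of the thread and not ASF or BuildStream code: a small audit that lists the `uses:` references in a workflow file and reports the ones outside an action allowlist, which is the restriction described in the message above. The allowlist pattern, the sample workflow and the `example-org/custom-lint` action are assumptions constructed for illustration; the real ASF list is not given in this thread.

```python
import fnmatch
import re

# Assumed allowlist for illustration (GitHub-provided actions only);
# the real ASF list is not given in this thread.
ALLOWED_PATTERNS = ["actions/*"]

# Constructed sample workflow, not BuildStream's real file.
SAMPLE_WORKFLOW = """\
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Lint
        uses: "example-org/custom-lint@v1"   # hypothetical third-party action
      - uses: ./.github/actions/local-setup
      - run: echo "uses: not/an-action@v1"
      - uses: actions/upload-artifact@v2
"""

USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*['"]?([^'"\s#]+)""")


def extract_uses(workflow_text):
    """Return (line_number, reference) for every `uses:` key."""
    found = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            found.append((lineno, match.group(1)))
    return found


def audit(workflow_text, allowed=ALLOWED_PATTERNS):
    """Return references that are neither local nor on the allowlist."""
    blocked = []
    for lineno, ref in extract_uses(workflow_text):
        if ref.startswith("./"):
            continue  # action defined inside the repository itself
        # owner/repo/path@ref -> owner/repo
        owner_repo = "/".join(ref.split("@", 1)[0].split("/")[:2])
        if not any(fnmatch.fnmatch(owner_repo, pat) for pat in allowed):
            blocked.append((lineno, ref))
    return blocked


if __name__ == "__main__":
    print(audit(SAMPLE_WORKFLOW))
```

Running the same audit over every file under `.github/workflows/` before opening a PR shows which steps an allowlist of this kind would refuse to run.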

Re: Pre-merge CI in apache github repositories

Posted by Antoine Pitrou <an...@python.org>.
On 09/03/2021 at 09:33, Tristan Van Berkom wrote:
> 
> So with that said, I would like to ask the community some questions:
> 
>    o What is the correct way of approaching pre-merge CI for ASF github projects ?
> 
>      If you have "the answer" to this, please provide it and disregard
>      the entire remainder of this email, I will be happy to fall in line,
>      maybe I just was not directed to the correct wiki page telling me
>      how to do this :)

Do you mean CI on submitted PRs?

In my experience (Apache Arrow) it works, so I'm not sure which problems 
you are encountering.  The only thing that's limited is the Github 
actions you are allowed to execute (AFAIK there's essentially a 
"whitelist" of actions allowed by the ASF).

This is an example PR submitted by a non-committer:
https://github.com/apache/arrow/pull/9649

Regards

Antoine.