Fwd: [NOTICE] Upcoming global changes to default GitHub Actions behavior for outside collaborators

[Jarek Potiuk <ja...@potiuk.com>]

BTW. I am going to strongly oppose that (ticket is coming)

---------- Forwarded message ---------
From: Jarek Potiuk <ja...@potiuk.com>
Date: Mon, Feb 13, 2023 at 8:55 PM
Subject: Re: [NOTICE] Upcoming global changes to default GitHub
Actions behavior for outside collaborators
To: <us...@infra.apache.org>
Cc: <an...@infra.apache.org>


I will raise a ticket and explain.

But This would be a huge blow to the Airflow community and almost
immediate burn-out of the active committers if it goes life for
Airflow. And likely many other projects.

I am very strongly convinced it should not be enforced.

J.

On Mon, Feb 13, 2023 at 8:51 PM Daniel Gruno <hu...@apache.org> wrote:
>
> To Project PMCs:
>
> GitHub for Apache projects is currently set to allow a non-committer
> contributor to use GitHub Actions if a previous pull request by that
> person has been approved.
>
> This has raised some security concerns, and could cause issues with
> overall use and availability of GitHub Actions.
>
> The Infrastructure Team proposes to change the default to “always
> require approval for external contributors”. We intend to make this
> change on Sunday the 19th of March, 2023.
>
> This change will apply to all GitHub repositories that do not already
> have a specific GitHub Actions policy set.
>
> Projects that have a strong desire to use the “only need approval first
> time” option should communicate that, explaining their reasons, in a
> Jira ticket for Infra. Please be as specific as you can in which
> repositories you wish to have this option set for, should you choose to.
>
> With regards,
> Daniel, on behalf of the ASF Infrastructure Team.

Re: [NOTICE] Upcoming global changes to default GitHub Actions behavior for outside collaborators

["Ferruzzi, Dennis" <fe...@amazon.com.INVALID>]

Yeah, that sounds like a really bad decision for our workflow.  It makes me wonder how other projects are handling their workflow if this doesn't break them.  I can only see this working for a small team who are all/mostly committers and rarely get outside contributions.


- ferruzzi


________________________________
From: Jarek Potiuk <ja...@potiuk.com>
Sent: Monday, February 13, 2023 11:58 AM
To: dev@airflow.apache.org
Subject: FW: [EXTERNAL][NOTICE] Upcoming global changes to default GitHub Actions behavior for outside collaborators

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.



BTW. I am going to strongly oppose that (ticket is coming)

---------- Forwarded message ---------
From: Jarek Potiuk <ja...@potiuk.com>
Date: Mon, Feb 13, 2023 at 8:55 PM
Subject: Re: [NOTICE] Upcoming global changes to default GitHub
Actions behavior for outside collaborators
To: <us...@infra.apache.org>
Cc: <an...@infra.apache.org>


I will raise a ticket and explain.

But This would be a huge blow to the Airflow community and almost
immediate burn-out of the active committers if it goes life for
Airflow. And likely many other projects.

I am very strongly convinced it should not be enforced.

J.

On Mon, Feb 13, 2023 at 8:51 PM Daniel Gruno <hu...@apache.org> wrote:
>
> To Project PMCs:
>
> GitHub for Apache projects is currently set to allow a non-committer
> contributor to use GitHub Actions if a previous pull request by that
> person has been approved.
>
> This has raised some security concerns, and could cause issues with
> overall use and availability of GitHub Actions.
>
> The Infrastructure Team proposes to change the default to “always
> require approval for external contributors”. We intend to make this
> change on Sunday the 19th of March, 2023.
>
> This change will apply to all GitHub repositories that do not already
> have a specific GitHub Actions policy set.
>
> Projects that have a strong desire to use the “only need approval first
> time” option should communicate that, explaining their reasons, in a
> Jira ticket for Infra. Please be as specific as you can in which
> repositories you wish to have this option set for, should you choose to.
>
> With regards,
> Daniel, on behalf of the ASF Infrastructure Team.