Posted to github@beam.apache.org by GitBox <gi...@apache.org> on 2022/08/24 23:28:54 UTC

[GitHub] [beam] dannymartinm commented on pull request #22703: [GitHub Actions] Self-hosted runners migration

dannymartinm commented on PR #22703:
URL: https://github.com/apache/beam/pull/22703#issuecomment-1226596137

   
   **Option 3:**  Using `pull_request` with “**Require approval from first time contributors**”
   - Pros
     - Toil is reduced as only first time contributors are going to require manual approval. 
     - Repository security concerns are eliminated as write tokens are not granted to the `pull_request` directive.
   
   - Cons
     - Any person who is not a first-time contributor can modify their workflows and the trigger events; then, by opening a PR, they will be executed without the requirement of approval, and the untrusted code will run directly on our self-hosted runners.
   
   
   **Ideal scenario:** A good scenario from our perspective would be to use `pull_request` and be able to lock the workflow against external modifications while still allowing execution of the safe ones from master without external approval.
     - Unfortunately, **we haven’t found a way** with the options provided by GitHub to ensure the integrity of the workflow while still allowing executions from verified master jobs without external approval (acting as a combination of the integrity feature of `pull_request_target` and the repository security of `pull_request`).
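As an added illustration of the "Option 3" setup discussed in the comment above (example configuration written for this page, not a workflow from the apache/beam PR), the following GitHub Actions workflow triggers on `pull_request` and pins the `GITHUB_TOKEN` to read-only. The workflow name, runner labels and the test command are placeholders; the trigger and `permissions` keys are standard GitHub Actions syntax.

```yaml
# Added example, not part of the PR: a self-hosted-runner workflow for "Option 3".
# With the pull_request trigger, a PR coming from a fork gets a read-only
# GITHUB_TOKEN and no repository secrets, so code from the PR head cannot
# push to the repository even though it runs on the self-hosted runner.
name: pr-tests                      # placeholder name
on:
  pull_request:
    branches: [master]

# Explicitly restrict the token for same-repository PRs as well; without this
# key the default token permissions of the repository apply.
permissions:
  contents: read

jobs:
  test:
    # Runner labels are an assumption; use the labels of your own runner pool.
    runs-on: [self-hosted, ubuntu-20.04]
    steps:
      # pull_request checks out the PR merge commit by default, i.e. the
      # contributor's workflow file and code, which is the "Cons" the comment describes.
      - uses: actions/checkout@v3
      - run: ./gradlew test           # placeholder test command
```

The "Require approval for first-time contributors" part of Option 3 is not expressed in the workflow file: it is the repository setting under Settings > Actions > General (fork pull request workflows from outside collaborators). The `permissions` key narrows only the `GITHUB_TOKEN`; switching the trigger to `pull_request_target` would run the base-branch copy of this file with a write-capable token and repository secrets available, which is exactly the trade-off the comment says GitHub offers no way to combine.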
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscribe@beam.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org