Posted to dev@mahout.apache.org by Andrew Musselman <an...@gmail.com> on 2023/02/13 19:59:07 UTC

Fwd: [NOTICE] Upcoming global changes to default GitHub Actions behavior for outside collaborators

FYI, no need from my point of view to keep the more permissive setting, but
if anyone disagrees, please speak up.

---------- Forwarded message ---------
From: Daniel Gruno <hu...@apache.org>
Date: Mon, Feb 13, 2023 at 11:50 AM
Subject: [NOTICE] Upcoming global changes to default GitHub Actions
behavior for outside collaborators
To: <an...@infra.apache.org>


To Project PMCs:

GitHub for Apache projects is currently set to allow a non-committer
contributor to use GitHub Actions if a previous pull request by that
person has been approved.

This has raised some security concerns, and could cause issues with
overall use and availability of GitHub Actions.

The Infrastructure Team proposes to change the default to “always
require approval for external contributors”. We intend to make this
change on Sunday the 19th of March, 2023.

This change will apply to all GitHub repositories that do not already
have a specific GitHub Actions policy set.

Projects that have a strong desire to use the “only need approval first
time” option should communicate that, explaining their reasons, in a
Jira ticket for Infra. Please be as specific as you can in which
repositories you wish to have this option set for, should you choose to.

With regards,
Daniel, on behalf of the ASF Infrastructure Team.