Question:

Do you think it was a good idea, to restrict it on Sunday right after Xmas
literally two minutes after it has been announced on users@, where really
builds@ is the list we are mostly discussing stuff related to builds?

I am sure you do realize that this way you force all the project
maintainers who use custom actions to literally throw whatever they do and
start moving stuff and fix things? Could you please explain this situation?

Was it as a response to some security incident that would justify such
immediate and disruptive action without an earlier warning? What was the
reasoning behind this?

Note that this has been discussed before - and the general consensus and we
are rigorously following
https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions
- where we pin 3rd-party actions to specific SHAs rather than to tags or
branches. We reviewed all the actions @commits (or even wrote some of
those ourselves).

J.

On Sun, Dec 27, 2020 at 1:42 PM Jarek Potiuk <ja...@potiuk.com> wrote:

> Ok. It works after logging. I will make another comment shortly after
> subscribing to the list but I think this was very badly executed.
>
> J.
>
>
>
> On Sun, Dec 27, 2020 at 1:38 PM Jarek Potiuk <ja...@potiuk.com> wrote:
>
> > the link does not work
> >
> > On Sun, Dec 27, 2020 at 1:34 PM Roy Lenferink <rlenfer...@apache.org>
> > wrote:
> >
> >> This is related to the thread Daniel just posted on the users@infra list:
> >>
> >> https://lists.apache.org/thread.html/r900f8f9a874006ed8121bdc901a0d1acccbb340882c1f94dad61a5e9%40%3Cusers.infra.apache.org%3E
> >>
> >> On Sun, 27 Dec 2020 at 13:26, Andreas Veithen <andreas.veit...@gmail.com> wrote:
> >>
> >> > Same for https://github.com/apache/axis-axis2-java-core (with no
> >> > configuration changes on our side).
> >> >
> >> > Andreas
> >> >
> >> > On Sun, Dec 27, 2020 at 12:25 PM Jarek Potiuk <pot...@apache.org> wrote:
> >> >
> >> > > Is there a change in the policy of Apache Airflow to only allow
> >> > > actions hosted in-organization? Or is it a mistake in configuration?
> >> > >
> >> > > We've just started @Apache Airflow to experience errors of this kind out of
> >> > > a sudden (literally within the last hour).
> >> > >
> >> > > potiuk/get-workflow-origin@588cc14f9f1cdf1b8be3db816855e96422204fec,
> >> > > louisbrunner/checks-action@9f02872da71b6f558c6a6f190f925dde5e4d8798,
> >> > > actions/checkout@v2, actions/checkout@v2, actions/checkout@v2,
> >> > > tobked/label-when-approved-action@4c5190fec5661e98d83f50bbd4ef9ebb48bd1194,
> >> > > louisbrunner/checks-action@9f02872da71b6f558c6a6f190f925dde5e4d8798,
> >> > > tobked/label-when-approved-action@4c5190fec5661e98d83f50bbd4ef9ebb48bd1194,
> >> > > tobked/label-when-approved-action@4c5190fec5661e98d83f50bbd4ef9ebb48bd1194,
> >> > > and louisbrunner/checks-action@9f02872da71b6f558c6a6f190f925dde5e4d8798
> >> > > are not allowed to be used in apache/airflow. Actions in this workflow
> >> > > must be: within a repository owned by apache.
> >> > >
> >> > >
> >> > > J,
> >> > >
> >> >
> >>
> >
> >
> > --
> > +48 660 796 129
> >
>
>
> --
> +48 660 796 129
>


-- 

Jarek Potiuk
Polidea <https://www.polidea.com/> | Principal Software Engineer

M: +48 660 796 129 <+48660796129>
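
An added example (not part of the original thread, and not Apache Infra's or Airflow's own tooling): a small Python audit of the two properties discussed above, whether each `uses:` reference is pinned to a full commit SHA and whether it lives under an allowed owner. The function name, the `allowed_owners` parameter and the sample workflow are assumptions made for illustration.

```python
import re

# Matches "uses: owner/repo[/path]@ref" in a workflow step or job.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
# A pin only counts if it is a full 40-character commit SHA.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text, allowed_owners=("apache",)):
    """Return one finding per remote `uses:` reference in a workflow file."""
    findings = []
    for ref in USES_RE.findall(text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and container images are out of scope here
        target, _, version = ref.partition("@")
        owner = target.split("/")[0].lower()
        findings.append({
            "action": target,
            "ref": version,
            "pinned_to_sha": bool(FULL_SHA_RE.match(version)),
            "owner_allowed": owner in allowed_owners,
        })
    return findings


# Constructed sample workflow; two references are taken from the error message
# quoted in the thread, the apache/ one is hypothetical.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: potiuk/get-workflow-origin@588cc14f9f1cdf1b8be3db816855e96422204fec
      - name: local helper
        uses: ./.github/actions/helper
      - uses: apache/example-action@main  # hypothetical in-org action
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE):
        status = "pinned" if f["pinned_to_sha"] else "MUTABLE REF"
        scope = "in-org" if f["owner_allowed"] else "third-party"
        print(f"{f['action']}@{f['ref']}: {status}, {scope}")
```

The two checks are independent: a SHA-pinned third-party action still fails an owner allow-list, and an in-org action referenced by branch passes the allow-list while remaining a mutable reference.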