Jarek>Actions are usually rather small

https://github.com/burrunan/gradle-cache-action becomes 3 megabytes of JavaScript when compiled. It takes a couple of minutes to build the action itself.
Jarek>but judging from some recent discussions
Jarek>this is very clear from legal point of view they only care about the
Jarek>releases

That contradicts the blocking of the third-party actions. The actions can't perform the release, and they can't impact/augment the release file. If the only thing they care about is the release, then actions are not a problem at all.

http://www.apache.org/legal/resolved.html#stackoverflow

Legal/resolved>CAN I COPY CODE FROM STACK OVERFLOW AND CONTRIBUTE IT TO AN ASF PROJECT?
Legal/resolved>*No*, not without contacting the original author and getting permission from them to use the code in an Apache project under the Apache License 2.0.

That explicitly forbids copy-paste from Stack Overflow. In other words, the ASF repositories must not have doubtful code.

Jarek>We discussed it already and GitHub actions have far more access than
Jarek>any other dependency because they have potentially uncontrolled access
Jarek>to write to your project.

The action itself has NO extra access. The developer grants the access by adding GITHUB_TOKEN to the yaml file.

Jarek>Nope. They have more. They can have implicit (hidden in action.xml) access
Jarek>to write GITHUB_TOKEN which is not controllable by your workflow and is
Jarek>granted on Github Actions scheduler level,

That is easily verifiable, and everybody can control that from the workflow provided they use a SHA for the action reference. The verification is way easier than the copy-paste-subrepo dance.

Jarek>This is far MORE than any of the dependencies and you seem to ignore this
Jarek>reality constantly

You seem to assume that "almost every action would need GITHUB_TOKEN for a good reason". On the other hand, I assume that GITHUB_TOKEN-based actions must not be used (or they should have extra isolation). There was a case where actions/checkout cached the credentials to a file, and the file could easily be read by a Maven plugin. That is why I say actions have virtually the same power as the build script plugins.
Jarek>I do not think (but correct me if I am wrong) that this is the case.

Please check ICLA: http://www.apache.org/licenses/icla.pdf

ICLA>7. Should You wish to submit work that is not Your original creation,
ICLA>You may submit it to the Foundation separately from any Contribution,
ICLA>identifying the complete details of its source and of any license or other restriction...
ICLA>(including, but not limited to, related patents, trademarks, and license agreements)
ICLA>of which you are personally aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [named here]"

That means everybody who contributes third-party code to a repository must perform license clearance. You cannot push random stuff to the ASF repository even if you are a PMC.

Jarek>if I DELETE the repo, I will immediately impact
Jarek>all other projects using them

I mean ASF-wide repositories rather than your personal ones.

Vladimir
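The two controls the reply leans on (pin each action to a commit SHA so the executed code is verifiable from the workflow, and stop actions/checkout from leaving the token on disk) can be checked mechanically. The script below is an added example written for this thread, not code from the ASF, Jarek or Vladimir; it is a stdlib-only, line-based scan rather than a full YAML parser, the sample workflow is constructed, and the 40-hex value in it is a placeholder rather than a real commit.

```python
import re
# Matches `uses: owner/repo@ref`, with or without a leading list dash or quotes.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
        with:
          persist-credentials: false
      - uses: burrunan/gradle-cache-action@v1
      - uses: ./.github/actions/local-step
      - run: ./gradlew build
"""

def _step_disables_persist(lines, uses_index):
    """True if the step starting at lines[uses_index] sets persist-credentials: false."""
    indent = len(lines[uses_index]) - len(lines[uses_index].lstrip())
    for line in lines[uses_index + 1:]:
        if not line.strip():
            continue
        cur = len(line) - len(line.lstrip())
        # A shallower line, or a new `- ` item at the same depth, ends this step.
        if cur < indent or (cur == indent and line.lstrip().startswith("- ")):
            break
        if re.match(r"^\s*persist-credentials:\s*false\s*$", line):
            return True
    return False

def audit_workflow(text):
    """Return 'line N: ...' findings for unpinned actions and credential-caching checkouts."""
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local or container reference: nothing remote to pin
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(f"line {idx + 1}: {ref} is not pinned to a full commit SHA")
        if action == "actions/checkout" and not _step_disables_persist(lines, idx):
            findings.append(f"line {idx + 1}: {action} leaves persist-credentials enabled")
    return findings
```

Running `audit_workflow` over a real `.github/workflows/*.yml` file gives the same kind of report; a tag such as `@v1` passes the mutable-reference check only once it is replaced by the commit it resolves to.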