On Wed, Jan 6, 2021, 7:31 AM Jarek Potiuk <ja...@potiuk.com> wrote:

> I prefer a constructive approach rather than criticising and complaining, and
> I think we found (together with Ash) an even better approach with submodules.
>
> Daniel - I know you will be working on the infra side on that - I think you
> should consider making the below submodule approach the "highly recommended" or
> even "the only supported" one. It seems to solve all the problems without
> impacting the "action" workflow too much.
>
> I think we have a perfect solution in Airflow that can be applied by everyone
> @apache and might become something easily verifiable at scanning.
>
> It seems we found a way to add the actions as submodules rather than subrepo.
> IMHO it passes all security requirements. It's as easy as incorporating the
> actions before the security policy change, you do not have to copy anything, yet
> you keep the review "requirement" and "SHA" requirement. You can easily add any
> action from any source, but it forces you to review it and pin it to a specific
> SHA version.
Btw, this is really not ideal if the action is docker based, like the GitHub SuperLinter. Rebuilding this takes forever if it does not pull the existing container. It's hard enough to keep workflows in sync across multiple repos as it is, and this year GitHub is planning on releasing features to make it easier to share common definitions. Submodules for Actions are likely going to add a whole lot more friction to this process. Also, as for banning the git credentials bit in checkout, please make sure you keep in mind the different workflows that people have. Are we not going to be able to auto push our website?

--Brennan
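The "SHA requirement" in the quoted proposal is a policy that can be checked mechanically: every `uses:` reference in a workflow must either point at a reviewed in-repo path (which is what the submodule approach yields) or at a full 40-hex commit, never at a movable tag or branch. The audit below is an added example, not code from Airflow, the thread's authors or GitHub; the sample workflow and the commit SHA inside it are constructed.

```python
import re
from typing import List, Tuple

# A full 40-hex commit SHA is the only reference form that cannot be moved
# after review; a tag like @v2 or a branch name can be repointed upstream.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")


def classify_uses(ref: str) -> str:
    """Classify one `uses:` reference.

    'local'    -> ./path inside the repo (submodule or vendored action, reviewed with the tree)
    'pinned'   -> owner/repo[/path]@<40-hex sha>, or docker://image@sha256:<digest>
    'unpinned' -> anything referenced by tag, branch or bare image name
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "pinned" if "@sha256:" in ref else "unpinned"
    if "@" in ref:
        _, version = ref.rsplit("@", 1)
        return "pinned" if SHA_RE.match(version) else "unpinned"
    return "unpinned"


def audit_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ref, verdict) for every `uses:` line that violates the policy."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if match:
            ref = match.group(1)
            verdict = classify_uses(ref)
            if verdict == "unpinned":
                findings.append((line_no, ref, verdict))
    return findings


# Constructed sample: one tag-pinned action, one SHA-pinned action (fake SHA),
# one in-repo action as the submodule approach would produce, one unpinned image.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
      - uses: ./.github/actions/super-linter
      - uses: docker://alpine:3.12
"""

if __name__ == "__main__":
    for line_no, ref, verdict in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is {verdict}")
```

Run against the sample it reports lines 7 and 10; the SHA-pinned step and the in-repo (submodule) step pass.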