Website builds are handled by a specific deployment script that doesn't necessarily need to give write access to GitHub Actions or other builds. Unless you're talking about generating a static site and committing it to git and then having it published? Which is also somewhat supported for website builds.
On Wed, 6 Jan 2021 at 09:52, Brennan Ashton <bash...@brennanashton.com> wrote:
>
> On Wed, Jan 6, 2021, 7:31 AM Jarek Potiuk <ja...@potiuk.com> wrote:
>
> > I prefer a constructive approach rather than criticising and complaining,
> > and I think we found (together with Ash) an even better approach with
> > submodules.
> >
> > Daniel - I know you will be working on the infra side on that - I think
> > you should consider making the below submodule approach the "highly
> > recommended" or even "the only supported" one. It seems to solve all the
> > problems without impacting the "action" workflow too much.
> >
> > I think we have a perfect solution in Airflow that can be applied by
> > everyone @apache and might become something easily verifiable at
> > scanning.
> >
> > It seems we found a way to add the actions as submodules rather than
> > subrepo. IMHO it passes all security requirements. It's as easy as
> > incorporating the actions before the security policy change, you do not
> > have to copy anything, yet you keep the review "requirement" and "SHA"
> > requirement. You can easily add any action from any source, but it
> > forces you to review it and pin it to a specific SHA version.
> >
> Btw this is really not ideal if the action is Docker-based like the GitHub
> SuperLinter. Rebuilding this takes forever if it does not pull the
> existing container.
>
> It's hard enough to keep workflows in sync across multiple repos as it is,
> and this year GitHub is planning on releasing features to make it easier
> to share common definitions. Submodules for Actions are likely going to
> add a whole lot more friction to this process.
>
> Also, as for banning the git credentials bit in checkout, please make sure
> you keep in mind the different workflows that people have. Are we not
> going to be able to auto-push our website?
>
> --Brennan
>
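Jarek's remark that the submodule approach "might become something easily verifiable at scanning" suggests a repository-side check. The script below is an added example written for this page, not code from the thread, from Airflow, or from ASF infra tooling: it flags every `uses:` reference in a workflow that is neither a local path (such as a reviewed submodule checked into the repo) nor pinned to an immutable identifier (a full 40-hex commit SHA, or an image digest for `docker://` actions). The workflow text is constructed for the demonstration; the `scan_workflows` helper and its default path are assumptions about where a project keeps its workflows.

```python
from __future__ import annotations

import re
from pathlib import Path

# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ./.github/actions/setup-python          # vendored via submodule
      - uses: docker://ghcr.io/example/linter:latest
      - uses: actions/cache@a1b2c3d4e5f60718293a4b5c6d7e8f9012345678
"""

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")


def classify(ref: str) -> str:
    """Return 'local', 'pinned' or 'floating' for one 'uses:' reference."""
    if ref.startswith("./"):
        return "local"  # path inside the repo, reviewed like any other file
    if ref.startswith("docker://"):
        # An image pinned by digest is immutable; a tag can be repointed.
        return "pinned" if "@sha256:" in ref else "floating"
    if "@" in ref:
        _, version = ref.rsplit("@", 1)
        return "pinned" if SHA40.match(version) else "floating"
    return "floating"  # no ref at all means the default branch


def floating_uses(workflow_text: str) -> list[str]:
    """List every 'uses:' reference that is neither local nor immutably pinned."""
    found = []
    for line in workflow_text.splitlines():
        m = USES.match(line)
        if m and classify(m.group(1)) == "floating":
            found.append(m.group(1))
    return found


def scan_workflows(root: str = ".github/workflows") -> dict[str, list[str]]:
    """Map each workflow file under root (assumed location) to its floating refs."""
    report: dict[str, list[str]] = {}
    for path in sorted(Path(root).glob("*.y*ml")):
        bad = floating_uses(path.read_text())
        if bad:
            report[path.name] = bad
    return report


if __name__ == "__main__":
    for ref in floating_uses(SAMPLE_WORKFLOW):
        print("not pinned:", ref)
```

Tags such as `@v2` and image tags such as `:latest` are flagged because the upstream can move them; a local path or a full SHA is what the review-and-pin requirement in the thread actually guarantees.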