> Btw this is really not ideal if the action is docker based like the GitHub
> SuperLinter. Rebuilding this takes forever if it does not pull the
> existing container.

I believe super linter is an official GitHub one. All official actions that are GitHub owned are 'business as usual'. And I think you do not need to rebuild the images once, possibly copy it to your repo and refer from there. We are doing exactly this in airflow:

1) We have very simple scripts to rebuild the images that we use in our CI:
   https://github.com/apache/airflow/tree/master/scripts/ci/dockerfiles

2) We push them to our apache/airflow dockerhub. For example we built and pushed the image for apache RAT tool that we use to run kerberos tests:
   https://hub.docker.com/layers/apache/airflow/krb5-kdc-server-2020.08.28/images/sha256-a9cc78013a0073551421cc3dc8751daf8fa26ebf4e3b5de27c2f931cea26f447?context=explore

3) We refer to those images in our CI jobs:
   https://github.com/apache/airflow/blob/master/scripts/ci/docker-compose/integration-kerberos.yml

We use images built once and they get updated maybe twice a year. And we have scripts to rebuild and push them semi automatically, but we keep control over them this way (with very, very little effort).

> It's hard enough to keep workflows in sync across multiple repos as it is,
> and this year GitHub is planning on releasing features to make that easier
> to share common definitions. Submodules for Actions is likely going to add
> a whole lot more friction to this process.

This is very little effort and no maintenance at all. It's just a little bit more effort than to add action "as usual":

Just to show exactly what we are talking about:

What we propose:

.gitmodules

    [submodule ".github/actions/get-workflow-origin"]
        path = .github/actions/get-workflow-origin
        url = https://github.com/potiuk/get-workflow-origin

In your YAML:

    - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
      uses: actions/checkout@v2
      with:
        persist-credentials: false
        submodules: recursive
    - name: "Get information about the PR"
      uses: ./.github/actions/get-workflow-origin
      id: source-run-info
      with:
        token: ${{ secrets.GITHUB_TOKEN }}

What was there originally:

    - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
      uses: actions/checkout@v2
      with:
        persist-credentials: false
    - name: "Get information about the PR"
      uses: potiuk/get-workflow-origin@588cc14f9f1cdf1b8be3db816855e96422204fec # v1_3
      id: source-run-info
      with:
        token: ${{ secrets.GITHUB_TOKEN }}

This is very little change, but it is WAY more secure, because not only does it force a review whenever it changes, but it automatically stores the SHA of the repo in the commit, without even thinking about it.

I do not think there is much of a maintenance difference. If anything it is simpler with submodule because the only thing you need to do is

    git submodule update --remote .github/actions/get-workflow-origin

Then in the PR you review the code (which you MUST do anyway). That's it.

> Also as for banning the git credentials bit in checkout please make sure
> you keep in mind the different workflows that people have. Are we not
> going to be able to auto push our website?

Absolutely not. This is precisely where we use the action (of my friend BTW) https://github.com/ad-m/github-push-action

It requires GITHUB_TOKEN to be passed and once you add it via submodule you can review it and use it to push your changes to your or another repo.

> --Brennan

--
+48 660 796 129
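
An added example, not part of the original message or of the Airflow project: a small Python check that classifies every `uses:` reference in a workflow as local (for instance a reviewed submodule), GitHub-owned, pinned to a full commit SHA, or a mutable ref that can change without review. The sample workflow text, the `TRUSTED_OWNERS` set, the function names and the `@master` ref on the push action are assumptions constructed for illustration.

```python
import re

# Constructed samples modelled on the two workflow variants in the message.
SUBMODULE_WORKFLOW = """\
- name: "Checkout"
  uses: actions/checkout@v2
- name: "Get information about the PR"
  uses: ./.github/actions/get-workflow-origin
"""
ORIGINAL_WORKFLOW = """\
- name: "Checkout"
  uses: actions/checkout@v2
- name: "Get information about the PR"
  uses: potiuk/get-workflow-origin@588cc14f9f1cdf1b8be3db816855e96422204fec # v1_3
- name: "Push the website"  # constructed step; the @master ref is hypothetical
  uses: ad-m/github-push-action@master
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Assumption: owners treated as GitHub-owned ("business as usual" in the message).
TRUSTED_OWNERS = {"actions", "github"}

def classify(ref):
    """Return how a `uses:` reference is pinned."""
    if ref.startswith("./"):
        return "local"              # in-repo path, e.g. a reviewed submodule
    if ref.startswith("docker://"):
        return "docker-digest" if "@sha256:" in ref else "docker-tag"
    target, _, version = ref.partition("@")
    owner = target.split("/")[0]
    if owner in TRUSTED_OWNERS:
        return "trusted-owner"
    if FULL_SHA_RE.match(version):
        return "sha-pinned"
    return "mutable-ref"            # tag, branch or no ref: can change silently

def audit(workflow_text):
    """Return (line_number, reference, classification) for every `uses:` line."""
    lines = enumerate(workflow_text.splitlines(), start=1)
    hits = ((n, USES_RE.match(line)) for n, line in lines)
    return [(n, m.group(1), classify(m.group(1))) for n, m in hits if m]

def violations(workflow_text):
    """References that are neither local, trusted-owner nor digest/SHA pinned."""
    return [f for f in audit(workflow_text) if f[2] in ("mutable-ref", "docker-tag")]
```

Run `violations()` over each file under `.github/workflows/` in CI and fail the job when the list is non-empty.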