On Thu, Jan 7, 2021 at 6:56 PM Vladimir Sitnikov < sitnikov.vladi...@gmail.com> wrote:

> What I mean is that there's a trivial workaround which does not require
> significant changes to the repository layout. On top of that, it does not
> change developer's workflows (they do not need to learn submodules)

This is a wrong assumption of yours. Only those who add actions need to learn about submodules. Usually those will be CI masters. No user/contributor needs to know about them. No user workflow is impacted whatsoever.

> On top of that, git submodules are NOT available for SVN repositories.

We are talking about GitHub Actions. Please correct me if I am wrong, but GitHub does not have SVN repositories, but surely you know that.

> That works for trivial actions only. GitHub diff can't show the diff of 2-3
> megabyte javascript files.
> GitHub can't diff Docker images and so on.

Surely. No one can do it effectively with or without GitHub. I believe you should not be allowed to run an action that you are not able to review. If you do, you put your project and the ASF at high risk. Again, to repeat: an unreviewed action might modify your repository (unlike any other 3rd-party stuff you add). This is the threat we are protecting against.

> The sheer fact that you have not done it
> in your example
>
> 1) I am the owner of burrunan/gradle-cache-action, so it is more-or-less
> fine that I trust myself. If somebody takes over my GitHub id, then the
> issue with action sha is the least harmful thing.

You did not say it when you showed yourself as an example (that potentially other people might follow). Even if you did, I strongly advise you to treat my actions the same way as any other. This is a basic assumption, as it might serve as an example for others. All actions in our workflows (including my own) were using commit SHA. Thanks to that, everyone who adds a new action will be more likely to follow the same pattern.

> 2) Of course the references can be switched to commit ids, however, I am
> inclined to avoid combining multiple changes at once. Currently it is
> obvious that the tag is the same as before the workaround.

Again, it is a matter of 'thinking' this way. Showing examples to other people with non-best-practice is a bad idea. This is a flawed example, sorry.

> Vladimir

--
+48 660 796 129
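As an added illustration of the practice argued for in this reply (every `uses:` reference pinned to a full commit SHA rather than a tag, with Docker images pinned by digest), here is a small checker that is not from this thread or from any ASF project; the workflow text, the step names other than burrunan/gradle-cache-action, and the 40-character SHA in it are constructed placeholders:

```python
import re
from typing import List, Optional, Tuple

# A `uses:` step reference such as actions/checkout@v2 or owner/repo/path@ref
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)['\"]?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_uses(ref: str) -> Optional[str]:
    """Return None if the reference is immutable, otherwise a short reason."""
    if ref.startswith("./"):
        return None  # local action: reviewed together with the repository itself
    if ref.startswith("docker://"):
        # a Docker image is only immutable when pinned by digest, not by tag
        return None if "@sha256:" in ref else "Docker image not pinned by digest"
    if "@" not in ref:
        return "no ref given (resolves to the default branch)"
    _, version = ref.rsplit("@", 1)
    if SHA_RE.match(version):
        return None  # full commit SHA: the action code cannot change underneath you
    return f"mutable ref {version!r} instead of a full commit SHA"

def find_unpinned_uses(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Scan workflow YAML line by line; report (line, ref, reason) for each weak pin."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            reason = classify_uses(m.group(1))
            if reason:
                findings.append((n, m.group(1), reason))
    return findings

# Constructed sample workflow; the 40-character SHA is a placeholder, not a real commit
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-java@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.12
      - uses: burrunan/gradle-cache-action@v1
"""

if __name__ == "__main__":
    for line_no, ref, reason in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {reason}")
```

Run it against a real `.github/workflows/*.yml` in CI to fail the build when a tag or branch reference slips in.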