And BTW, the change we (Ash) proposed in November is a very, very reasonable one. It does not require GitHub to change any of the architecture for security, nor any of the components besides runner configuration.
I will quote Ash here as I would not be able to put it better. Antoine, please take a look and see if it would also be enough for you (generally all 'unsecure' PRs would still run on GitHub infrastructure, only the 'blessed ones' would run on our self-hosted one):

This closes #494 at the runner level to give "just enough protection" to allow using self-hosted runners with public repos.

This PR could do with a bit of a tidy up (some strings should likely become constants/enums, and a few things should possibly be added as methods on the GitHubContext class) but I wanted to get a +1 on the approach first. (Also C# is not my "native" language so there may be some oddities in here.)

By default, the current behaviour is unchanged -- all jobs passed to the runner are executed. If the .runner config file has this block added to it:

    "pullRequestSecurity": {}

Then only PRs from "CONTRIBUTORS" (as defined by the field in https://docs.github.com/en/free-pro-team@latest/graphql/reference/objects#pullrequest -- nothing for us to have to work out ourselves) are executed.

It is also possible to explicitly list users that are allowed to run jobs on this worker:

    "pullRequestSecurity": { "allowedAuthors": ["ashb"] }

Or to only allow the given users, but not all contributors:

    "pullRequestSecurity": { "allowContributors": false, "allowedAuthors": ["ashb"] }

Owners of the repo are always allowed to run jobs.

On Sat, Jan 9, 2021 at 2:13 PM Antoine Pitrou <anto...@python.org> wrote:
>
> On 09/01/2021 at 12:01, Jarek Potiuk wrote:
> >
> > So if only we had 'approved', "secure" and easy way of running our own
> > self-hosted runners + a way from Github to distribute the free resources in
> > a fair way among the project. - the problem would be immediately solved.
> > This is really what I am asking for.
>
> This would be really good for Apache Arrow as well. We actually already
> asked the ASF for that, AFAIR (along the lines of "can we give money
> in exchange of larger CI resources on GHA or Travis-CI?") but never got
> a satisfying answer.
>
> Regards
>
> Antoine.

--
Jarek Potiuk
Polidea <https://www.polidea.com/> | Principal Software Engineer
M: +48 660 796 129
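The rule Ash's quoted description lays out (no block means every job runs; repo owners always run; explicitly listed authors always run; contributors run unless allowContributors is false) as a small Python model added here for illustration, not Ash's C# PR and not part of this thread. It assumes GitHub's authorAssociation field on the PullRequest object is what identifies owners (OWNER) and contributors (CONTRIBUTOR); the config strings and PR authors are constructed sample input.

```python
import json
from typing import Any, Dict, Optional

# Constructed .runner config fragments mirroring the forms quoted in the thread.
CONFIG_DEFAULT = "{}"
CONFIG_CONTRIBUTORS = '{"pullRequestSecurity": {}}'
CONFIG_LISTED = '{"pullRequestSecurity": {"allowedAuthors": ["ashb"]}}'
CONFIG_LISTED_ONLY = ('{"pullRequestSecurity": '
                      '{"allowContributors": false, "allowedAuthors": ["ashb"]}}')


def load_runner_config(text: str) -> Dict[str, Any]:
    """Parse the JSON .runner config; an empty file means no policy at all."""
    return json.loads(text) if text.strip() else {}


def job_allowed(config: Dict[str, Any], author: str, association: str) -> bool:
    """Decide whether a pull_request job may run on this self-hosted runner.

    `association` is GitHub's authorAssociation for the PR (OWNER, MEMBER,
    COLLABORATOR, CONTRIBUTOR, FIRST_TIME_CONTRIBUTOR, FIRST_TIMER, NONE).
    Mapping "owner of the repo" to OWNER is an assumption of this example;
    the thread says nothing about MEMBER/COLLABORATOR, so they are not
    treated as contributors here.
    """
    policy: Optional[Dict[str, Any]] = config.get("pullRequestSecurity")
    if policy is None:
        return True   # no block present: current behaviour, every job runs
    if association == "OWNER":
        return True   # owners of the repo are always allowed
    if author in policy.get("allowedAuthors", []):
        return True   # explicitly listed users
    if policy.get("allowContributors", True) and association == "CONTRIBUTOR":
        return True   # contributors, unless allowContributors is switched off
    return False      # anyone else: this runner refuses the job


def decide(config_text: str, author: str, association: str) -> bool:
    """Convenience wrapper: parse the config text, then apply the policy."""
    return job_allowed(load_runner_config(config_text), author, association)


if __name__ == "__main__":
    # Constructed PRs: a first-time outsider, a known contributor, a listed
    # user and a repo owner, evaluated against each config form.
    prs = [("newcomer", "FIRST_TIME_CONTRIBUTOR"), ("regular", "CONTRIBUTOR"),
           ("ashb", "NONE"), ("owner", "OWNER")]
    for name, cfg in [("default", CONFIG_DEFAULT), ("contributors", CONFIG_CONTRIBUTORS),
                      ("listed", CONFIG_LISTED), ("listed-only", CONFIG_LISTED_ONLY)]:
        print(f"{name:13s}", {a: decide(cfg, a, assoc) for a, assoc in prs})
```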