Since you referred Ash's link you probably have not read this: However this is not something to tackle lightly, as Infra *will not manage or secure your VM* - that is up to you.
On Wed, Apr 6, 2022 at 7:21 PM Chesnay Schepler <ches...@apache.org> wrote: > This article also lists self-hosted runners as an option: > > https://cwiki.apache.org/confluence/display/INFRA/GitHub+self-hosted+runners > > On 06/04/2022 11:56, Chesnay Schepler wrote: > > > Did you find some documentation somewhere that we might have said > > otherwise? > > > > We knew that Airflow is using them and thus thought it would be fine. > > We also had a chat with the Airflow folks and IIRC it also wasn't > > mentioned. > > > > There were several tickets where other projects requested token where > > no limitation was mentioned: > > * Arrow; token was provided: > > https://issues.apache.org/jira/browse/INFRA-19875 > > * Beam: https://issues.apache.org/jira/browse/INFRA-22840 > > * Zeppelin: https://issues.apache.org/jira/browse/INFRA-22674 > > And in fact our own latest request for 2 tokens was also granted in > > https://issues.apache.org/jira/browse/INFRA-23086. The alarm bells > > only went off when we requested more tokens. > > > > Then we have https://infra.apache.org/self-hosted-runners.html which > > states /"//Apache permits projects to use self-hosted runners [but > > does not recommend them]./ > > / > > / > > At last, we have > > https://cwiki.apache.org/confluence/display/BUILDS/GitHub+Actions+status > > (admittedly not an official INFRA resource, but it is linked in some > > INFRA tickets / discussions), which again lists self-hosted runners as > > an option (while listing /caveats/)./ > > / > > / > > / > > TL;DR://There was plenty of information from which one would conclude > > that self-hosted runners are allowed, and no information to the contrary. > > // > > > > > > On 06/04/2022 11:43, Gavin McDonald wrote: > >> Hi. > >> > >> On Wed, Apr 6, 2022 at 11:31 AM Chesnay Schepler<ches...@apache.org> > >> wrote: > >> > >>> Hello, > >>> > >>> Inhttps://issues.apache.org/jira/browse/INFRA-23086 it was mentioned > >>> that a security audit of self-hosted runners for github actions is > >>> being > >>> conducted at the moment, and that until this is complete no significant > >>> number of self-hosted runners can be set up. > >>> This came as a bit of a surprise to us (the Flink project); we > >>> wanted to > >>> complete our migration to github actions within the next 2-3 weeks, > >>> which is now effectively blocked. > >>> > >> I wanted to ask about this part, why was it a surprise? > >> > >> Self Hosted Github Runners > >> has never been approved for general projects use at the moment. Did you > >> find > >> some documentation somewhere that we might have said otherwise? > >> > >> We are still evaluating a safe and secure way in which we can deploy > >> self > >> hosted runners > >> at the ASF. Currently Airflow are the only approved project, and we are > >> working with Beam > >> to ensure the same level of security if not better. the result of this > >> experiment will determine > >> when we can open up self hosted runners for all projects. > >> > >> 2 to 3 weeks MIGHT be do-able but I'll let you know, still working with > >> Beam currently. > >> > >> > >>> I wanted to ask whether there is some form of ETA on when this audit is > >>> complete. > >>> > >>> Regards, > >>> Chesnay > >>> > >>> > >>> > >>> > > > >
