I have very much read that.
On 06/04/2022 19:22, Jarek Potiuk wrote:
Since you referred Ash's link you probably have not read this:
However this is not something to tackle lightly, as Infra *will not manage
or secure your VM* - that is up to you.
On Wed, Apr 6, 2022 at 7:21 PM Chesnay Schepler <ches...@apache.org> wrote:
This article also lists self-hosted runners as an option:
https://cwiki.apache.org/confluence/display/INFRA/GitHub+self-hosted+runners
On 06/04/2022 11:56, Chesnay Schepler wrote:
Did you find some documentation somewhere that we might have said
otherwise?
We knew that Airflow is using them and thus thought it would be fine.
We also had a chat with the Airflow folks and IIRC it also wasn't
mentioned.
There were several tickets where other projects requested token where
no limitation was mentioned:
* Arrow; token was provided:
https://issues.apache.org/jira/browse/INFRA-19875
* Beam: https://issues.apache.org/jira/browse/INFRA-22840
* Zeppelin: https://issues.apache.org/jira/browse/INFRA-22674
And in fact our own latest request for 2 tokens was also granted in
https://issues.apache.org/jira/browse/INFRA-23086. The alarm bells
only went off when we requested more tokens.
Then we have https://infra.apache.org/self-hosted-runners.html which
states /"//Apache permits projects to use self-hosted runners [but
does not recommend them]./
/
/
At last, we have
https://cwiki.apache.org/confluence/display/BUILDS/GitHub+Actions+status
(admittedly not an official INFRA resource, but it is linked in some
INFRA tickets / discussions), which again lists self-hosted runners as
an option (while listing /caveats/)./
/
/
/
TL;DR://There was plenty of information from which one would conclude
that self-hosted runners are allowed, and no information to the contrary.
//
On 06/04/2022 11:43, Gavin McDonald wrote:
Hi.
On Wed, Apr 6, 2022 at 11:31 AM Chesnay Schepler<ches...@apache.org>
wrote:
Hello,
Inhttps://issues.apache.org/jira/browse/INFRA-23086 it was mentioned
that a security audit of self-hosted runners for github actions is
being
conducted at the moment, and that until this is complete no significant
number of self-hosted runners can be set up.
This came as a bit of a surprise to us (the Flink project); we
wanted to
complete our migration to github actions within the next 2-3 weeks,
which is now effectively blocked.
I wanted to ask about this part, why was it a surprise?
Self Hosted Github Runners
has never been approved for general projects use at the moment. Did you
find
some documentation somewhere that we might have said otherwise?
We are still evaluating a safe and secure way in which we can deploy
self
hosted runners
at the ASF. Currently Airflow are the only approved project, and we are
working with Beam
to ensure the same level of security if not better. the result of this
experiment will determine
when we can open up self hosted runners for all projects.
2 to 3 weeks MIGHT be do-able but I'll let you know, still working with
Beam currently.
I wanted to ask whether there is some form of ETA on when this audit is
complete.
Regards,
Chesnay
