Hello, I share Jarek and Dennis' concerns.
It would be very hard to maintain enough responsiveness to not discourage external contributions while still trying to actually check the changes before approving a workflow. We have hundreds of workflows a day (~150 - 200 in the last 24 hours, it would be interesting to have an average number here). Even without internal contributions that would still leave a substantial amount to check; we divide that by the number of active committers and this is... terrifying. I really hope that we can find another way to prevent GHA abuse.

Best Regards,
Pierre

On Mon, Feb 13, 2023 at 21:59, Jarek Potiuk <ja...@potiuk.com> wrote:

> For others who might also share the same concerns, my ticket where I explain what effects it will have on our project, and in comment I also respond to Greg's worries about stealing individual accounts.
>
> https://issues.apache.org/jira/browse/INFRA-24200
>
> Maybe for other projects it is not as important as it is for Airflow, maybe the amount of traffic and outside contributors is not that bad - and for those projects I think the policy might make sense. But I strongly believe that for many projects that have a lot of outside contributors it will have a similar effect as I believe it will have for Airflow (and the goal of increased security will not be achieved).
>
> And I do not want to argue, Greg, nor shout at anyone (so just anticipating, I would really appreciate not shouting at me for raising a yellow flag).
>
> I am not saying that it is all "wrong" and making a revolution. I just think that you should reconsider the policy of disabling it for everyone and then "justifying" why you need an exception rather than just (how it was so far) choosing appropriate policy via .asf.yml.
>
> I believe the reasons everyone will mention in their tickets will be similar to ours and maybe, just maybe, simply leaving it up to a project to control the policy (with default "require approval") is much better than top-bottom forcing it and expecting some kind of justification.
>
> Quoting a person from my project:
>
> "Yeah, that sounds like a really bad decision for our workflow. It makes me wonder how other projects are handling their workflow if this doesn't break them. I can only see this working for a small team who are all/mostly committers and rarely get outside contributions."
>
> J.
>
> On Mon, Feb 13, 2023 at 9:26 PM Jarek Potiuk <ja...@potiuk.com> wrote:
>
> > Surely. I will.
> >
> > On Mon, Feb 13, 2023 at 9:01 PM Greg Stein <gst...@gmail.com> wrote:
> >
> > > 1. JohnDoe submits a PR, and somebody on the PMC flips the bit to allow GHA to run now and in the future.
> > > 2. BlackHat steals JohnDoe's credentials
> > > 3. BlackHat submits a PR to mine crypto. GHA starts running before any human can stop it.
> > >
> > > Explain how to correct that in your ticket.
> > >
> > > Cheers,
> > > -g
> > >
> > > On Mon, Feb 13, 2023 at 1:56 PM Jarek Potiuk <ja...@potiuk.com> wrote:
> > >
> > > > I will raise a ticket and explain.
> > > >
> > > > But this would be a huge blow to the Airflow community and almost immediate burn-out of the active committers if it goes live for Airflow. And likely many other projects.
> > > >
> > > > I am very strongly convinced it should not be enforced.
> > > >
> > > > J.
> > > >
> > > > On Mon, Feb 13, 2023 at 8:51 PM Daniel Gruno <humbed...@apache.org> wrote:
> > > >
> > > > > To Project PMCs:
> > > > >
> > > > > GitHub for Apache projects is currently set to allow a non-committer contributor to use GitHub Actions if a previous pull request by that person has been approved.
> > > > >
> > > > > This has raised some security concerns, and could cause issues with overall use and availability of GitHub Actions.
> > > > >
> > > > > The Infrastructure Team proposes to change the default to “always require approval for external contributors”. We intend to make this change on Sunday the 19th of March, 2023.
> > > > >
> > > > > This change will apply to all GitHub repositories that do not already have a specific GitHub Actions policy set.
> > > > >
> > > > > Projects that have a strong desire to use the “only need approval first time” option should communicate that, explaining their reasons, in a Jira ticket for Infra. Please be as specific as you can in which repositories you wish to have this option set for, should you choose to.
> > > > >
> > > > > With regards,
> > > > > Daniel, on behalf of the ASF Infrastructure Team.