GraphIO.jl
Switch to GitHub Actions CI
Switches from Travis to GitHub Actions CI and updates ParserCombinator.jl dependency ~~(requires andrewcooke/ParserCombinator.jl#33 to be merged and the new 2.1.0 version released)~~.
Hi. We don’t use TagBot on any JuliaGraphs projects since it requires write access to the repo.
> We don’t use TagBot on any JuliaGraphs projects since it requires write access to the repo.
Sure, I can remove it, but is it a problem to allow write access?
The tests are failing because andrewcooke/ParserCombinator.jl#33 is still not merged (it looks like the package development is hibernated). I'm not sure what to do about that.
> Sure, I can remove it, but is it a problem to allow write access?
From my perspective it's a huge problem. It means that if TagBot gets compromised, all repos that depend on TagBot are vulnerable to code manipulation. I don't want JuliaGraphs to be part of that exposure.
It's easy enough to tag manually. TagBot saves you two steps and introduces unknown risk.
> It means that if TagBot gets compromised, all repos that depend on TagBot are vulnerable to code manipulation.
Ah, actually TagBot app and TagBot GitHub action are the two different things. The former one is deprecated, the latter one doesn't require generating an access token that could be compromised and used for something else. And, to be super-safe, you can also clone JuliaRegistries/TagBot and configure the action to use your clone. Of course, everything could be done manually, but keeping the version in git tags and in Project.toml in sync + autogenerating changelog draft is a nice thing.
Both require you to trust code that is running from someone else's repository to not do anything with the write access you're giving it to your repository. That's a bit of a problem.
(and yes, we could set things up so we keep a clone and use that on our repos, but then someone has to be in charge of updating and auditing, and this is all to save a few steps when we release a new version.)
> but then someone has to be in charge of updating and auditing
Well, TagBot is in JuliaRegistries, so it's a part of Julia ecosystem. As long as no 3rd party got unauthorized access to TagBot repo, I'd rather trust the authors.
So it boils down to fast-forwarding the fork and updating the `@tag` (or SHA-1 `@commithash`, to be more secure -- then you probably don't need to fork) line when the TagBot authors announce it's necessary to upgrade.
Otherwise I wonder whether the new releases of Julia itself should be audited as well.
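The comments above contrast pinning a third-party action to a mutable tag with pinning it to a full commit SHA. The following is an added example (not code from this PR or from the GraphIO.jl project) of a small audit script that scans a workflow's `uses:` lines and reports references that resolve to a tag or branch rather than a 40-hex commit hash. The embedded workflow is a constructed sample, and the SHA in it is a placeholder, not a real TagBot commit.

```python
import re
from typing import Dict, List

# Constructed sample workflow for demonstration only (not GraphIO.jl's CI file).
# The 40-hex value below is a placeholder, not a real TagBot commit.
SAMPLE_WORKFLOW = """\
name: TagBot
on:
  issue_comment:
    types: [created]
jobs:
  TagBot:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: JuliaRegistries/TagBot@v1
      - uses: JuliaRegistries/TagBot@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.12
"""

# Matches "uses: <reference>" whether or not it starts a list item; stops at whitespace or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full SHA-1 commit id is exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses: str) -> str:
    """Classify a `uses:` reference.

    'local'   - action checked out with the repository (./path), nothing external to pin
    'docker'  - docker:// image reference, pinned by image digest rather than git ref
    'sha'     - external action pinned to an immutable 40-hex commit
    'mutable' - external action referenced by tag, branch, or no ref at all
    """
    if uses.startswith("./"):
        return "local"
    if uses.startswith("docker://"):
        return "docker"
    if "@" not in uses:
        return "mutable"  # no ref means the default branch, which can change at any time
    _, ref = uses.rsplit("@", 1)
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def find_unpinned(workflow_text: str) -> List[Dict[str, object]]:
    """Return one finding per `uses:` line whose reference can move after review."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        uses = match.group(1)
        if classify_ref(uses) == "mutable":
            findings.append({"line": lineno, "uses": uses})
    return findings


if __name__ == "__main__":
    for finding in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {finding['line']}: {finding['uses']} is not pinned to a commit SHA")
```

Pinning to a commit hash means the reviewed code is the code that runs, which is the point made in the thread; a tag such as `v1` can be moved by whoever controls the upstream repository. Running this over the sample flags `actions/checkout@v2` and `JuliaRegistries/TagBot@v1` and accepts the SHA-pinned line, the local action, and the Docker reference. A companion step in a real audit would be to verify that each pinned SHA actually corresponds to a released tag of the upstream project.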
> As long as no 3rd party got unauthorized access to TagBot repo, I'd rather trust the authors.
This isn't about not trusting the authors.
> Otherwise I wonder whether the new releases of Julia itself should be audited as well.
They are, at least in some environments.
Finally, ParserCombinator v2.1.0 is released, which unblocks merging this PR and releasing the new GraphIO version. I tried to initiate CI by opening and closing, but it seems that has to be enabled by the repository maintainers (cc @sbromberger).
I think we can close this