
CI: Cleanup actions that Apache org not approved

Open Xuanwo opened this issue 2 years ago • 4 comments

https://infra.apache.org/github-actions-secrets.html

We only allow Actions that are official "Made by GitHub" or local to the Apache org on GitHub, to address a potential security vulnerability. This is an incident-related policy change. We are researching the situation, and the policy may evolve based on what we learn.

https://infra.apache.org/github-actions-policy.html

You MAY use all actions internal to the apache/, github/ and actions/* namespaces without restrictions. You MUST pin all external actions to the specific git hash (SHA1) of the action that has been reviewed for use by the project. For instance, you MUST pin foobar/baz-action@8843d7f92416211de9ebb963ff4ce28125932878.

Xuanwo avatar Mar 02 '23 16:03 Xuanwo
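A small audit script for the pinning rule quoted above, added here as an example (it is not code from this thread or from the OpenDAL project). It scans `uses:` lines in a workflow, allows the `actions/`, `github/` and `apache/` namespaces and local actions unpinned, and flags any other action that is not pinned to a full 40-character commit SHA. The workflow snippet is constructed for the example; it reuses action names from this thread and the placeholder SHA from the policy text.

```python
import re

# Namespaces the quoted ASF policy allows without pinning (assumption: owner name
# comparison is case-insensitive, as GitHub treats owner names).
TRUSTED_OWNERS = {"actions", "github", "apache"}
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `- uses: owner/repo@ref`, with or without quotes, ignoring trailing comments.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")


def check_uses(ref):
    """Return (ok, reason) for one `uses:` value according to the pinning rule."""
    if ref.startswith("./"):
        return True, "local action in this repository"
    if "@" not in ref:
        return False, "no version reference at all; needs manual review"
    path, _, version = ref.rpartition("@")
    owner = path.split("/")[0].lower()
    if owner in TRUSTED_OWNERS:
        return True, f"{owner}/* namespace may be used without pinning"
    if SHA1_RE.fullmatch(version):
        return True, "external action pinned to a full commit SHA1"
    return False, f"external action {path} uses mutable ref {version!r}; pin to a reviewed SHA1"


def audit_workflow(text):
    """Return [(line_no, uses_value, reason)] for every violation in a workflow file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ok, reason = check_uses(m.group(1))
        if not ok:
            findings.append((line_no, m.group(1), reason))
    return findings


# Constructed sample workflow (not a real OpenDAL workflow); the SHA is the policy's own placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v3
      - uses: Swatinem/rust-cache@v2
      - uses: taiki-e/install-action@8843d7f92416211de9ebb963ff4ce28125932878
      - uses: ./.github/actions/setup
      - name: license header check
        uses: "korandoru/hawkeye@v3"
"""

if __name__ == "__main__":
    for line_no, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {reason}")
```

Running it on the sample reports the two tag-pinned external actions (lines 5 and 9) and accepts the SHA-pinned one, the `actions/` action and the local action.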

cc @tisonkun, do we have a full list of reviewed github actions?

Xuanwo avatar Mar 02 '23 16:03 Xuanwo

All external (except github/*, actions/*, apache/*) GitHub Actions we use include:

  • benchmark-action/github-action-benchmark
  • PyO3/maturin-action
  • beyondstorage/setup-hdfs
  • Swatinem/rust-cache
  • korandoru/hawkeye
  • taiki-e/install-action
  • amondnet/vercel-action
  • ibnesayeed/setup-ipfs
  • baptiste0928/cargo-install

Xuanwo avatar Mar 03 '23 06:03 Xuanwo

A possible solution is to use git submodules to pin these GHAs into the local repo.

jackwener avatar Mar 09 '23 12:03 jackwener

Tracked at https://issues.apache.org/jira/projects/INFRA/issues/INFRA-24346?filter=allissues

Xuanwo avatar Mar 15 '23 16:03 Xuanwo

Thanks for the help from the ASF Infra, this issue is resolved now.

Xuanwo avatar Mar 18 '23 12:03 Xuanwo