
Replace external actions in CI

Open simonsan opened this issue 4 years ago • 5 comments

As preparation for a possible inclusion into rust-lang we should replace the external actions we use with e.g. scripts that do the same.

https://github.com/rust-lang/std-dev-guide/pull/7#issuecomment-770317395

That PR also shows how that could be done: https://github.com/rust-lang/std-dev-guide/pull/7/files

simonsan avatar Mar 01 '21 18:03 simonsan

I think I would do it only immediately before moving the book under rust-lang. Implementing all the actions by ourselves means that we have to maintain them in the meantime. For now we can save that effort.

Furthermore, I am not sure that all the repositories under rust-lang are not using external actions. This is just an example. We need to ask clarifications about this.

So for the moment I would close this issue.

marcoieni avatar Mar 02 '21 21:03 marcoieni

I think it's actually important to not close this. Also, in the PR I did, I showed how to do it without external actions. We don't need to reimplement actions ourselves. A bit of copy & pasting from the PR and a bit of our own work and this should be fine.

simonsan avatar Mar 02 '21 22:03 simonsan

Yeah, the problem with copy pasting is that you have to maintain it. From a security point of view, what's the difference with fixing the version of the GitHub action with the release version or the commit hash, for example?

marcoieni avatar Mar 03 '21 20:03 marcoieni

From a security point of view, what's the difference with fixing the version of the GitHub action with the release version or the commit hash, for example?

I don't understand that question, could you rephrase it please? I mean a GitHub action has access to environment variables; if this will make it into rust-lang they sure want to keep track of which actions have access to these and that there are no malicious ones under it. To check/code review each of those actions is also a bit much, no?

simonsan avatar Mar 03 '21 21:03 simonsan

I don't understand that question, could you rephrase it please?

Isn't copy pasting source code the same as using a specific commit?

marcoieni avatar Oct 17 '21 12:10 marcoieni

I think with installing mdbook and other dependencies from scratch via Cargo, the only external GH actions we pull in are either from GH themselves, dprint or the markdown-link-check. With that being said, I think we can close this issue, as we have already toned it down quite well.

simonsan avatar Apr 08 '23 00:04 simonsan
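As an added example (not code from the std-dev-guide repository or from either commenter), the question of pinning to a commit hash and the final inventory of remaining external actions can both be checked mechanically: this Python snippet reads a workflow file, lists every `uses:` reference, and reports whether it is pinned to a full commit SHA, floats on a tag or branch, or is a local action, and whether the owner is GitHub itself. The workflow text, the repository paths and the 40-hex SHA are constructed placeholders, and `TRUSTED_OWNERS` is an assumption, not a GitHub-defined list.

```python
import re
from typing import Dict, List

# Constructed sample workflow (placeholder, not the project's real CI file).
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: dprint/check@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: "example-org/markdown-link-check@master"
      - uses: ./.github/actions/local-helper
      - run: cargo install mdbook
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d")          # heuristic: "v3", "1.2.0" look like release tags
TRUSTED_OWNERS = {"actions", "github"}  # assumption: actions published by GitHub itself


def classify_uses(workflow_text: str) -> List[Dict[str, str]]:
    """Return one record per `uses:` line: the reference, its owner and how it is pinned."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./"):
            findings.append({"uses": ref, "owner": "local", "pin": "local"})
            continue
        repo, _, version = ref.partition("@")
        owner = repo.split("/")[0]
        if SHA_RE.match(version):
            pin = "sha"          # immutable: the reviewed code cannot be swapped later
        elif version == "":
            pin = "none"         # defaults to the repository's default branch
        elif TAG_RE.match(version):
            pin = "tag"          # mutable: a tag can be moved to different code
        else:
            pin = "branch"       # mutable: follows whatever the branch points at
        findings.append({"uses": ref, "owner": owner, "pin": pin})
    return findings


def needs_review(findings: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """External references not pinned to a commit SHA and not published by a trusted owner."""
    return [f for f in findings
            if f["pin"] not in ("sha", "local") and f["owner"] not in TRUSTED_OWNERS]
```

Running `needs_review(classify_uses(open(".github/workflows/ci.yml").read()))` on a real workflow gives the list of third-party actions whose code can still change underneath a review.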