squeak-smalltalk
[ci] do not suspend scheduled bundle job after inactivity of repository
See: https://lists.squeakfoundation.org/archives/list/[email protected]/thread/O5VS7RFCCLTPKF7ACGMSNSNM6HMG62WA/
I like it! Can (and/or should) we vendor the dependency on the reactivation workflow step?
To vendor = fork the actions repository (liskin/gh-workflow-keepalive)? :-) Sure, we could. Not sure how much value that adds, though. We would be cut off from updates (fixes) to the action and after all, we depend on implementation details of the GitHub Actions infrastructure for this optional feature anyway. I'm more on the side of trunk-based development/EAFP/fix it when it breaks. :-)
Best, Christoph
Yes, fork it or include the essential portion of it directly in our CI script. CI actions are, generally speaking, not great from a security perspective, so it'd be nice to just do what we need minimally ourselves rather than pull in privileged code under control of someone else. That said, it's extra work, so I completely understand if it's not something to be done Right Now :-)
Does the "write" permission in this action means that it has also potential access to this repository's secrets can can thus extract the private certificates (*.enc files) without our knowledge?
Does the "write" permission in this action means that it has also potential access to this repository's secrets can can thus extract the private certificates (*.enc files) without our knowledge?
While specifying permissions generally reduces, not increases the abilities of actions, I think it means the action could theoretically commit a change to our CI workflow to read out the secrets if you want to construct an attack vector.
Okay, I have created a fork of the action so we can be absolutely safe. That is, if you trust me, otherwise we need to move the fork from my personal accoutn to the @squeak-smalltalk organization, for which I lack necessary rights. Otherwise, please merge. :-)