I agree this is completely untenable, at least for Airflow. I commented on the 
Jira ticket as well with more thoughts.


Cheers,
Niko

________________________________
From: Jarek Potiuk <[email protected]>
Sent: Monday, February 13, 2023 4:08:23 PM
To: [email protected]
Subject: RE: [EXTERNAL][NOTICE] Upcoming global changes to default GitHub 
Actions behavior for outside collaborators


It would be great to comment on the Jira ticket. I think there is some 
misunderstanding of the problem on the side of INFRA, and I think we need to 
convince them they have not assessed the consequences properly.

On Tue, 14 Feb 2023, 01:02 Pierre Jeambrun 
<[email protected]<mailto:[email protected]>> wrote:
Hello,

I share Jarek and Dennis' concerns.

It would be very hard to maintain enough responsiveness to not discourage 
external contributions while still trying to actually check the changes before 
approving a workflow.

We have hundreds of workflows a day (~150 - 200 in the last 24 hours; it would 
be interesting to have an average number here). Even without internal 
contributions that would still leave a substantial amount to check; divide 
that by the number of active committers and this is... terrifying.

I really hope that we can find another way to prevent GHA abuse.

Best Regards,
Pierre

On Mon, 13 Feb 2023 at 21:59, Jarek Potiuk 
<[email protected]<mailto:[email protected]>> wrote:
For others who might also share the same concerns, my ticket where I
explain what effects it will have on our project, and in a comment I
also respond to Greg's worries about stealing individual accounts.

https://issues.apache.org/jira/browse/INFRA-24200

Maybe for other projects it is not as important as it is for Airflow,
maybe the amount of traffic and outside contributors is not that bad -
and for those projects I think the policy might make sense.
But I strongly believe that for many projects that have a lot of
outside contributors it will have a similar effect as I believe it
will have for Airflow (and the goal of increased security will not be
achieved).

And I do not want to argue, Greg, nor shout at anyone (so just
anticipating, I would really appreciate not shouting at me for raising
a yellow flag).

I am not saying that it is all "wrong" and making a revolution. I just
think that you should reconsider the policy of disabling it for
everyone and then "justifying" why you need an exception rather than
just (how it was so far) choosing appropriate policy via .asf.yml.

I believe the reasons everyone will mention in their tickets will be
similar to ours and maybe, just maybe, simply leaving it up to a
project to control the policy (with default "require approval") is
much better than top-bottom forcing it and expecting some kind of
justification.

Quoting a person from my project:

"Yeah, that sounds like a really bad decision for our workflow. It
makes me wonder how other projects are handling their workflow if this
doesn't break them. I can only see this working for a small team who
are all/mostly committers and rarely get outside contributions."


J.


On Mon, Feb 13, 2023 at 9:26 PM Jarek Potiuk 
<[email protected]<mailto:[email protected]>> wrote:
>
> Surely. I will.
>
> On Mon, Feb 13, 2023 at 9:01 PM Greg Stein 
> <[email protected]<mailto:[email protected]>> wrote:
> >
> > 1. JohnDoe submits a PR, and somebody on the PMC flips the bit to allow GHA 
> > to run now and in the future.
> > 2. BlackHat steals JohnDoe's credentials
> > 3. BlackHat submits a PR to mine crypto. GHA starts running before any 
> > human can stop it.
> >
> > Explain how to correct that in your ticket.
> >
> > Cheers,
> > -g
> >
> >
> > On Mon, Feb 13, 2023 at 1:56 PM Jarek Potiuk 
> > <[email protected]<mailto:[email protected]>> wrote:
> >>
> >> I will raise a ticket and explain.
> >>
> >> But this would be a huge blow to the Airflow community and almost
> >> immediate burn-out of the active committers if it goes live for
> >> Airflow. And likely many other projects.
> >>
> >> I am very strongly convinced it should not be enforced.
> >>
> >> J.
> >>
> >> On Mon, Feb 13, 2023 at 8:51 PM Daniel Gruno 
> >> <[email protected]<mailto:[email protected]>> wrote:
> >> >
> >> > To Project PMCs:
> >> >
> >> > GitHub for Apache projects is currently set to allow a non-committer
> >> > contributor to use GitHub Actions if a previous pull request by that
> >> > person has been approved.
> >> >
> >> > This has raised some security concerns, and could cause issues with
> >> > overall use and availability of GitHub Actions.
> >> >
> >> > The Infrastructure Team proposes to change the default to “always
> >> > require approval for external contributors”. We intend to make this
> >> > change on Sunday the 19th of March, 2023.
> >> >
> >> > This change will apply to all GitHub repositories that do not already
> >> > have a specific GitHub Actions policy set.
> >> >
> >> > Projects that have a strong desire to use the “only need approval first
> >> > time” option should communicate that, explaining their reasons, in a
> >> > Jira ticket for Infra. Please be as specific as you can in which
> >> > repositories you wish to have this option set for, should you choose to.
> >> >
> >> > With regards,
> >> > Daniel, on behalf of the ASF Infrastructure Team.

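A way to put a number on the load Pierre describes above (runs from outside contributors that a "require approval every time" policy would gate, per day, divided by the active committers), as an added example that is not code from this thread, the ASF Infrastructure team or the Airflow project. It assumes the field names of GitHub's workflow-runs API response listed in the docstring (`event`, `created_at`, `actor.login`, `repository.full_name`, `head_repository.full_name`) and works on a constructed sample rather than real Airflow run data.

```python
"""Estimate the per-committer approval load of a 'require approval for
every outside-contributor run' policy from a GitHub workflow-run listing.

Assumption: the run objects have the shape of GitHub's
GET /repos/{owner}/{repo}/actions/runs response, of which only the fields
`event`, `created_at`, `actor.login`, `repository.full_name` and
`head_repository.full_name` are used. The sample below is constructed.
"""
from collections import Counter
from datetime import datetime


def _run(run_id, when, event, actor, head_repo, base_repo="apache/airflow"):
    """Build one trimmed workflow-run record for the constructed sample."""
    return {
        "id": run_id,
        "event": event,
        "created_at": when,
        "actor": {"login": actor},
        "repository": {"full_name": base_repo},
        "head_repository": {"full_name": head_repo},
    }


# Constructed sample: two days of runs on a repository with two committers.
SAMPLE_RUNS = [
    _run(1, "2023-02-13T08:00:00Z", "pull_request", "committer-a", "apache/airflow"),
    _run(2, "2023-02-13T09:30:00Z", "pull_request", "newcomer-1", "newcomer-1/airflow"),
    _run(3, "2023-02-13T17:45:00Z", "pull_request", "newcomer-2", "newcomer-2/airflow"),
    _run(4, "2023-02-13T20:10:00Z", "push", "committer-b", "apache/airflow"),
    _run(5, "2023-02-14T01:15:00Z", "pull_request", "committer-b", "committer-b/airflow"),
    _run(6, "2023-02-14T10:00:00Z", "pull_request", "newcomer-1", "newcomer-1/airflow"),
    _run(7, "2023-02-14T11:20:00Z", "pull_request", "drive-by-3", "drive-by-3/airflow"),
]

COMMITTERS = {"committer-a", "committer-b"}


def is_outside_fork_run(run, committers):
    """True for a pull_request run whose head branch lives in a fork and
    whose actor is not a committer: exactly the runs the proposed
    'always require approval' default would hold for a human click."""
    if run.get("event") != "pull_request":
        return False
    head = (run.get("head_repository") or {}).get("full_name")
    base = (run.get("repository") or {}).get("full_name")
    if head is None or head == base:
        return False  # same-repo branch, nothing to approve
    return run["actor"]["login"] not in committers


def runs_needing_approval(runs, committers):
    """All runs in the listing that the policy would gate."""
    return [r for r in runs if is_outside_fork_run(r, committers)]


def approvals_per_day(runs, committers):
    """Gated runs bucketed by UTC calendar day (ISO date string)."""
    counts = Counter()
    for r in runs_needing_approval(runs, committers):
        created = datetime.fromisoformat(r["created_at"].replace("Z", "+00:00"))
        counts[created.date().isoformat()] += 1
    return counts


def per_committer_load(runs, committers):
    """Average gated runs per day, spread over the committers who would
    have to review and approve them. 0.0 when nothing is gated."""
    counts = approvals_per_day(runs, committers)
    if not counts or not committers:
        return 0.0
    average_per_day = sum(counts.values()) / len(counts)
    return average_per_day / len(committers)


if __name__ == "__main__":
    for day, n in sorted(approvals_per_day(SAMPLE_RUNS, COMMITTERS).items()):
        print(f"{day}: {n} runs awaiting approval")
    print(f"per committer per day: {per_committer_load(SAMPLE_RUNS, COMMITTERS):.2f}")
```

Against a real listing (paginated output of the workflow-runs endpoint and the project's committer list) the same functions give the average Pierre asks for; the committer-authored fork run in the sample (run 5) is deliberately not counted, since the proposed change only gates external contributors.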