Hi,

The Pekko projects currently use a setup with a custom GitHub bot and the Scala Steward GitHub Action. I'm leaning towards retiring this custom setup in favour of adding our repos to https://github.com/VirtusLab/scala-steward-repos/blob/main/repos-github.md

I found https://issues.apache.org/jira/browse/INFRA-24961 that says "It can be argued that (..) is this approach more secure", but I'm not sure I understand in what way it would be more secure. An advantage of using our own bot could be that it'd be easier for us to run tweaked versions of the logic, but I don't see a strong use case for that. Security-wise, a 3rd party with no write permissions creating public pull requests seems hard to beat. The scala-steward action now contains 'compiled' JavaScript (https://github.com/apache/infrastructure-actions/pull/444), which seems more tricky.

I've brought this up before on Slack and in GitHub comments, but wanted to have it here as well before making the change.

Kind regards,

--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant
