Let's try it: https://github.com/VirtusLab/scala-steward-repos/pull/608

On Mon, Jan 12, 2026 at 11:22 AM PJ Fanning <[email protected]> wrote:

> I'm happy to have us try out using the VirtusLab ScalaSteward bot.
> We can just raise PRs to add repo names to:
> https://github.com/VirtusLab/scala-steward-repos/blob/main/repos-github.md
>
> On Mon, 12 Jan 2026 at 09:38, Arnout Engelen <[email protected]> wrote:
> >
> > Hi,
> >
> > The Pekko projects currently use a setup with a custom GitHub bot and the
> > Scala Steward GitHub Action. I'm leaning towards retiring this custom setup
> > in favour of adding our repos to
> > https://github.com/VirtusLab/scala-steward-repos/blob/main/repos-github.md
> >
> > I found https://issues.apache.org/jira/browse/INFRA-24961 that says "It can
> > be argued that (..) is this approach more secure" but I'm not sure I
> > understand in what way it would be more secure. An advantage of using our
> > own bot could be that it'd be easier for us to run tweaked versions of the
> > logic, but I don't see a strong use case for that.
> >
> > Security-wise, a 3rd party with no write permissions creating public pull
> > requests seems hard to beat. The scala-steward action now contains
> > 'compiled' javascript (
> > https://github.com/apache/infrastructure-actions/pull/444) which seems more
> > tricky. I've brought this up before on Slack and on GitHub comments, but
> > wanted to have it here as well before making the change.
> >
> >
> > Kind regards,
> >
> > --
> > Arnout Engelen
> > ASF Security Response
> > Apache Pekko PMC member, ASF Member
> > NixOS Committer
> > Independent Open Source consultant
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
>

-- 
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant
