potiuk commented on pull request #13674: URL: https://github.com/apache/beam/pull/13674#issuecomment-755421087
Just one more update! We found a better solution. Submodules. They seem to pass all the security requirements from infra, and they are very easy to add and maintain (and you avoid code duplication).

You can see the PR we run to have POC in Airflow: https://github.com/apache/airflow/pull/13514

And discussion at [email protected] https://lists.apache.org/thread.html/rcf7f560dad70ed02d77ad131a670e24eb815e41f92a442a3153da98b%40%3Cbuilds.apache.org%3E

Just to quote my words from the discussion:

This seems to work perfectly:

> 1) It always links to particular SHA commit not branch
> 2) No code duplication
> 3) GitHub Review nicely incorporates the change code from submodules
> whenever submodule is updated, so it fits naturally in the review workflow.
> 4) Seems that we can easily make it work with GitHub Actions (the
> submodule needs to be checked out in previous step of the job).
> 5) It's even easier to pull new versions.
> 6) It is equally easy to add any external action at any time
> 7) Passes all the INFRA requirements re: review + SHA - without any checks

We are going to migrate to it in Airflow today/tomorrow and we highly recommend this approach.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: [email protected]
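The pinning property from point 1 of the comment above, as an added example that is not part of the original message or of the Airflow or Beam repositories: a submodule is stored in the parent repository as a gitlink to one exact commit SHA, so later upstream commits do not change what the parent references. The repositories are constructed locally, and the action name and the `.github/actions/demo-action` path are assumptions.

```shell
#!/usr/bin/env bash
# Constructed, offline demo: the parent repo records a submodule as a gitlink
# (mode 160000) to one exact commit SHA, not to a branch.
set -eu

# git wrapper: fixed identity, and local-path clones allowed for the demo only.
g() { git -c user.name=demo -c user.email=demo@example.invalid \
          -c protocol.file.allow=always -c init.defaultBranch=main \
          -c commit.gpgsign=false "$@"; }

# Prints the SHA that repo $1 has pinned for the submodule at path $2.
pinned_sha() {
  git -C "$1" ls-tree HEAD "$2" | awk '$1=="160000" && $2=="commit" {print $3}'
}

demo() {
  work=$(mktemp -d)
  # Hypothetical external action repository (stand-in for a third-party action).
  g init -q "$work/action"
  echo 'name: demo-action' > "$work/action/action.yml"
  g -C "$work/action" add action.yml
  g -C "$work/action" commit -q -m 'v1'
  reviewed=$(git -C "$work/action" rev-parse HEAD)

  # Parent project adds the action as a submodule (path is an assumption).
  g init -q "$work/project"
  g -C "$work/project" submodule --quiet add "$work/action" .github/actions/demo-action
  g -C "$work/project" commit -q -m 'Add demo-action as submodule'

  # Upstream moves its branch after the review.
  echo '# changed upstream' >> "$work/action/action.yml"
  g -C "$work/action" commit -q -am 'v2'
  upstream=$(git -C "$work/action" rev-parse HEAD)

  pinned=$(pinned_sha "$work/project" .github/actions/demo-action)
  rm -rf "$work"
  echo "reviewed=$reviewed upstream=$upstream pinned=$pinned"
  # The parent still references the reviewed commit, not the new upstream head.
  [ "$pinned" = "$reviewed" ] && [ "$pinned" != "$upstream" ]
}

if demo; then echo "pin held at reviewed commit"; fi
```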
