mik-laj commented on a change in pull request #31104:
URL: https://github.com/apache/spark/pull/31104#discussion_r554445165
##########
File path: .github/workflows/build_and_test.yml
##########
@@ -89,6 +89,14 @@ jobs:
# In order to fetch changed files
with:
fetch-depth: 0
+ - uses: actions/checkout@v2
+ name: checkout n1hility/cancel-previous-runs
+ with:
+ repository: n1hility/cancel-previous-runs
+ path: ./build/.actions/n1hility/cancel-previous-runs
+ ref: 953c92201f368370112ea2754545cb4468d89f12 # v2
+ fetch-depth: 1
+ - uses: ./build/.actions/n1hility/cancel-previous-runs
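Review bot: the cancel step is placed after the `fetch-depth: 0` full-history checkout above it, so duplicate runs are only cancelled once the most expensive step of the job has already completed; consider moving the two new steps to the top of the step list, or into a small separate job, so superseded runs are cancelled before the full fetch. Pinning `ref:` to the full commit SHA is the right choice for third-party code; keep the `# v2` comment accurate so a reviewer can confirm that the SHA really resolves to that tag, and note that `actions/checkout@v2` on the same hunk is still referenced by a mutable tag.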
Review comment:
This token is not needed. ;-) Each action gets a token by default in a
variable named "Token". The action/checkout works the same way. See:
https://github.com/actions/checkout/blob/c952173edf28a2bd22e1a4926590c1ac39630461/src/input-helper.ts#L109
##########
File path: .github/workflows/build_and_test.yml
##########
@@ -89,6 +89,14 @@ jobs:
# In order to fetch changed files
with:
fetch-depth: 0
+ - uses: actions/checkout@v2
+ name: checkout n1hility/cancel-previous-runs
+ with:
+ repository: n1hility/cancel-previous-runs
+ path: ./build/.actions/n1hility/cancel-previous-runs
+ ref: 953c92201f368370112ea2754545cb4468d89f12 # v2
+ fetch-depth: 1
+ - uses: ./build/.actions/n1hility/cancel-previous-runs
Review comment:
This token is not needed. ;-) Each action gets a token by default in a
input named "token". The action/checkout works the same way. See:
https://github.com/actions/checkout/blob/c952173edf28a2bd22e1a4926590c1ac39630461/src/input-helper.ts#L109
##########
File path: .github/workflows/build_and_test.yml
##########
@@ -89,6 +89,14 @@ jobs:
# In order to fetch changed files
with:
fetch-depth: 0
+ - uses: actions/checkout@v2
+ name: checkout n1hility/cancel-previous-runs
+ with:
+ repository: n1hility/cancel-previous-runs
+ path: ./build/.actions/n1hility/cancel-previous-runs
+ ref: 953c92201f368370112ea2754545cb4468d89f12 # v2
+ fetch-depth: 1
+ - uses: ./build/.actions/n1hility/cancel-previous-runs
Review comment:
This value is passed to all actions by default. See for another example:
https://github.com/JamesIves/github-pages-deploy-action/pull/530
##########
File path: .github/workflows/build_and_test.yml
##########
@@ -89,6 +89,14 @@ jobs:
# In order to fetch changed files
with:
fetch-depth: 0
+ - uses: actions/checkout@v2
+ name: checkout n1hility/cancel-previous-runs
+ with:
+ repository: n1hility/cancel-previous-runs
+ path: ./build/.actions/n1hility/cancel-previous-runs
+ ref: 953c92201f368370112ea2754545cb4468d89f12 # v2
+ fetch-depth: 1
+ - uses: ./build/.actions/n1hility/cancel-previous-runs
Review comment:
I agree. I checked carefully and it looks like this action must be run
as workflow_run.
> If you use forks, you should create a separate "Cancelling" workflow_run
triggered workflow. The workflow_run should be responsible for all canceling
actions. The examples below show the possible ways the action can be utilized.
https://github.com/potiuk/cancel-workflow-runs#usage
I am rewriting my PR now to use workflow_run. I will also ask @potiuk for a
review when I'm finished.
##########
File path: .github/workflows/build_and_test.yml
##########
@@ -89,6 +89,14 @@ jobs:
# In order to fetch changed files
with:
fetch-depth: 0
+ - uses: actions/checkout@v2
+ name: checkout n1hility/cancel-previous-runs
+ with:
+ repository: n1hility/cancel-previous-runs
+ path: ./build/.actions/n1hility/cancel-previous-runs
+ ref: 953c92201f368370112ea2754545cb4468d89f12 # v2
+ fetch-depth: 1
+ - uses: ./build/.actions/n1hility/cancel-previous-runs
Review comment:
I pushed new changes. I passed the token and used the workflow_run event.
##########
File path: .github/workflows/build_and_test_workflow_run.yml
##########
@@ -0,0 +1,25 @@
+name: Cancelling Duplicates
+on:
+ workflow_run:
+ workflows:
+ - 'Build and test'
+ types: ['requested']
+
+jobs:
+ cancel-duplicate-workflow-runs:
+ name: "Cancel duplicate workflow runs"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ name: checkout potiuk/cancel-workflow-runs
+ with:
+ repository: potiuk/cancel-workflow-runs
+ path: ./build/.actions/potiuk/cancel-workflow-runs
+ ref: 953e057dc81d3458935a18d1184c386b0f6b5738 # @master
+ fetch-depth: 1
+ - uses: ./build/.actions/potiuk/cancel-workflow-runs
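Review bot: a `workflow_run` workflow runs in the context of the base repository rather than the fork, so the code checked out into `./build/.actions/potiuk/cancel-workflow-runs` executes with the base repository's token; the full-SHA `ref:` is therefore essential, but the `# @master` comment records a moving branch rather than a release, so a future reader cannot tell which version this SHA represents. Replace it with the tag or date the SHA was taken from, and re-verify the SHA against the upstream repository whenever the pin is bumped.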
Review comment:
Apache's policy is to prohibit running code that is not reviewed, and
this can happen if you use tags rather than exact hash references.
##########
File path: .github/workflows/build_and_test_workflow_run.yml
##########
@@ -0,0 +1,25 @@
+name: Cancelling Duplicates
+on:
+ workflow_run:
+ workflows:
+ - 'Build and test'
+ types: ['requested']
+
+jobs:
+ cancel-duplicate-workflow-runs:
+ name: "Cancel duplicate workflow runs"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ name: checkout potiuk/cancel-workflow-runs
+ with:
+ repository: potiuk/cancel-workflow-runs
+ path: ./build/.actions/potiuk/cancel-workflow-runs
+ ref: 953e057dc81d3458935a18d1184c386b0f6b5738 # @master
+ fetch-depth: 1
+ - uses: ./build/.actions/potiuk/cancel-workflow-runs
Review comment:
Apache INFRA has no possibility of limiting the use of fluent
references (v2, master, etc.) and the rules for using actions are just being
established. The new policy was only introduced a week or two ago due to one
security incident, and now the INFRA team is watching how users use custom
actions and what actions they use. We may try to add these actions to the
whitelist, but there is little chance of that yet. For now, INFRA is a bit
heavy with discussions about other GitHub Action limitations. See:
https://lists.apache.org/thread.html/r5303eec41cc1dfc51c15dbe44770e37369330f9644ef09813f649120%40%3Cbuilds.apache.org%3E
This change is intended to help us fix/mitigate this issue.
In the case of Apache Airflow, we decided to fork this action to apache/
(See: https://github.com/apache/airflow-cancel-workflow-runs), but now we
are considering migrating to submodules (See:
https://github.com/apache/airflow/issues/13513).
##########
File path: .github/workflows/build_and_test_workflow_run.yml
##########
@@ -0,0 +1,25 @@
+name: Cancelling Duplicates
+on:
+ workflow_run:
+ workflows:
+ - 'Build and test'
+ types: ['requested']
+
+jobs:
+ cancel-duplicate-workflow-runs:
+ name: "Cancel duplicate workflow runs"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ name: checkout potiuk/cancel-workflow-runs
+ with:
+ repository: potiuk/cancel-workflow-runs
+ path: ./build/.actions/potiuk/cancel-workflow-runs
+ ref: 953e057dc81d3458935a18d1184c386b0f6b5738 # @master
+ fetch-depth: 1
+ - uses: ./build/.actions/potiuk/cancel-workflow-runs
Review comment:
I think you can merge these changes as a temporary workaround, see
how the Apache policy updates change, and try to contact INFRA about clarifying
these rules. Especially since it does not cause the security reasons that led
to the introduction of the new INFRA policy.
##########
File path: .github/workflows/build_and_test_workflow_run.yml
##########
@@ -0,0 +1,25 @@
+name: Cancelling Duplicates
+on:
+ workflow_run:
+ workflows:
+ - 'Build and test'
+ types: ['requested']
+
+jobs:
+ cancel-duplicate-workflow-runs:
+ name: "Cancel duplicate workflow runs"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ name: checkout potiuk/cancel-workflow-runs
+ with:
+ repository: potiuk/cancel-workflow-runs
+ path: ./build/.actions/potiuk/cancel-workflow-runs
+ ref: 953e057dc81d3458935a18d1184c386b0f6b5738 # @master
+ fetch-depth: 1
+ - uses: ./build/.actions/potiuk/cancel-workflow-runs
Review comment:
It looks like this action has been whitelisted.
https://issues.apache.org/jira/browse/INFRA-21287
##########
File path: .github/workflows/build_and_test_workflow_run.yml
##########
@@ -0,0 +1,25 @@
+name: Cancelling Duplicates
+on:
+ workflow_run:
+ workflows:
+ - 'Build and test'
+ types: ['requested']
+
+jobs:
+ cancel-duplicate-workflow-runs:
+ name: "Cancel duplicate workflow runs"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ name: checkout potiuk/cancel-workflow-runs
+ with:
+ repository: potiuk/cancel-workflow-runs
+ path: ./build/.actions/potiuk/cancel-workflow-runs
+ ref: 953e057dc81d3458935a18d1184c386b0f6b5738 # @master
+ fetch-depth: 1
+ - uses: ./build/.actions/potiuk/cancel-workflow-runs
Review comment:
It looks like this action has been whitelisted. I will update this PR.
https://issues.apache.org/jira/browse/INFRA-21287
##########
File path: .github/workflows/build_and_test_workflow_run.yml
##########
@@ -0,0 +1,18 @@
+name: Cancelling Duplicates
+on:
+ workflow_run:
+ workflows:
+ - 'Build and test'
+ types: ['requested']
+
+jobs:
+ cancel-duplicate-workflow-runs:
+ name: "Cancel duplicate workflow runs"
+ runs-on: ubuntu-latest
+ steps:
+ - uses:
potiuk/cancel-workflow-runs@953e057dc81d3458935a18d1184c386b0f6b5738
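Review bot: switching to the `potiuk/cancel-workflow-runs@<sha>` form removes the separate checkout step, but the version comment the earlier revision carried (`# @master`) is gone, so the line no longer says what the 40-character SHA corresponds to; add a `# vX.Y`-style comment recording the tag the SHA was taken from and keep it in sync whenever the pin is bumped.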
Review comment:
@potiuk recommends using commit hashes for your actions. See:
https://github.com/apache/airflow/pull/13327/files
This way, even in case of an attack on his GitHub account, the Apache
infrastructure will be safe.
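The whole thread turns on one check: every third-party `uses:` reference in a workflow should be pinned to a full commit SHA, not to a tag or branch that the action owner (or someone who compromises their account) can move. The script below is an added example, not code from the Spark PR or from any of the projects mentioned; it scans a workflow file for `uses:` steps and classifies each reference as a full SHA, an abbreviated SHA, or a mutable ref, and flags SHA pins that lack the `# tag` comment reviewers rely on to verify the pin. The sample workflow text is constructed for this example (the `example/...` action names are placeholders); only the `potiuk/cancel-workflow-runs` SHA is taken from the PR diff above.

```python
import re
from typing import Dict, List

# Matches a step of the form `uses: owner/repo[/path]@ref`, optionally followed by
# a trailing "# comment" (conventionally used to record the tag a SHA pins).
# Local actions (`uses: ./path`) and docker:// references contain no "@" and are
# skipped on purpose: they are not fetched from a third-party repository.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
# A full 40-hex-digit commit SHA is the only immutable reference form.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


def classify_ref(ref: str) -> str:
    """Return 'sha', 'short-sha' or 'mutable' for a `uses:` reference."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if SHORT_SHA_RE.match(ref):
        # Abbreviated SHAs are ambiguous and can be shadowed by a crafted commit.
        return "short-sha"
    # Anything else is a tag or branch name that the action owner can move.
    return "mutable"


def audit_workflow(text: str) -> List[Dict[str, str]]:
    """Scan workflow YAML text and return one finding per remote `uses:` step."""
    findings: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        kind = classify_ref(ref)
        if kind == "sha":
            note = ("pinned" if comment
                    else "pinned, but add a '# <tag>' comment so reviewers can verify the SHA")
        elif kind == "short-sha":
            note = "abbreviated SHA is not a safe pin; use the full 40-character commit SHA"
        else:
            note = f"mutable ref '{ref}' can be moved by the action owner; pin to a full commit SHA"
        findings.append({"line": str(lineno), "action": action, "ref": ref,
                         "kind": kind, "note": note})
    return findings


def unpinned(findings: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Findings that a policy like Apache's (full-hash pins only) would reject."""
    return [f for f in findings if f["kind"] != "sha"]


# Constructed sample workflow; `example/...` actions are placeholders, the
# potiuk/cancel-workflow-runs SHA is the one pinned in the PR under review.
SAMPLE_WORKFLOW = """\
name: Build and test
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: potiuk/cancel-workflow-runs@953e057dc81d3458935a18d1184c386b0f6b5738 # @master
      - uses: ./build/.actions/potiuk/cancel-workflow-runs
      - uses: example/some-action@deadbeef
      - uses: example/other-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} [{f['kind']}] {f['note']}")
```

Running it on a real repository is a matter of feeding each file under `.github/workflows/` to `audit_workflow` and failing the check when `unpinned` returns anything. The regex is deliberately line-oriented rather than a YAML parse so it can run as a pre-commit hook without dependencies; a `uses:` value split across lines by a YAML folded scalar would be missed, which is why the check belongs next to, not instead of, human review of the diff.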
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]