chore(actions): use gov repo for reused actions #7904
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
avivkeller
force-pushed
the
avivkeller/admin-972/gov-repo
branch
from
d0538ec to
d9bab77
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #7904 +/- ##
==========================================
+ Coverage 76.56% 76.60% +0.04%
==========================================
Files 115 115
Lines 9595 9595
Branches 322 321 -1
==========================================
+ Hits 7346 7350 +4
+ Misses 2248 2244 -4
Partials 1 1 ☔ View full report in Codecov by Sentry. |
avivkeller
force-pushed
the
avivkeller/admin-972/gov-repo
branch
from
d9bab77 to
cd4dcef
Compare
github-actions
bot
removed
the
github_actions:pull-request
|
Lighthouse Results
|
There was a problem hiding this comment.
Pull Request Overview
This PR centralizes GitHub Actions and governance docs by removing local copies and reusing workflows and actions from the nodejs/web-team repository.
- Added a link to the external Governance Document in README and removed the local GOVERNANCE.md
- Updated all workflows to use the shared
setup-environmentaction or reuse workflows fromnodejs/web-team - Cleaned up CODEOWNERS and removed the old governance-related workflows and scripts
Reviewed Changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| README.md | Added [Governance Document] link and reference |
| GOVERNANCE.md | Removed local governance file |
| .github/workflows/translations-sync.yml | Replaced setup steps with shared setup-environment action |
| .github/workflows/scorecard.yml | Replaced inline steps with reusable workflow invocation |
| .github/workflows/publish-packages.yml | Swapped setup steps for shared environment action |
| .github/workflows/playwright.yml | Swapped setup steps for shared environment action |
| .github/workflows/playwright-cloudflare-open-next.yml | Swapped setup steps for shared environment action |
| .github/workflows/notify-on-push.yml | Replaced Slack step with reusable notify-on-push action |
| .github/workflows/lint-and-tests.yml | Swapped setup steps for shared environment action |
| .github/workflows/find-inactive-collaborators.yml | Removed this workflow entirely |
| .github/workflows/dependency-review.yml | Replaced inline dependency review with reusable workflow |
| .github/workflows/codeql.yml | Replaced inline CodeQL setup with reusable workflow |
| .github/workflows/chromatic.yml | Swapped setup steps for shared environment action |
| .github/workflows/build.yml | Swapped setup steps for shared environment action |
| .github/scripts/report-inactive-collaborators.mjs | Removed reporting script |
| .github/CODEOWNERS | Removed GOVERNANCE.md ownership entry |
Comments suppressed due to low confidence (3)
.github/workflows/scorecard.yml:26
- When invoking a reusable workflow, you must include a ref (e.g.,
@main) to pin to a specific version:uses: nodejs/web-team/.github/workflows/scorecard.yml@main.
uses: nodejs/web-team/.github/workflows/scorecard.yml
.github/workflows/dependency-review.yml:18
- Add a ref to the reusable workflow usage (e.g.,
@main) so that the workflow invocation is versioned and stable:uses: nodejs/web-team/.github/workflows/dependency-review.yml@main.
uses: nodejs/web-team/.github/workflows/dependency-review.yml
.github/workflows/codeql.yml:17
- Include a specific ref on the reusable workflow invocation (e.g.,
@main) and verify that the target file supports reusable workflow inputs.
uses: nodejs/web-team/.github/workflows/codeql.yml
There was a problem hiding this comment.
we cannot assume another repo is safe. this is a huge vulnerability
- malicious upstream
- disgruntled contributor
- compromised developer machine
https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash
|
Typically, that's the case, but I feel like since we are scoping the permissions almost identically to the ones here, the risk of compromising that repository is identical to the risk of compromising this repository. If an attacker somehow gained permissions on that repo via a leaked access token, for example, they would already have access in this repository. |
points taken, but that doesn't necessarily make me feel much better. the indirection of this repo and setup in the name of simplification and reuse only serves to make our environment harder to understand, and IMO, less secure in the long run. but now i am dredging up past disagreements and should self-moderate. i will lift my block if the majority approves of this approach... @RafaelGSS - I invoked your blog post before - curious if you have any wisdom that could help us here |
|
I'll add the explicit commits. We can always change it the future. |
avivkeller
force-pushed
the
avivkeller/admin-972/gov-repo
branch
from
cd4dcef to
7164365
Compare
github-actions
bot
removed
the
github_actions:pull-request
|
|
Since the TSC hasn't approved this, adding to their agenda for visibility: We just need one approval for this to land, thanks! |
There was a problem hiding this comment.
I just read through the topic and I am not sure in what way things where changed since the beginning. If I am not mistaken, the current state is considered fine by the overall web team? I didn't look into the change closely, and I would handle it as @RafaelGSS.
If you do not have any concerns left, I am fine to approve for the CODEOWNERS file change.
@avivkeller when marking something for the TSC, please add a brief summary of what we should have a look at in particular.
|
@avivkeller have you added a summary for the TSC? Is this still relevant for TSC's agenda? |
|
It's really just for visibility. We just need them to approve this PR, that's all |
|
@ovflowd can you bypass the merge queue (and the TSC approval) |
github-actions
bot
removed
the
github_actions:pull-request
|
@avivkeller apologies, missed this comment. Can you rebase? |
avivkeller
force-pushed
the
avivkeller/admin-972/gov-repo
branch
from
5d5fb48 to
99747d4
Compare
github-actions
bot
removed
the
github_actions:pull-request
|
@avivkeller could you rebase again? 😭 feel free to merge right after. |
avivkeller
force-pushed
the
avivkeller/admin-972/gov-repo
branch
from
99747d4 to
49bcd00
Compare
github-actions
bot
removed
the
github_actions:pull-request
|
@avivkeller there are still conflicts 🥲 |
Signed-off-by: Aviv Keller <[email protected]>
🎉 We now have
nodejs/web-team, which'll contain our re-used actions.This should make our lives a bit easier, as we don't need to update a thousand workflows whenever something changes.