
Remove third-party actions (where possible) #17378

Closed
MikeMcQuaid opened this issue May 28, 2024 · 9 comments
Labels
features New features help wanted We want help addressing this

Comments

@MikeMcQuaid
Member


Provide a detailed description of the proposed feature

We should avoid third-party, unofficial GitHub Actions where possible, particularly those that do simple things like gh can do in a one-liner (e.g. opening a pull request)

What is the motivation for the feature?

Improving the security profile of Homebrew

How will the feature be relevant to at least 90% of Homebrew users?

It won't be.

What alternatives to the feature have been considered?

  • Doing nothing
  • Creating more of our own actions
  • Doing a security audit of our actions

CC @Homebrew/security folks for thoughts here too.
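As an added illustration of the "gh can do it in a one-liner" point (this is example code written for this page, not a Homebrew workflow or anything from the issue), the workflow below opens a pull request with the `gh` CLI that is preinstalled on GitHub-hosted runners, using the workflow's own `GITHUB_TOKEN` and a least-privilege `permissions` block, instead of pulling in a third-party "create pull request" action. The workflow name, schedule, branch naming and commit step are constructed for the example; `<pinned-sha>` is a placeholder for the commit SHA you would pin the first-party checkout action to.

```yaml
# Added example: replacing a third-party "open a PR" action with one gh call.
# Not a Homebrew workflow; names, schedule and branch naming are constructed.
name: update-something

on:
  schedule:
    - cron: "0 6 * * 1"   # constructed: weekly on Monday

# Least privilege: only what `git push` and `gh pr create` need.
permissions:
  contents: write
  pull-requests: write

jobs:
  open-pr:
    runs-on: ubuntu-latest
    steps:
      # First-party action, pinned to a full commit SHA (placeholder here).
      - uses: actions/checkout@<pinned-sha>

      - name: Make and commit the change
        id: changes
        run: |
          set -euo pipefail
          branch="automated/update-$(date -u +%Y%m%d)"
          git switch -c "$branch"
          # ... apply the actual change to the checkout here ...
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git commit -am "Automated update"
          git push --set-upstream origin "$branch"
          echo "branch=$branch" >> "$GITHUB_OUTPUT"

      # Before: a step such as `uses: peter-evans/create-pull-request@<tag>`
      # brought a third-party action (and its dependencies) into the trust
      # boundary just to open a PR. After: one gh invocation with the
      # workflow's own token. The branch name is passed through `env` rather
      # than interpolated into the script, so it is never parsed as shell.
      - name: Open the pull request
        env:
          GH_TOKEN: ${{ github.token }}
          BRANCH: ${{ steps.changes.outputs.branch }}
        run: |
          gh pr create \
            --base main \
            --head "$BRANCH" \
            --title "Automated update" \
            --body "Opened by the update-something workflow."
```

Two practical notes: `gh` reads `GH_TOKEN` from the environment, so no separate login step is needed; and a pull request opened with `GITHUB_TOKEN` does not itself trigger other `pull_request` workflows, which is the usual reason people reached for a third-party action with a personal access token in the first place. If those downstream runs are needed, a GitHub App installation token scoped to the repository is the least-privilege alternative.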

@MikeMcQuaid MikeMcQuaid added help wanted We want help addressing this features New features labels May 28, 2024
@woodruffw
Member

Strong +1 from me! Removing external dependencies in favor of gh invocations will improve our CI/CD's security profile (and will decrease the number of hops needed when a workflow regresses or breaks).

@Bo98
Member

Bo98 commented May 28, 2024

Octokit.js is better for testing over gh, but I'm ok with gh to unblock anything.

What actions do you have in mind? We could make a ruby/setup-ruby that uses Portable Ruby. Anything else?

@MikeMcQuaid
Member Author

What actions do you have in mind?

Mainly the ones that are simple and/or are attached to a single user rather than a reputable organisation, e.g. github/actions/ruby/etc.

Looking at the list of approved ones, the ones that probably should be investigated for replacing are:

  • dessant/lock-threads@*
  • peter-evans/*
  • reitermarkus/*

and removing:

  • Vampire/setup-wsl@*

@Bo98
Member

Bo98 commented May 29, 2024

Octokit.js is better for testing over gh

Ah misread this for writing new actions. In that case yeah if we're just replacing workflow steps then for most of the above gh makes sense!

@issyl0
Member

issyl0 commented Jun 1, 2024

removing: Vampire/setup-wsl@*

This is used in Homebrew/install for testing the install on a Windows runner. Do we not need that anymore? Or can we hack something together ourselves?

@Bo98
Member

Bo98 commented Jun 1, 2024

We might be able to do something that uses WSL2 (GitHub runners use WSL1 by default, which we technically have dropped support for) now that nested virtualisation is supported on Windows runners.

@MikeMcQuaid
Member Author

Do we not need that anymore? Or can we hack something together ourselves.

Not enough to warrant the security implications.

Either hack it ourselves or, more likely, just not bother testing WSL.

@Bo98
Member

Bo98 commented Jun 3, 2024

I've handled WSL given I've had plenty of experience using it and running the various commands: Homebrew/install#859

@MikeMcQuaid
Member Author

I'd say this is pretty much done now, thanks all.
