ajfabbri commented on PR #8412:
URL: https://github.com/apache/hadoop/pull/8412#issuecomment-4247803369
So for building the container image, this is just a convenience to get a
stable toolchain for doing the maven build. I feel like this should be a
trusted action, that we don't run on fork PRs. I feel like it would be nice to
create a clear separation of trusted / untrusted workflows. What do you think
about this:
# Untrusted Workflow "PR CI"
```
on:
pull_request:
branches: ["**"]
```
with
```
permissions:
contents: read
packages: read
pull-requests: read
```
# Trusted Workflow "Trusted CI"
```
on:
push:
branches:
- main
- branch-*
```
with
```
permissions:
contents: write
packages: write
pull-requests: write
```
Then we can only do the builder-image build and push in the trusted case.
Later we could add logic which only rebuilds the image when needed (i.e.
Dockerfile change, etc.)
The untrusted workflow would only read pre-published hadoop-build images.
For PR updating, I wonder if we want to trigger on completion of the
untrusted workflow, e.g.:
```
on:
workflow_run:
workflows: ["PR CI"]
types: [completed]
...
permissions:
pull-requests: write
```
Then
BTW: I'm in Pacific timezone if you want to try to chat. You can message me
on ASF slack https://the-asf.slack.com/archives/CDSDT7A0H or send me a calendar
invite for a call.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]