FYI -

I am not sure this is overly concerning, but wanted to ensure people had seen

---------- Forwarded message ---------
From: Daniel Gruno <humbed...@apache.org>
Date: Mon, Feb 13, 2023, 11:49 AM
Subject: [NOTICE] Upcoming global changes to default GitHub Actions behavior for outside collaborators
To: <annou...@infra.apache.org>


To Project PMCs:

GitHub for Apache projects is currently set to allow a non-committer
contributor to use GitHub Actions if a previous pull request by that
person has been approved.

This has raised some security concerns, and could cause issues with
overall use and availability of GitHub Actions.

The Infrastructure Team proposes to change the default to “always
require approval for external contributors”. We intend to make this
change on Sunday the 19th of March, 2023.

This change will apply to all GitHub repositories that do not already
have a specific GitHub Actions policy set.

Projects that have a strong desire to use the “only need approval first
time” option should communicate that, explaining their reasons, in a
Jira ticket for Infra. Please be as specific as you can in which
repositories you wish to have this option set for, should you choose to.

With regards,
Daniel, on behalf of the ASF Infrastructure Team.
