I'm happy to have us try out using the VirtusLab ScalaSteward bot. We can just raise PRs to add repo names to: https://github.com/VirtusLab/scala-steward-repos/blob/main/repos-github.md
On Mon, 12 Jan 2026 at 09:38, Arnout Engelen <[email protected]> wrote:
>
> Hi,
>
> The Pekko projects currently use a setup with a custom GitHub bot and the
> Scala Steward GitHub Action. I'm leaning towards retiring this custom setup
> in favour of adding our repos to
> https://github.com/VirtusLab/scala-steward-repos/blob/main/repos-github.md
>
> I found https://issues.apache.org/jira/browse/INFRA-24961 that says "It can
> be argued that (..) is this approach more secure" but I'm not sure I
> understand in what way it would be more secure. An advantage of using our
> own bot could be that it'd be easier for us to run tweaked versions of the
> logic, but I don't see a strong use case for that.
>
> Security-wise, a 3rd party with no write permissions creating public pull
> requests seems hard to beat. The scala-steward action now contains
> 'compiled' javascript
> (https://github.com/apache/infrastructure-actions/pull/444) which seems more
> tricky. I've brought this up before on Slack and on GitHub comments, but
> wanted to have it here as well before making the change.
>
>
> Kind regards,
>
> --
> Arnout Engelen
> ASF Security Response
> Apache Pekko PMC member, ASF Member
> NixOS Committer
> Independent Open Source consultant