Yeah, but it will be okay the next time they contribute.

何品
Arnout Engelen <[email protected]> wrote on Tue, 20 Jan 2026 at 21:05:
> Hello Pekko community,
>
> Currently, when an outside contributor provides a PR, a committer needs to
> verify the PR and click "Approve workflow run" after each change and for
> each new PR. I believe this makes the contributing experience worse, as it
> leads to longer turn-around times. I would like to propose we configure
> GitHub so "Approve workflow run" is only needed for a contributor's first
> PR.
>
> The reason "Approve workflow run" is required by default is to protect
> against malicious PRs. There are two types of malicious PRs: ones that
> merely steal processing power (by for example mining cryptocurrencies
> during the build), and ones that steal sensitive resources the GitHub
> Actions may have access to. I don't think we need to worry about the first
> type: GitHub is pretty good at detecting those, as they typically would not
> go through the trouble of first providing a legitimate PR. The second type
> we should be more wary of: it is definitely plausible that such an attacker
> would first provide a legitimate PR before launching their 'real' attack.
> Securing GitHub Actions can be notoriously difficult, for example per
> https://cwiki.apache.org/confluence/display/BUILDS/GitHub+Actions+Security
> .
>
> In the case of Pekko, however, while we do have some secrets exposed to
> GitHub Actions (for staging release candidates), we do not use the
> dangerous triggers (pull_request_target, issue_comment), and have a mature
> RC validation process in place.
>
> In our case I believe it is a reasonable trade-off to allow PR validation
> to run without manual approval to improve the contributing experience,
> despite the risk of insecure GitHub Actions workflows, which we have
> reasonably mitigated.
>
> A special case is that this would also make sure we don't need to manually
> confirm validations for PRs created by the public scala-steward instance,
> removing the need for our own scala-steward-asf bot. This should make
> things simpler and more secure, as the public scala-steward instance
> clearly doesn't have access to any of our secrets, which is harder to
> guarantee for the scala-steward-asf workflows (see also
> https://lists.apache.org/thread/8v1cpvd8y3bo04hy0hn84j5gshcmrfcg).
>
> If there is general (lazy) consensus on this proposal we can ask Infra to
> make this change in https://issues.apache.org/jira/browse/INFRA-27565
>
> Kind regards,
>
> --
> Arnout Engelen
> ASF Security Response
> Apache Pekko PMC member, ASF Member
> NixOS Committer
> Independent Open Source consultant
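The proposal above rests on one checkable property: no workflow in the repository uses a trigger that runs in the base repository's context (with its secrets and a write-capable GITHUB_TOKEN) on input an outside contributor controls. The script below is an added example, not code from the Pekko project or from anyone in this thread. It reads the top-level `on:` key of each workflow with a small line-based reader (no PyYAML dependency; it handles the usual inline, flow-list and block forms but is not a full YAML parser), reports which workflows use a privileged trigger and which reference `${{ secrets.* }}`, and lists the ones that need a manual security review. The sample workflow texts are constructed for the example and are not Pekko's real files; `workflow_run` is added to the trigger list beyond the two the message names, because it too runs with base-repository secrets.

```python
import re
from typing import Dict, List, Set

# pull_request_target and issue_comment are the triggers named in the thread;
# workflow_run is added here (assumption of this example): it also runs in the
# base repository's context, reacting to a PR-triggered run.
DANGEROUS_TRIGGERS = {"pull_request_target", "issue_comment", "workflow_run"}

_ON_RE = re.compile(r'^(?:"on"|\'on\'|on):[ \t]*([^#]*)')   # top-level `on:` key
_SECRET_RE = re.compile(r"\$\{\{\s*secrets\.")               # ${{ secrets.NAME }}


def _unquote(token: str) -> str:
    return token.strip().strip("\"'")


def workflow_triggers(text: str) -> Set[str]:
    """Return the event names listed under the workflow's top-level `on:` key."""
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        m = _ON_RE.match(raw)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:                                   # on: push  /  on: [push, pull_request]
            if inline.startswith("["):
                return {_unquote(t) for t in inline.strip("[]").split(",") if t.strip()}
            return {_unquote(inline)}
        triggers: Set[str] = set()                   # block form: keys or "- item" lines
        block_indent = None
        for line in lines[i + 1:]:
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            indent = len(line) - len(line.lstrip(" "))
            if indent == 0:                          # next top-level key ends the block
                break
            if block_indent is None:
                block_indent = indent
            if indent != block_indent:               # nested key (branches:, types:, ...)
                continue
            if stripped.startswith("- "):
                triggers.add(_unquote(stripped[2:]))
            else:
                triggers.add(_unquote(stripped.split(":", 1)[0]))
        return triggers
    return set()


def audit(workflows: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Per workflow: all triggers, the privileged ones, and whether secrets are referenced."""
    report: Dict[str, Dict[str, object]] = {}
    for name, text in workflows.items():
        triggers = workflow_triggers(text)
        report[name] = {
            "triggers": sorted(triggers),
            "dangerous": sorted(triggers & DANGEROUS_TRIGGERS),
            "uses_secrets": bool(_SECRET_RE.search(text)),
        }
    return report


def needs_review(workflows: Dict[str, str]) -> List[str]:
    """Workflows with a privileged trigger. GITHUB_TOKEN is available even without
    an explicit secrets reference, so the trigger alone is enough to flag."""
    return sorted(name for name, r in audit(workflows).items() if r["dangerous"])


# Constructed sample workflows for this example (not the project's real files).
SAMPLE_WORKFLOWS = {
    "ci.yml": "name: CI\non:\n  pull_request:\n    branches: [ main ]\n  push:\n"
              "    branches: [ main ]\njobs:\n  build:\n    runs-on: ubuntu-latest\n"
              "    steps:\n      - uses: actions/checkout@v4\n      - run: sbt test\n",
    "publish-rc.yml": "name: Stage RC\non:\n  push:\n    tags: [ 'v*' ]\njobs:\n"
              "  publish:\n    runs-on: ubuntu-latest\n    steps:\n"
              "      - run: sbt publishSigned\n        env:\n"
              "          NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}\n",
    "label-prs.yml": "name: Label PRs\non: [pull_request_target]\njobs:\n  label:\n"
              "    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n"
              "        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n"
              "      - run: ./scripts/label.sh\n        env:\n"
              "          TOKEN: ${{ secrets.BOT_TOKEN }}\n",
    "slash-commands.yml": "name: Slash commands\non:\n  issue_comment:\n    types: [created]\n"
              "jobs:\n  run:\n    runs-on: ubuntu-latest\n    steps:\n"
              "      - run: echo \"${{ github.event.comment.body }}\"\n",
}

if __name__ == "__main__":
    for name, r in audit(SAMPLE_WORKFLOWS).items():
        print(f"{name}: triggers={r['triggers']} dangerous={r['dangerous']} secrets={r['uses_secrets']}")
    print("needs review:", needs_review(SAMPLE_WORKFLOWS))
```

Run against a real checkout by reading every file under `.github/workflows/` into the dictionary. The `publish-rc.yml` sample shows the case the message describes as acceptable: it references secrets but only runs on a tag push, which an outside contributor cannot cause. `ci.yml` runs on `pull_request`, where GitHub does not expose repository secrets to a fork's PR in the first place. The two flagged files are the shapes a reviewer would want to see before dropping the "Approve workflow run" requirement.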
