Hi Texera dev,
I'd like to propose a change to our GitHub Actions configuration on apache/texera to reduce friction for non-committer contributors. *Background:* Currently, the ASF GitHub Actions policy requires committer approval for all outside collaborators, meaning every push from a non-committer's fork needs approval before CI runs. This leads to slow feedback and unnecessary work for committers. *Proposal:* Ask ASF Infra to change to: "Require approval for first-time contributors." This means that after a contributor's initial PR approval, their subsequent pushes and future PRs would trigger CI automatically. Committers still have visibility, and Infra can revert if needed. As a project, we need to follow certain requirements that are called out here - https://infra.apache.org/github-actions-policy.html I have confirmed that: - GitHub does not pass repository secrets to runners on fork PRs (regardless of whether the workflow file references `secrets.*`). GITHUB_TOKEN is provided but with read-only permissions on fork PRs. - Workflows that intentionally need write privileges in PR context (auto-assign, lint-pr, pr-labeler) use `pull_request_target`, which runs in the base-branch context and is unaffected by the approval-policy setting. - Workflows that touch sensitive secrets (build-and-push-images, create-release-candidate, direct-backport-push) are gated on `workflow_dispatch` / `push` and are not reachable from fork PRs at all. *Precedent:* Several ASF projects have made this switch via Infra Jira, including Apache ShardingSphere and Apache Druid. - Apache ShardingSphere — https://issues.apache.org/jira/browse/INFRA-24389 - Apache Druid — https://issues.apache.org/jira/browse/INFRA-24657 Please share your thoughts. If no-one objects within three days, I’ll assume lazy consensus and open a ticket to INFRA. Best regards, Yicong Huang
