juzhiyuan commented on issue #6528: URL: https://github.com/apache/apisix/issues/6528#issuecomment-1062579469
LGTM, and please note:

```
We only allow Actions that are official "Made by GitHub" or local to the Apache org on GitHub, to address a potential security vulnerability. This is an incident-related policy change. We are researching the situation, and the policy may evolve based on what we learn.
```

```
NEVER use 3rd-party actions directly in your workflows - use the "submodule" pattern. Example PR [Tobiasz Kędzierski](https://cwiki.apache.org/confluence/display/~tobked) [opened in SuperSet](https://github.com/apache/superset/pull/12709) showing how this could be done. Also ASF INFRA allow-listed some of the popular Actions out there, including my "cancel workflow" action, but there is no public list of those available.

The nice thing about submodules is that they do not bring action code to your repo. They link to commit hashes of the Actions, and that integrates well with the GitHub review process so that committers have a better chance to review the changes before they are merged. By using submodules, you are automatically following the GitHub recommendations for [hardening of security for 3rd-party actions](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions).
```

Also, check those 3 articles:

1. https://github.blog/changelog/2021-04-22-github-actions-maintainers-must-approve-first-time-contributor-workflow-runs/
2. https://infra.apache.org/github-actions-secrets.html
3. https://cwiki.apache.org/confluence/display/BUILDS/GitHub+Actions+status#GitHubActionsstatus-Thereasonfortheissue

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
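The comment above quotes two rules for workflows: reference only official "Made by GitHub" or local actions, and bring any third-party action in-tree as a git submodule pinned to a commit rather than using it directly. The following shell script is an added example, not code from the APISIX issue, ASF INFRA or GitHub; it audits a workflow's `uses:` references against those rules and prints the submodule commands that would replace a flagged reference. It assumes (my assumptions, not the page's) that official actions live under the `actions/` and `github/` owners, that `docker://` references count as third-party code, and that a full 40-hex SHA after `@` counts as commit pinning. The sample workflow and the owner/action names in it are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the APISIX issue, ASF INFRA or GitHub): audit
# GitHub Actions workflow YAML for `uses:` references outside the policy
# quoted in the comment (official "Made by GitHub" or local actions only)
# and print the submodule commands that would bring a flagged action
# in-tree, pinned to a commit.
#
# Assumptions (mine, not the page's): official actions are owned by
# `actions/` or `github/`; `docker://` refs are third-party; a 40-hex SHA
# after `@` counts as commit pinning.

# Constructed sample workflow, embedded so the script runs offline.
SAMPLE_WORKFLOW='name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-toolchain
      - uses: some-org/cancel-workflow@main   # third-party, mutable ref
      - uses: some-org/cancel-workflow@0d1b2c3d4e5f60718293a4b5c6d7e8f901234567
      - uses: docker://alpine:3.15
'

# classify_ref REF: print one of local, official, third-party-pinned,
# third-party-mutable, docker.
classify_ref() {
  case "$1" in
    ./*)                 echo local ;;      # checked in or submoduled into this repo
    docker://*)          echo docker ;;     # external image, treated as third-party
    actions/*|github/*)  echo official ;;   # "Made by GitHub" (assumed owner set)
    *)
      sha=${1##*@}
      if [ "$sha" != "$1" ] && printf '%s' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
        echo third-party-pinned
      else
        echo third-party-mutable              # tag or branch: can change under you
      fi ;;
  esac
}

# extract_uses: read workflow YAML on stdin, print the value of every
# `uses:` key with surrounding quotes and trailing comments stripped.
extract_uses() {
  sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' \
    | sed 's/[[:space:]]*#.*$//; s/^["'"'"']//; s/["'"'"']$//'
}

# suggest_submodule REF: print the two lines that replace a direct
# third-party reference with the submodule pattern (pin the submodule at
# a reviewed commit after adding it; `uses:` then points at the local path).
suggest_submodule() {
  repo=${1%%@*}
  name=${repo##*/}
  printf 'git submodule add https://github.com/%s .github/actions/%s\n' "$repo" "$name"
  printf 'uses: ./.github/actions/%s\n' "$name"
}

# audit_workflow: read workflow YAML on stdin, print "<kind> <ref>" per
# reference; return 1 if any reference is outside the policy, else 0.
audit_workflow() {
  bad=0
  for ref in $(extract_uses); do
    kind=$(classify_ref "$ref")
    echo "$kind $ref"
    case "$kind" in
      local|official) ;;
      *) bad=1 ;;
    esac
  done
  return $bad
}

# Demo run on the constructed workflow.
if printf '%s' "$SAMPLE_WORKFLOW" | audit_workflow; then
  echo "workflow complies with the policy"
else
  echo "workflow references third-party code; submodule replacement for the mutable ref:"
  suggest_submodule "some-org/cancel-workflow@main"
fi
```

Run it as `sh audit-actions.sh` to see the classification of each reference; to audit a real repository, replace the embedded sample with `cat .github/workflows/*.yml | audit_workflow`. Note that a SHA-pinned third-party reference is still flagged, because the quoted ASF rule allows only official or local actions; the pin only tells you the reference is at least immutable.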
