Re: [NOTICE] Upcoming global changes to default GitHub Actions behavior for outside collaborators

2023-03-14 Thread Chris Lambertus
Yes, the plan is still to alter the default behavior. As stated in the original 
email:

"Projects that have a strong desire to use the “only need approval first time” 
option should communicate that, explaining their reasons, in a Jira ticket for 
Infra. Please be as specific as you can in which repositories you wish to have 
this option set for, should you choose to."

We already have a number of tickets which have been submitted for exceptions 
which will be granted/implemented when we change the default to be more secure.

Infra is working on a policy and procedure for projects to self-police the 
security risks that come along with the exemption. For the safety of our 
codebase, there must be oversight and accountability for actions initiated by 
people who are unaffiliated with the Foundation, so there needs to be a process 
for a project to request an exemption, rather than a simple opt-out repository 
.asf.yaml setting.

This change is not being enforced on everyone abruptly. We have been discussing 
it here for a month, invited input and counterpoint, and provided a process to 
request an exemption. We agree with those projects who have identified this 
change as a hindrance and thank them for providing compelling reasoning for 
those exemptions, which as previously noted, will be granted when the change 
goes live.

-Chris

-- 
@fluxo
Chris Lambertus
ASF Infrastructure

> On Mar 14, 2023, at 8:20 PM, Sumit Kumar via users wrote:
> 
> Folks,
> 
> Is the 03/19/2023 deadline still in force? What's the final verdict from 
> infra? Can projects control this behavior by creating some configuration file 
> in their repository so this mass impact can be controlled by respective PMCs 
> rather than being enforced on everyone abruptly?
> 
> On Mon, 13 Feb 2023 13:27:16 -0800 Kenneth Knowles wrote ---
> 
> I've raised https://issues.apache.org/jira/browse/INFRA-24201 for Beam and 
> see also Airflow's ticket https://issues.apache.org/jira/browse/INFRA-24200.
> 
> On Mon, Feb 13, 2023 at 11:49 AM Daniel Gruno wrote:
> 
> To Project PMCs:
> 
> GitHub for Apache projects is currently set to allow a non-committer 
> contributor to use GitHub Actions if a previous pull request by that 
> person has been approved.
> 
> This has raised some security concerns, and could cause issues with 
> overall use and availability of GitHub Actions.
> 
> The Infrastructure Team proposes to change the default to “always 
> require approval for external contributors”. We intend to make this 
> change on Sunday the 19th of March, 2023.
> 
> This change will apply to all GitHub repositories that do not already 
> have a specific GitHub Actions policy set.
> 
> Projects that have a strong desire to use the “only need approval first 
> time” option should communicate that, explaining their reasons, in a 
> Jira ticket for Infra. Please be as specific as you can in which 
> repositories you wish to have this option set for, should you choose to.
> 
> With regards,
> Daniel, on behalf of the ASF Infrastructure Team.
> 

Re: [NOTICE] Upcoming global changes to default GitHub Actions behavior for outside collaborators

2023-03-14 Thread Sumit Kumar via dev
Folks,

Is the 03/19/2023 deadline still in force? What's the final verdict from infra? 
Can projects control this behavior by creating some configuration file in their 
repository so this mass impact can be controlled by respective PMCs rather than 
being enforced on everyone abruptly?

On Mon, 13 Feb 2023 13:27:16 -0800 Kenneth Knowles wrote ---

I've raised https://issues.apache.org/jira/browse/INFRA-24201 for Beam and see 
also Airflow's ticket https://issues.apache.org/jira/browse/INFRA-24200.


On Mon, Feb 13, 2023 at 11:49 AM Daniel Gruno wrote:

To Project PMCs:

GitHub for Apache projects is currently set to allow a non-committer 
contributor to use GitHub Actions if a previous pull request by that 
person has been approved.

This has raised some security concerns, and could cause issues with 
overall use and availability of GitHub Actions.

The Infrastructure Team proposes to change the default to “always 
require approval for external contributors”. We intend to make this 
change on Sunday the 19th of March, 2023.

This change will apply to all GitHub repositories that do not already 
have a specific GitHub Actions policy set.

Projects that have a strong desire to use the “only need approval first 
time” option should communicate that, explaining their reasons, in a 
Jira ticket for Infra. Please be as specific as you can in which 
repositories you wish to have this option set for, should you choose to.

With regards,
Daniel, on behalf of the ASF Infrastructure Team.

Re: [NOTICE] Upcoming global changes to default GitHub Actions behavior for outside collaborators

2023-02-13 Thread Kenneth Knowles
I've raised https://issues.apache.org/jira/browse/INFRA-24201 for Beam and
see also Airflow's ticket https://issues.apache.org/jira/browse/INFRA-24200.

On Mon, Feb 13, 2023 at 11:49 AM Daniel Gruno wrote:

> To Project PMCs:
>
> GitHub for Apache projects is currently set to allow a non-committer
> contributor to use GitHub Actions if a previous pull request by that
> person has been approved.
>
> This has raised some security concerns, and could cause issues with
> overall use and availability of GitHub Actions.
>
> The Infrastructure Team proposes to change the default to “always
> require approval for external contributors”. We intend to make this
> change on Sunday the 19th of March, 2023.
>
> This change will apply to all GitHub repositories that do not already
> have a specific GitHub Actions policy set.
>
> Projects that have a strong desire to use the “only need approval first
> time” option should communicate that, explaining their reasons, in a
> Jira ticket for Infra. Please be as specific as you can in which
> repositories you wish to have this option set for, should you choose to.
>
> With regards,
> Daniel, on behalf of the ASF Infrastructure Team.
>


Fwd: [NOTICE] Upcoming global changes to default GitHub Actions behavior for outside collaborators

2023-02-13 Thread Austin Bennett
FYI -

I am not sure this is overly concerning, but wanted to ensure people had
seen

---------- Forwarded message ---------
From: Daniel Gruno 
Date: Mon, Feb 13, 2023, 11:49 AM
Subject: [NOTICE] Upcoming global changes to default GitHub Actions
behavior for outside collaborators
To: 


To Project PMCs:

GitHub for Apache projects is currently set to allow a non-committer
contributor to use GitHub Actions if a previous pull request by that
person has been approved.

This has raised some security concerns, and could cause issues with
overall use and availability of GitHub Actions.

The Infrastructure Team proposes to change the default to “always
require approval for external contributors”. We intend to make this
change on Sunday the 19th of March, 2023.

This change will apply to all GitHub repositories that do not already
have a specific GitHub Actions policy set.

Projects that have a strong desire to use the “only need approval first
time” option should communicate that, explaining their reasons, in a
Jira ticket for Infra. Please be as specific as you can in which
repositories you wish to have this option set for, should you choose to.

With regards,
Daniel, on behalf of the ASF Infrastructure Team.