+1, allowing CI to run without an explicit button push by committers will help encourage new contributors.

The requirements seem OK. I looked through our repo and I don't see any external actions (they are all in "github" or "actions"). We do have ".github/workflows/labeler.yml" that fires on pull_request_target and does use GITHUB_TOKEN. However, that action doesn't run any code from the PR itself, so I think it is fine. (The risk to me seems to be if the action exports GITHUB_TOKEN, and runs code from the PR, then the PR can steal GITHUB_TOKEN.)

Gian

On 2023/05/31 08:10:18 Abhishek Agarwal wrote:
> Hello,
> I raised an INFRA ticket (https://issues.apache.org/jira/browse/INFRA-24657)
> for the druid project so the contributors don't need a committer to trigger
> PR build/test. Infra has agreed to relax the restrictions enough that a
> contributor will need the approval only for their first contribution.
>
> However, as a project, we need to follow certain requirements that are
> called out here - https://infra.apache.org/github-actions-policy.html
>
> They all seem fine to me. We are using `pull_request_target` for the
> labeler action but that action doesn't export any confidential variables.
> If others agree as well, I will just link this thread to the INFRA ticket.
>
> As a follow-up item, I can add a README.md in .github folder that warns
> contributors and committers to keep these requirements in mind as they
> change GitHub workflows in future.
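The manual review Gian describes (no third-party actions outside the "actions"/"github" orgs, and a pull_request_target workflow that holds GITHUB_TOKEN but never checks out or runs PR code) can be scripted. The audit below is an added example written for this thread; it is not Druid's code and the two workflow snippets are constructed for illustration, not copies of Druid's labeler.yml. It is a line-based heuristic (no YAML parser, so it does not need PyYAML) that flags `uses:` references outside the trusted orgs and, in workflows triggered by pull_request_target, any step that references the PR head ref or SHA, which is the combination that lets PR-controlled code run with the repository's token.

```python
import glob
import re

# Owners whose actions the thread treats as first-party (assumption: mirrors the
# "github" or "actions" orgs Gian mentions; extend to match your own policy).
TRUSTED_OWNERS = {"actions", "github"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PRT_RE = re.compile(r"\bpull_request_target\b")
# Expressions that resolve to the PR author's code rather than the base branch.
PR_HEAD_RE = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref)"
    r"|refs/pull/\d+/(merge|head)"
    r"|github\.head_ref"
)


def audit_workflow(text):
    """Return a list of human-readable findings for one workflow file's text."""
    findings = []
    privileged_trigger = PRT_RE.search(text) is not None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            owner = ref.split("/")[0]
            # Local actions ("./.github/actions/x") live in the repo; everything
            # else is judged by its owner org. docker:// refs are never trusted.
            if not ref.startswith("./") and owner not in TRUSTED_OWNERS:
                findings.append(f"line {lineno}: external action {ref}")
        if privileged_trigger and PR_HEAD_RE.search(line):
            findings.append(
                f"line {lineno}: pull_request_target workflow references PR head "
                f"code ({line.strip()})"
            )
    return findings


def audit_directory(workflow_dir=".github/workflows"):
    """Audit every .yml/.yaml file under workflow_dir; returns {path: findings}."""
    results = {}
    for path in sorted(glob.glob(f"{workflow_dir}/*.y*ml")):
        with open(path, encoding="utf-8") as fh:
            results[path] = audit_workflow(fh.read())
    return results


# Constructed sample: the shape the thread describes as acceptable. The
# labeler runs under pull_request_target with GITHUB_TOKEN but never checks
# out or executes anything from the PR.
SAFE_LABELER = """name: Labeler
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v4
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
"""

# Constructed sample of the pattern the policy is meant to keep out: a
# privileged trigger that checks out the PR head and pulls in a third-party
# action, so PR-controlled code runs alongside the repository token.
RISKY_WORKFLOW = """name: Risky
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: some-org/some-action@v1
      - run: ./build.sh
"""

if __name__ == "__main__":
    for name, text in (("safe labeler", SAFE_LABELER), ("risky workflow", RISKY_WORKFLOW)):
        print(name, "->", audit_workflow(text) or "no findings")
```

Run it from the repository root to audit `.github/workflows/` via `audit_directory()`, or call `audit_workflow()` on a single file's contents. The check is deliberately conservative: a `pull_request_target` workflow that merely mentions the PR head is reported even if it never runs a `run:` step, because that is the point at which a reviewer should confirm no PR-supplied code executes with the token.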