On Sun, Jun 21, 2020 at 10:34 AM Waqas Hussain <waqa...@gmail.com> wrote:
> On Tue, Jun 16, 2020 at 1:13 PM Jonas Schäfer <jo...@wielicki.name> wrote:
>
>> > Alternatively, if we do still want to use Docker, why not just use
>> > whatever GitHub's CI is or one of the many CI solutions that can work
>> > with GitHub without setting up lots of new infrastructure, repos,
>> > syncing, etc? (ie. Travis, Circle CI, Drone, etc. there are tons of them
>> > and many of them are free but also designed to work with GitHub)
>>
>> Due to the messed up permission model of GitHub, all of them (I can’t test
>> travis because I signed up with them a long time ago, Circle CI does, GitLab
>> CI for GitHub does, Docker Hub does for newly added repositories; Drone seems
>> to require infrastructure we don’t have or want to maintain on the iteam side)
>> seem to require full write access to all repositories whichever account is
>> used to set them up has access to or will ever have access to, public and
>> private.
>>
>>
> I'd second what Sam suggested elsewhere in the thread. If the main issue
> is Github's permission model (due to us using personal human accounts for
> doing CI auth), we should use Github's recommended alternatives: machine
> users is what they've recommended prior to Github Actions.
>
> See
> https://developer.github.com/v3/guides/managing-deploy-keys/#machine-users
>
> With my security hat on, using human accounts for CI is an anti-pattern.
> You /want/ a machine CI user, even if human accounts would work perfectly.
> This helps fully compartmentalize CI, limits blast radius when incidents
> happen, is easier when humans eventually leave the org.
>
> If Github Actions work for our use-cases, that might be ideal though. It's
> more managed, which I'd expect to translate to less burden on iteam, and
> allow easier contribution by folks not on iteam.
>
> I'm on the side of keeping issues and PRs on Github, that's where the
> users are. Asking every contributor to create a Gitlab account seems
> unfortunate, when practically every contributor already has a Github
> account.
>
> I do appreciate the idea of supporting account-less contributions (that
> Zash called out), and the historical channel for that has been the mailing
> list. So that seems covered in any case.
>
> Thanks,
> Waqas
>

Oh, and I wanted to add: thanks for working on this Jonas, and everyone else on iteam. Regardless of where we land, I'm sure we all appreciate the effort being put in.
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org
_______________________________________________