* Random GitHub Actions added to git/git???
From: Junio C Hamano @ 2021-04-20 0:29 UTC
To: Jeff King, Taylor Blau; +Cc: git

This is only of interest to those who interact with the mirror of
the public repository at GitHub, but anyway.

I was browsing https://github.com/git/git/actions and noticed that
there are many "workflows", even though what we have in our source
tree in .github/workflows/ define only two of them (which I consider
"officially sanctioned ones").

I suspect that these other ones come from "pull requests" random
people threw at us that never hit our tree, with changes to the
.github/workflows/ directory in these PR.

I find them quite distracting. Is this something the hosting site
(GitHub) considers normal and helpful to the projects they host? Is
there an easy knob to disable those other than what we have in our
tree?

Thanks.

* Re: Random GitHub Actions added to git/git???
From: Taylor Blau @ 2021-04-20 0:41 UTC
To: Junio C Hamano; +Cc: Jeff King, Taylor Blau, git

On Mon, Apr 19, 2021 at 05:29:36PM -0700, Junio C Hamano wrote:
> I suspect that these other ones come from "pull requests" random
> people threw at us that never hit our tree, with changes to the
> .github/workflows/ directory in these PR.
>
> I find them quite distracting.

That's what I'd expect, too, but I'm not sure. I asked the people who
would know, and I'll reply back here once I have an answer.

> Thanks.

Thanks,
Taylor

* Re: Random GitHub Actions added to git/git???
From: Taylor Blau @ 2021-04-20 16:23 UTC
To: Junio C Hamano; +Cc: Jeff King, git

On Mon, Apr 19, 2021 at 08:41:32PM -0400, Taylor Blau wrote:
> On Mon, Apr 19, 2021 at 05:29:36PM -0700, Junio C Hamano wrote:
> > I suspect that these other ones come from "pull requests" random
> > people threw at us that never hit our tree, with changes to the
> > .github/workflows/ directory in these PR.
> >
> > I find them quite distracting.
>
> That's what I'd expect, too, but I'm not sure. I asked the people who
> would know, and I'll reply back here once I have an answer.

The answer is that every workflow that was run in either (a) any branch
of a repository, or (b) in any pull requests against that repository
will show up in that list. As Dscho noted lower in the thread, all of
the ones on git/git are spam.

From my conversation with the Actions folk, it sounds like we don't hide
these currently, but they are planning on doing it soon. So they will
disappear eventually, but not before it's implemented.

Hope that helps.

Thanks,
Taylor

* Re: Random GitHub Actions added to git/git???
From: Bagas Sanjaya @ 2021-04-20 9:48 UTC
To: Junio C Hamano, Jeff King, Taylor Blau; +Cc: git

On 20/04/21 07.29, Junio C Hamano wrote:
> I was browsing https://github.com/git/git/actions and noticed that
> there are many "workflows", even though what we have in our source
> tree in .github/workflows/ define only two of them (which I consider
> "officially sanctioned ones").
>
> I suspect that these other ones come from "pull requests" random
> people threw at us that never hit our tree, with changes to the
> .github/workflows/ directory in these PR.

They are Actions jobs triggered by GitGitGadget PRs.
For example, job [1] corresponds to patchset [2].

[1]: https://github.com/git/git/actions/runs/763138085
[2]: https://lore.kernel.org/git/pull.847.v7.git.git.1618832276.gitgitgadget@gmail.com/

--
An old man doll... just what I always wanted! - Clara

* Re: Random GitHub Actions added to git/git???
From: Johannes Schindelin @ 2021-04-20 15:55 UTC
To: Bagas Sanjaya; +Cc: Junio C Hamano, Jeff King, Taylor Blau, git

Hi Bagas,

On Tue, 20 Apr 2021, Bagas Sanjaya wrote:

> On 20/04/21 07.29, Junio C Hamano wrote:
> > I was browsing https://github.com/git/git/actions and noticed that
> > there are many "workflows", even though what we have in our source
> > tree in .github/workflows/ define only two of them (which I consider
> > "officially sanctioned ones").
> >
> > I suspect that these other ones come from "pull requests" random
> > people threw at us that never hit our tree, with changes to the
> > .github/workflows/ directory in these PR.
>
> They are Actions jobs triggered by GitGitGadget PRs.

No, they are not. From GitGitGadget's own home page at
https://gitgitgadget.github.io/:

	But... what is GitGitGadget?

	GitGitGadget itself is a GitHub App that is backed by an Azure
	Function written in pure Javascript which in turn triggers an Azure
	Pipeline written in Typescript (which is really easy to understand
	and write for everybody who knows even just a little Javascript),
	maintained at https://github.com/gitgitgadget/gitgitgadget.

In other words, GitGitGadget uses Azure Pipelines, not GitHub Actions.

> For example, job [1] corresponds to patchset [2].
>
> [1]: https://github.com/git/git/actions/runs/763138085

This has nothing to do with GitGitGadget, it is the regular
`check-whitespace.yml` check from our very own
`.github/workflows/check-whitespace.yml`.

Ciao,
Johannes

> [2]:
> https://lore.kernel.org/git/pull.847.v7.git.git.1618832276.gitgitgadget@gmail.com/

* Re: Random GitHub Actions added to git/git???
From: Johannes Schindelin @ 2021-04-20 15:51 UTC
To: Junio C Hamano; +Cc: Jeff King, Taylor Blau, git

Hi Junio,

On Mon, 19 Apr 2021, Junio C Hamano wrote:

> I was browsing https://github.com/git/git/actions and noticed that
> there are many "workflows", even though what we have in our source
> tree in .github/workflows/ define only two of them (which I consider
> "officially sanctioned ones").

If you are referring to the "Codacy Security Scan" things and alike, I saw
them, too, and I think it was a single contributor who opened PRs adding
those workflows.

If you click on one of them (such as above-mentioned "Codacy Security
Scan"), you will see that "This workflow run has been marked as
disruptive" (see for yourself at
https://github.com/git/git/actions/workflows/codacy-analysis.yml).

It is a bit sad that those are still shown at all, but I think it's just a
matter of time until they vanish.

Ciao,
Dscho

* Re: Random GitHub Actions added to git/git???
From: Junio C Hamano @ 2021-04-20 20:23 UTC
To: Johannes Schindelin; +Cc: Jeff King, Taylor Blau, git

Johannes Schindelin <Johannes.Schindelin@gmx.de> writes:

> If you click on one of them (such as above-mentioned "Codacy Security
> Scan"), you will see that "This workflow run has been marked as
> disruptive" (see for yourself at
> https://github.com/git/git/actions/workflows/codacy-analysis.yml).

Yes, I was the one who "manually disabled" some of them. I did not
find how to mark them "as disruptive", though.

How well are our refs protected from these random "Actions"? Can
somebody spam us with a pull request with a new "workflow" that
advances one of our integration branches ;-)?

* Re: Random GitHub Actions added to git/git???
From: Johannes Schindelin @ 2021-04-21 12:38 UTC
To: Junio C Hamano; +Cc: Jeff King, Taylor Blau, git

Hi Junio,

On Tue, 20 Apr 2021, Junio C Hamano wrote:

> Johannes Schindelin <Johannes.Schindelin@gmx.de> writes:
>
> > If you click on one of them (such as above-mentioned "Codacy Security
> > Scan"), you will see that "This workflow run has been marked as
> > disruptive" (see for yourself at
> > https://github.com/git/git/actions/workflows/codacy-analysis.yml).
>
> Yes, I was the one who "manually disabled" some of them. I did not
> find how to mark them "as disruptive", though.
>
> How well are our refs protected from these random "Actions"? Can
> somebody spam us with a pull request with a new "workflow" that
> advances one of our integration branches ;-)?

The GITHUB_TOKEN that is used by the GitHub workflows is generated in two
ways, depending whether a PR originated from the same repository or from a
fork. If it came from a fork, the token has only read permissions.

So I'd say we're still safe.

Ciao,
Dscho

* Re: Random GitHub Actions added to git/git???
From: Junio C Hamano @ 2021-04-21 23:05 UTC
To: Johannes Schindelin; +Cc: Jeff King, Taylor Blau, git

Johannes Schindelin <Johannes.Schindelin@gmx.de> writes:

> On Tue, 20 Apr 2021, Junio C Hamano wrote:
>
>> How well are our refs protected from these random "Actions"? Can
>> somebody spam us with a pull request with a new "workflow" that
>> advances one of our integration branches ;-)?
>
> The GITHUB_TOKEN that is used by the GitHub workflows is generated in two
> ways, depending whether a PR originated from the same repository or from a
> fork. If it came from a fork, the token has only read permissions.
>
> So I'd say we're still safe.

Yeah, their blog post came to my inbox, which was quite timely, this
morning ;-).

https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/

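The last two messages turn on what GITHUB_TOKEN is allowed to do: read-only for pull requests from forks, and controllable per the changelog entry linked above. As an added example (not part of the thread and not code from git's tree), the sketch below flags workflow jobs that never declare a `permissions:` block and therefore run with the repository's default token scope. The workflow texts and job names are constructed, and the reader is a simplified indentation-based scan, not a full YAML parser.

```python
import re

KEY = re.compile(r"^( *)([A-Za-z0-9_-]+):")  # block-style "key:" line

def jobs_without_permissions(workflow_text):
    """Return jobs that inherit the default GITHUB_TOKEN scope."""
    # Simplified reader: space-indented block YAML only. A job is covered
    # by a top-level `permissions:` key or by one of its own.
    top_level = False
    covered = {}                      # job name -> declares permissions
    section = job = None
    job_indent = key_indent = None
    for line in workflow_text.splitlines():
        m = KEY.match(line)
        if not m:
            continue                  # comments, list items, blank lines
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:
            section, job, job_indent, key_indent = key, None, None, None
            top_level = top_level or key == "permissions"
        elif section == "jobs":
            if job_indent is None:
                job_indent = indent   # first key under jobs: is a job name
            if indent == job_indent:
                job, key_indent = key, None
                covered[job] = False
            elif job is not None:
                if key_indent is None:
                    key_indent = indent
                if indent == key_indent and key == "permissions":
                    covered[job] = True
    if top_level:
        return []
    return sorted(name for name, ok in covered.items() if not ok)

# Constructed workflows with hypothetical job names, not from git's tree.
IMPLICIT = """\
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps: [{run: make test}]
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps: [{run: make lint}]
"""
EXPLICIT = "permissions:\n  contents: read\n" + IMPLICIT
```

Running `jobs_without_permissions` over each file under `.github/workflows/` lists the jobs to review; adding a top-level `permissions:` block, as in `EXPLICIT`, clears the whole file.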