Git Mailing List Archive on lore.kernel.org
 help / color / Atom feed
* Random GitHub Actions added to git/git???
@ 2021-04-20  0:29 Junio C Hamano
  2021-04-20  0:41 ` Taylor Blau
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Junio C Hamano @ 2021-04-20  0:29 UTC (permalink / raw)
  To: Jeff King, Taylor Blau; +Cc: git

This is only of interest to those who interact with the mirror of
the public repository at GitHub, but anyway.

I was browsing https://github.com/git/git/actions and noticed that
there are many "workflows", even though what we have in our source
tree in .github/workflows/ define only two of them (which I consider
"officially sanctioned ones").

I suspect that these other ones come from "pull requests" random
people threw at us that never hit our tree, with changes to the
.github/workflows/ directory in these PR.

I find them quite distracting.

Is this something the hosting site (GitHub) considers normal and
helpful to the projects they host?  Is there an easy knob to disable
those other than what we have in our tree?

Thanks.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Random GitHub Actions added to git/git???
  2021-04-20  0:29 Random GitHub Actions added to git/git??? Junio C Hamano
@ 2021-04-20  0:41 ` Taylor Blau
  2021-04-20 16:23   ` Taylor Blau
  2021-04-20  9:48 ` Bagas Sanjaya
  2021-04-20 15:51 ` Johannes Schindelin
  2 siblings, 1 reply; 9+ messages in thread
From: Taylor Blau @ 2021-04-20  0:41 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: Jeff King, Taylor Blau, git

On Mon, Apr 19, 2021 at 05:29:36PM -0700, Junio C Hamano wrote:
> I suspect that these other ones come from "pull requests" random
> people threw at us that never hit our tree, with changes to the
> .github/workflows/ directory in these PR.
>
> I find them quite distracting.

That's what I'd expect, too, but I'm not sure. I asked the people who
would know, and I'll reply back here once I have an answer.

> Thanks.

Thanks,
Taylor

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Random GitHub Actions added to git/git???
  2021-04-20  0:29 Random GitHub Actions added to git/git??? Junio C Hamano
  2021-04-20  0:41 ` Taylor Blau
@ 2021-04-20  9:48 ` Bagas Sanjaya
  2021-04-20 15:55   ` Johannes Schindelin
  2021-04-20 15:51 ` Johannes Schindelin
  2 siblings, 1 reply; 9+ messages in thread
From: Bagas Sanjaya @ 2021-04-20  9:48 UTC (permalink / raw)
  To: Junio C Hamano, Jeff King, Taylor Blau; +Cc: git

On 20/04/21 07.29, Junio C Hamano wrote:
> I was browsing https://github.com/git/git/actions and noticed that
> there are many "workflows", even though what we have in our source
> tree in .github/workflows/ define only two of them (which I consider
> "officially sanctioned ones").
> 
> I suspect that these other ones come from "pull requests" random
> people threw at us that never hit our tree, with changes to the
> .github/workflows/ directory in these PR.

They are Actions jobs triggered by GitGitGadget PRs. For example,
job [1] corresponds to patchset [2].

[1]: https://github.com/git/git/actions/runs/763138085
[2]: https://lore.kernel.org/git/pull.847.v7.git.git.1618832276.gitgitgadget@gmail.com/

-- 
An old man doll... just what I always wanted! - Clara

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Random GitHub Actions added to git/git???
  2021-04-20  0:29 Random GitHub Actions added to git/git??? Junio C Hamano
  2021-04-20  0:41 ` Taylor Blau
  2021-04-20  9:48 ` Bagas Sanjaya
@ 2021-04-20 15:51 ` Johannes Schindelin
  2021-04-20 20:23   ` Junio C Hamano
  2 siblings, 1 reply; 9+ messages in thread
From: Johannes Schindelin @ 2021-04-20 15:51 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: Jeff King, Taylor Blau, git

Hi Junio,

On Mon, 19 Apr 2021, Junio C Hamano wrote:

> I was browsing https://github.com/git/git/actions and noticed that
> there are many "workflows", even though what we have in our source
> tree in .github/workflows/ define only two of them (which I consider
> "officially sanctioned ones").

If you are referring to the "Codacy Security Scan" things and alike, I
saw them, too, and I think it was a single contributor who opened PRs
adding those workflows.

If you click on one of them (such as above-mentioned "Codacy Security
Scan"), you will see that "This workflow run has been marked as
disruptive" (see for yourself at
https://github.com/git/git/actions/workflows/codacy-analysis.yml).

It is a bit sad that those are still shown at all, but I think it's just a
matter of time until they vanish.

Ciao,
Dscho

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Random GitHub Actions added to git/git???
  2021-04-20  9:48 ` Bagas Sanjaya
@ 2021-04-20 15:55   ` Johannes Schindelin
  0 siblings, 0 replies; 9+ messages in thread
From: Johannes Schindelin @ 2021-04-20 15:55 UTC (permalink / raw)
  To: Bagas Sanjaya; +Cc: Junio C Hamano, Jeff King, Taylor Blau, git

Hi Bagas,

On Tue, 20 Apr 2021, Bagas Sanjaya wrote:

> On 20/04/21 07.29, Junio C Hamano wrote:
> > I was browsing https://github.com/git/git/actions and noticed that
> > there are many "workflows", even though what we have in our source
> > tree in .github/workflows/ define only two of them (which I consider
> > "officially sanctioned ones").
> >
> > I suspect that these other ones come from "pull requests" random
> > people threw at us that never hit our tree, with changes to the
> > .github/workflows/ directory in these PR.
>
> They are Actions jobs triggered by GitGitGadget PRs.

No, they are not. From GitGitGadget's own home page at
https://gitgitgadget.github.io/:


	But... what is GitGitGadget?

	GitGitGadget itself is a GitHub App that is backed by an Azure
	Function written in pure Javascript which in turn triggers an
	Azure Pipeline written in Typescript (which is really easy to
	understand and write for everybody who knows even just a little
	Javascript), maintained at
	https://github.com/gitgitgadget/gitgitgadget.

In other words, GitGitGadget uses Azure Pipelines, not GitHub Actions.

> For example, job [1] corresponds to patchset [2].
>
> [1]: https://github.com/git/git/actions/runs/763138085

This has nothing to do with GitGitGadget, it is the regular
`check-whitespace.yml` check from our very own
`.github/workflows/check-whitespace.yml`.

Ciao,
Johannes

> [2]:
> https://lore.kernel.org/git/pull.847.v7.git.git.1618832276.gitgitgadget@gmail.com/


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Random GitHub Actions added to git/git???
  2021-04-20  0:41 ` Taylor Blau
@ 2021-04-20 16:23   ` Taylor Blau
  0 siblings, 0 replies; 9+ messages in thread
From: Taylor Blau @ 2021-04-20 16:23 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: Jeff King, git

On Mon, Apr 19, 2021 at 08:41:32PM -0400, Taylor Blau wrote:
> On Mon, Apr 19, 2021 at 05:29:36PM -0700, Junio C Hamano wrote:
> > I suspect that these other ones come from "pull requests" random
> > people threw at us that never hit our tree, with changes to the
> > .github/workflows/ directory in these PR.
> >
> > I find them quite distracting.
>
> That's what I'd expect, too, but I'm not sure. I asked the people who
> would know, and I'll reply back here once I have an answer.

The answer is that every workflow that was run in either (a) any branch
of a repository, or (b) in any pull requests against that repository
will show up in that list.

As Dscho noted lower in the thread, all of the ones on git/git are spam.
From my conversation with the Actions folk, it sounds like we don't hide
these currently, but they are planning on doing it soon. So they will
disappear eventually, but not before it's implemented.

Hope that helps.

Thanks,
Taylor

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Random GitHub Actions added to git/git???
  2021-04-20 15:51 ` Johannes Schindelin
@ 2021-04-20 20:23   ` Junio C Hamano
  2021-04-21 12:38     ` Johannes Schindelin
  0 siblings, 1 reply; 9+ messages in thread
From: Junio C Hamano @ 2021-04-20 20:23 UTC (permalink / raw)
  To: Johannes Schindelin; +Cc: Jeff King, Taylor Blau, git

Johannes Schindelin <Johannes.Schindelin@gmx.de> writes:

> If you click on one of them (such as above-mentioned "Codacy Security
> Scan"), you will see that "This workflow run has been marked as
> disruptive" (see for yourself at
> https://github.com/git/git/actions/workflows/codacy-analysis.yml).

Yes, I was the one who "manually disabled" some of them.  I did not
find how to mark them "as disruptive", though.

How well are our refs protected from these random "Actions"?  Can
somebody spam us with a pull request with a new "workflow" that
advances one of our integration branches ;-)?



^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Random GitHub Actions added to git/git???
  2021-04-20 20:23   ` Junio C Hamano
@ 2021-04-21 12:38     ` Johannes Schindelin
  2021-04-21 23:05       ` Junio C Hamano
  0 siblings, 1 reply; 9+ messages in thread
From: Johannes Schindelin @ 2021-04-21 12:38 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: Jeff King, Taylor Blau, git

Hi Junio,

On Tue, 20 Apr 2021, Junio C Hamano wrote:

> Johannes Schindelin <Johannes.Schindelin@gmx.de> writes:
>
> > If you click on one of them (such as above-mentioned "Codacy Security
> > Scan"), you will see that "This workflow run has been marked as
> > disruptive" (see for yourself at
> > https://github.com/git/git/actions/workflows/codacy-analysis.yml).
>
> Yes, I was the one who "manually disabled" some of them.  I did not
> find how to mark them "as disruptive", though.
>
> How well are our refs protected from these random "Actions"?  Can
> somebody spam us with a pull request with a new "workflow" that
> advances one of our integration branches ;-)?

The GITHUB_TOKEN that is used by the GitHub workflows is generated in two
ways, depending whether a PR originated from the same repository or from a
fork. If it came from a fork, the token has only read permissions.

So I'd say we're still safe.

Ciao,
Dscho

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Random GitHub Actions added to git/git???
  2021-04-21 12:38     ` Johannes Schindelin
@ 2021-04-21 23:05       ` Junio C Hamano
  0 siblings, 0 replies; 9+ messages in thread
From: Junio C Hamano @ 2021-04-21 23:05 UTC (permalink / raw)
  To: Johannes Schindelin; +Cc: Jeff King, Taylor Blau, git

Johannes Schindelin <Johannes.Schindelin@gmx.de> writes:

> On Tue, 20 Apr 2021, Junio C Hamano wrote:
>
>> How well are our refs protected from these random "Actions"?  Can
>> somebody spam us with a pull request with a new "workflow" that
>> advances one of our integration branches ;-)?
>
> The GITHUB_TOKEN that is used by the GitHub workflows is generated in two
> ways, depending whether a PR originated from the same repository or from a
> fork. If it came from a fork, the token has only read permissions.
>
> So I'd say we're still safe.

Yeah, their blog post came to my inbox, which was quite timely, this
morning ;-).

https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/


^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, back to index

Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-20  0:29 Random GitHub Actions added to git/git??? Junio C Hamano
2021-04-20  0:41 ` Taylor Blau
2021-04-20 16:23   ` Taylor Blau
2021-04-20  9:48 ` Bagas Sanjaya
2021-04-20 15:55   ` Johannes Schindelin
2021-04-20 15:51 ` Johannes Schindelin
2021-04-20 20:23   ` Junio C Hamano
2021-04-21 12:38     ` Johannes Schindelin
2021-04-21 23:05       ` Junio C Hamano

Git Mailing List Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/git/0 git/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 git git/ https://lore.kernel.org/git \
		git@vger.kernel.org
	public-inbox-index git

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.git


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git