…ation A subsequent commit will use this configuration option to set restrictions on what GitHub Actions can be used in each repository
"github_actions_sets" will, in a subsequent commit, act like the "access_levels" property. It will contain some reusable, shared lists of GitHub Actions to restrict repositories to using, so that we're not repeating the list all the time.
…itories A subsequent commit will configure each of Platform Engineering's repositories to use this list
A subsequent commit will make use of these config values in the Terraform code. For now, we're only setting it up for Platform Engineering repositories.
daa51b8 to 22cd3d1
Sets up rules to restrict which actions can run in a GitHub Actions workflow[1]. This is only applied to repositories which opt in.
[1] https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-select-actions-and-reusable-workflows-to-run
22cd3d1 to f8a066a
Parking this PR pending Andy's return and further discussion on it.
What
We'd like to restrict the set of actions that can be run by GitHub Actions to a number of trusted namespaces, and a smaller number of trusted specific actions pinned at specific known-good hashes.
We can't do that all at once without breaking things.
This PR introduces some new configuration options in repos.yml which allow us to opt a repository in to restricted actions, and define the trusted actions.
How to review
Review each commit in order. They tell a story and build up the picture. To review the changes to repos.yml, compare the changes with the list of repositories in #1937.
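The policy the PR describes (opt-in per repository, trusted namespaces allowed wholesale, a few third-party actions allowed only at one known-good commit SHA) can be checked offline against a workflow file before the restriction is turned on in GitHub. The script below is an added example and is not the project's code: the repos.yml structure it models (`github_actions_sets`, `trusted_namespaces`, `pinned_actions`, and the per-repo `github_actions_set` key), the repository names, the sample workflow and the 40-hex SHA are all constructed assumptions, and it treats `docker://` references as outside the allow list, which is also an assumption.

```python
"""Check a workflow's `uses:` references against a per-repository allowed-actions policy.

Added example, not the project's code. The config schema below is an assumption that
mirrors the idea in the PR description, not the real repos.yml layout.
"""
import re

# Constructed, reusable action sets (stands in for the PR's "github_actions_sets").
GITHUB_ACTIONS_SETS = {
    "platform-engineering": {
        # Whole namespaces we trust: any owner/repo@ref under these owners passes.
        "trusted_namespaces": ["actions", "example-org"],
        # Individual third-party actions allowed only at one known-good commit SHA.
        "pinned_actions": {
            # Constructed SHA for illustration, not a real commit.
            "docker/login-action": "0123456789abcdef0123456789abcdef01234567",
        },
    }
}

# Constructed repository entries: only repos naming a set are restricted.
REPOS = {
    "example-org/platform": {"github_actions_set": "platform-engineering"},
    "example-org/legacy": {},  # not opted in, so no restriction is applied
}

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")


def parse_uses(workflow_text):
    """Return every `uses:` reference in a workflow file, in file order."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_LINE.match(line)
        if m:
            refs.append(m.group(1))
    return refs


def check_ref(ref, policy):
    """Classify one reference under a policy; policy=None means the repo is not opted in."""
    if policy is None:
        return "unrestricted"
    if ref.startswith("./"):
        return "allowed-local"      # actions stored in the repository itself
    if ref.startswith("docker://"):
        return "blocked"            # assumption: container images are not on the allow list
    name, _, version = ref.partition("@")
    parts = name.split("/")
    owner = parts[0]
    action = "/".join(parts[:2])    # owner/repo, ignoring any sub-path inside the repo
    if owner in policy["trusted_namespaces"]:
        return "allowed-namespace"
    pinned_sha = policy["pinned_actions"].get(action)
    if pinned_sha is None:
        return "blocked"
    if not FULL_SHA.match(version):
        return "blocked-unpinned"   # tag or branch ref: mutable, so rejected even if listed
    return "allowed-pinned" if version == pinned_sha else "blocked-wrong-sha"


def check_workflow(repo, workflow_text):
    """Return [(ref, verdict)] for each action a workflow in `repo` uses."""
    set_name = REPOS.get(repo, {}).get("github_actions_set")
    policy = GITHUB_ACTIONS_SETS.get(set_name) if set_name else None
    return [(ref, check_ref(ref, policy)) for ref in parse_uses(workflow_text)]


def violations(repo, workflow_text):
    """Only the references that the restriction would stop from running."""
    return [(r, v) for r, v in check_workflow(repo, workflow_text) if v.startswith("blocked")]


# Constructed sample workflow covering each verdict.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup
      - uses: docker/login-action@0123456789abcdef0123456789abcdef01234567
      - uses: docker/build-push-action@v5
      - uses: some-user/random-action@main
"""

if __name__ == "__main__":
    for ref, verdict in check_workflow("example-org/platform", SAMPLE_WORKFLOW):
        print(f"{verdict:20} {ref}")
```

Running it against the sample prints one verdict per step; the two `blocked` lines are the references that would need either a namespace entry or a SHA-pinned entry in the action set before the repository could be opted in without breaking its workflow.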