Skip to content

Dealing with workflow execution restriction following enforcement of more stringent security rules #256

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
fcollonval opened this issue Jul 29, 2024 · 3 comments
Open

Dealing with workflow execution restriction following enforcement of more stringent security rules #256

fcollonval opened this issue Jul 29, 2024 · 3 comments

Comments

@fcollonval
Copy link
Member

Description

Follow-up of #251 (comment)

I looked at how best handle the current situation that prevents the update job to be executed on non-member PRs. It looks like the easiest would be to create a team with Read access (aka nothing more than what you can do on public repo) in which we invite trusted contributor as outside collaborator.
For example I invited a GSoC contributor for test purpose (should be dropped at the end of this meeting if the approach is deemed wrong):
image
Then on jupyterlab/jupyterlab#16438 (comment), the first update snapshot comment failed (she was not yet a collaborator). The second passed (she accepted the invitation).
@fcollonval fcollonval added bug Something isn't working and removed bug Something isn't working labels Jul 29, 2024
@jtpio
Copy link
Member

jtpio commented Jul 31, 2024

Some questions:

  • what are the criteria for someone to be added to that list as outside collaborator? Should this apply to one-of contributors, or should there be a minimum number of PRs merged before someone can be added to that list?
  • should there then be a team of "regular contributors", for those who often contribute but are not part of the council?
  • when should someone be removed from that list?

Overall the "Read" permission is probably fine and low risk. It's more about guidelines for JupyterLab maintainers for how to manage that list.

@fcollonval
Copy link
Member Author

  • what are the criteria for someone to be added to that list as outside collaborator? Should this apply to one-of contributors, or should there be a minimum number of PRs merged before someone can be added to that list?

What about as soon as they open a second PR? So we don't add one shot contributors.

  • should there then be a team of "regular contributors", for those who often contribute but are not part of the council?

Definitely better to use a team as it is easier to manage and to audit for security.

  • when should someone be removed from that list?

That one is always tricky. We could set up a job like we do for the council with a rule like every six months, list regular contributors who haven't contribute in the last six months. Then we could remove those.

@krassowski
Copy link
Member

Ah, I just saw that it is not only that non-members cannot invoke the update, but it cannot be invoked even by members on non-member PRs. I think this needs to be changed.

For example see: jupyterlab/jupyterlab#16341 with https://github.com/jupyterlab/jupyterlab/actions/runs/10330748123/job/28600154607

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jtpio @krassowski @fcollonval