Bug 1730873 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

I just learned that while we enable GitHub Actions on the @mozilla org on GitHub, the set of actions that are allowed is quite narrow[1].  This is good, but I have a request to allow actions from @actions-rs.  Specifically the actions-rs/toolchain action, which manages the installation of Rust toolchains.  I've also found actions-rs/cargo to be useful, but it is not critical.

It's possible to re-implement all of this manually, but it's fiddly to get right and a maintenance burden thereafter.

Is it possible to add actions-rs/* or actions-rs/toolchain to the allowlist for the org?  We would use these for the mozilla/neqo project if they were available.  I've looked at the code and it is unremarkable.  It could be better[2], but it appears to be well written and is actively maintained and widely used.

Thanks,
Martin

[1] "Actions in this workflow must be: within a repository that belongs to your Enterprise account, created by GitHub or match the following: !/mozilla/**, !mozilla/**, ./**, aws-actions/*, docker/*, pypa/gh-action-pypi-publish@v1.4.2."
[2] They rely on https exclusively to ensure that packages are authentic.  They could use sha256sum and specific versions, but that might make it harder for rustup patches to get deployed.  This is a tradeoff that I might have taken a different decision on, but theirs is a defensible choice.

I just learned that while we enable GitHub Actions on the @mozilla org on GitHub, the set of actions that are allowed is quite narrow[1].  This is good, but I have a request to allow actions from @actions-rs.  Specifically the actions-rs/toolchain action, which manages the installation of Rust toolchains.  I've also found actions-rs/cargo to be useful, but it is not critical.

It's possible to re-implement all of this manually, but it's fiddly to get right and a maintenance burden thereafter.

Is it possible to add actions-rs/* or actions-rs/toolchain to the allowlist for the org?  We would use these for the mozilla/neqo project if they were available.  I've looked at the code and it is unremarkable.  It could be better[2], but it appears to be well written and is actively maintained and widely used.

Thanks,
Martin

[1] "Actions in this workflow must be: within a repository that belongs to your Enterprise account, created by GitHub or match the following: `!/mozilla/**, !mozilla/**, ./**, aws-actions/*, docker/*, pypa/gh-action-pypi-publish@v1.4.2`."
[2] They rely on https exclusively to ensure that packages are authentic.  They could use sha256sum and specific versions, but that might make it harder for rustup patches to get deployed.  This is a tradeoff that I might have taken a different decision on, but theirs is a defensible choice.
