Closed Bug 1712116 Opened 3 years ago Closed 3 years ago

Assess use of external action ruby/setup-ruby in Mozilla's GitHub organization Mozilla

Categories

(mozilla.org :: Github: Administration, task)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: claudijd, Assigned: hwine)

Details

I want to use the ruby/setup-ruby action in Mozilla for the following reasons:

Below are my answers to your stock questions:

** Which repositories do you want to have access? (all or list)
https://github.com/mozilla/ssh_scan

** Are any of those repositories private?
No, public

** Provide link to vendor's description of permissions needed and why
https://github.com/ruby/setup-ruby

** Provide the Install link for a GitHub app
This isn't an app, but a GitHub Action

https://github.com/actions/setup-ruby is the default action, but you can see GitHub Archived it and points to the one maintained by Ruby core.

Transferring over to :hwine for assessment.

Assignee: nobody → hwine

Ug - the original GitHub version had 49 lines of readable TypeScript (4,600 loc built).
The Ruby version has 832 lines of JavaScript, which translates to a 54Kloc "action" (yay node) and 11+ releases so far this year.

:claudijd -- will the GitHub version (action/setup-ruby) work for you? I think it still works, but may emit deprecation notices. I suspect the main difference would be in which Ruby versions are supported. If that works, that'd be awesome.

If you need ruby/setup-ruby, I can pin the most recent version and we can cross our fingers. If you need to use the latest version, the approach would be for you to vendor the action into your repo (and thereby assume all the risk).

Let me know what works for you.

Flags: needinfo?(jclaudius)

I'm going to need the ruby/setup-ruby, but since we don't run a lot of Ruby here, I can probably vendor it without too much trouble.

That said, LOC feels like a poor metric for inclusion; I suspect if Python maintained their action and it was 50K LOC, we would just accept the risk and move on.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(jclaudius)
Resolution: --- → WONTFIX

I was able to vendor it without too much trouble: https://github.com/mozilla/ssh_scan/pull/532/
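
An added example, not part of the bug thread or of any Mozilla tooling: a small Python check that reads a workflow file and distinguishes a movable tag or branch ref from a full-commit-SHA pin and from a local-path (vendored) action, which bears on the pin-or-vendor choice discussed in the comments above. The sample workflow, the placeholder SHA and the `./.github/actions/setup-ruby` path are constructed for illustration.

```python
import re

# A full 40-hex commit SHA is the only ref form the action's publisher cannot move.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" with or without a leading list dash or quotes.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")


def classify(ref):
    """Classify one `uses:` value by how its code is selected at run time."""
    if ref.startswith("./"):
        return "vendored"          # code lives in this repository
    if ref.startswith("docker://"):
        return "docker"            # container image, outside this check
    _name, sep, version = ref.partition("@")
    if not sep:
        return "unpinned"
    return "sha-pinned" if SHA_RE.match(version) else "mutable-ref"


def audit(workflow_text):
    """Return (line number, reference, classification) for every `uses:` line."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            findings.append((lineno, m.group(1), classify(m.group(1))))
    return findings


# Constructed sample workflow; the SHA is a placeholder, the local path hypothetical.
SAMPLE = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ruby/setup-ruby@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/setup-ruby
      - uses: ruby/setup-ruby@v1
"""

if __name__ == "__main__":
    for lineno, ref, kind in audit(SAMPLE):
        print(f"line {lineno}: {ref} -> {kind}")
```

A `mutable-ref` result means the code behind the reference can change without any commit to the consuming repository; `sha-pinned` and `vendored` references change only through a reviewable diff.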
