Closed Bug 1797457 Opened 2 years ago Closed 2 years ago

Assess use of external addon actions-rs/toolchain@v1 in Mozilla's GitHub organization mozilla/source-map

Categories

(mozilla.org :: Github: Administration, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ochameau, Unassigned)

References

(Blocks 1 open bug)

Details

I want to use the actions-rs/toolchain@v1 action in mozilla/source-map for the following reasons:

I'm currently trying to move existing CI on Travis to GitHub Actions.
The codebase is using Rust and is compiled to WebAssembly.
We would benefit from using actions-rs/toolchain@v1 in order to build, run and test this library. I'm open to alternatives if there is something that doesn't need additional privileges.
https://github.com/mozilla/source-map/pull/465/commits/792c6f3f11f95b342d91b5d4d6fc00125fb14a6c

Below are my answers to your stock questions:

** Which repositories do you want to have access? (all or list)

source-map (but I'm already owner of it)

** Are any of those repositories private?

Nothing private here.

** Provide link to vendor's description of permissions needed and why

https://github.com/actions-rs/toolchain

Summary: Assess use of external addon NAME_HERE in Mozilla's GitHub organization ORG_NAME_HERE → Assess use of external addon actions-rs/toolchain@v1 in Mozilla's GitHub organization mozilla/source-map

Note that actions approval affects the entire org - hence the need for secops approval (which I'm setting needinfos for now). If you just need this one repo - you can copy the action in the repo and then you'll have access - but maintaining the version would be a matter of your maintaining the copy, which is why you really would like to link to the external action. I mention this as a possible path that is a) faster, and b) gets around the secops concerns.

I've checked the approved actions list, here, and this isn't in the list of already approved actions. Secops, please let us know the verdict, and what, if any, action string I should be allowing for the Mozilla org.

Flags: needinfo?(hwine)
Flags: needinfo?(asargent)

Thanks for the prompt response and suggested workaround (even if I don't understand GitHub Actions well enough to know how to copy actions-rs/toolchain).

I imagine it is worth reviewing this action as Mozilla uses Rust more and more and we would probably benefit from being able to run CI for Rust codebases easily in a couple of repos.

For example, this other repo had to work around this and install Rust manually:
https://github.com/mozilla/authenticator-rs/pull/172

Hey :ochameau,

Looking at that PR (https://github.com/mozilla/source-map/pull/465/commits/792c6f3f11f95b342d91b5d4d6fc00125fb14a6c) it appears it may need checkout@v2 as well, which is not currently approved.

With that being said, I am good with the approval for toolchain@v1. It's in wide usage with almost 60k repos, consistent support and open sourced.

:cknowles please allow for toolchain@v1. I will update the approved actions table.

:ochameau once in place, can you attempt to use the action and see if everything is good?

Flags: needinfo?(asargent)

Alright, actions-rs/toolchain@v1 added to the action allow list.

Please confirm that things are working as desired?

Flags: needinfo?(hwine) → needinfo?(poirot.alex)

Haven't heard from you :ochameau, is everything working as expected?

Sorry for the late response (was on PTO lately).

Everything works nicely, thanks for promptly enabling the two actions!

https://github.com/mozilla/source-map/actions/runs/3378190584
https://github.com/mozilla/source-map/pull/465

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(poirot.alex)
Resolution: --- → FIXED
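
An added illustration of the allow-list review discussed in this thread (not code from the bug, from Mozilla, or from GitHub): a small Python check that lists the `uses:` references in a workflow file and reports the external ones that match no allow-list pattern, skipping actions copied into the repository itself. The workflow text, the local action path and the use of shell-style wildcards for patterns are assumptions made for the example.

```python
import fnmatch
import re

# Matches "uses: owner/repo@ref" and "- uses: ./local/path" lines in workflow YAML.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)""")


def find_uses(workflow_text):
    """Return (line_number, reference) for every `uses:` key in the text."""
    found = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            found.append((lineno, match.group(1)))
    return found


def unapproved(workflow_text, allow_patterns):
    """Return external action references that match no allow-list pattern."""
    violations = []
    for lineno, ref in find_uses(workflow_text):
        if ref.startswith("./"):
            continue  # action copied into the repository, not an external one
        # Assumption: patterns use shell-style wildcards, e.g. "owner/repo@*".
        if not any(fnmatch.fnmatchcase(ref, pat) for pat in allow_patterns):
            violations.append((lineno, ref))
    return violations


# Constructed workflow text for the example (not the file from the linked PR).
SAMPLE_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions-rs/toolchain@v1
        with:
          toolchain: stable
      - uses: ./.github/actions/local-copy
      - run: cargo test
"""

# Constructed allow list holding only the action approved in this bug.
ALLOW_LIST = ["actions-rs/toolchain@v1"]

if __name__ == "__main__":
    for lineno, ref in unapproved(SAMPLE_WORKFLOW, ALLOW_LIST):
        print(f"line {lineno}: {ref} is not on the allow list")
```

Running a check like this before filing an approval request surfaces every external action a workflow depends on, so all of them can be reviewed in one pass.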