Assess use of external Github action kewisch/action-web-ext@v1 in Mozilla's GitHub organization mozilla
Categories: mozilla.org :: Github: Administration, task
People: Reporter: mkaply, Unassigned
I want to use the kewisch/action-web-ext@v1 addon in mozilla for the following reasons:
To sign a web extension
** Which repositories do you want to have access? (all or list)
https://github.com/mozilla/companion
** Are any of those repositories private?
No
** Provide link to vendor's description of permissions needed and why
https://github.com/kewisch/action-web-ext
** Provide the Install link for a GitHub app
Comment 1 • 2 years ago
Alright, Thank you for that data - Forwarding to Secops for their approval.
Secops - let us know if you have questions.
Comment 2 • 2 years ago
Hi :mkaply, is this action going to be used in just https://github.com/mozilla/companion or are there other repos this action is needed? The reason I ask is because repo owners can use actions as they'd like within individual repos, but when it comes to approvals for GHE admins, we are more focused on allowing/disallowing actions for whole organizations. I will be asking the same question for 1837488 assuming there may be a difference between the two requests out of caution.
Comment 3 • 2 years ago
to clarify Austin's point about using the action within the repo - you'd have to copy the action into the repo. This would prevent the action from tracking any updates that the author makes, and depending on action licensing may be a concern.
Comment 4 (Reporter) • 2 years ago
I was only going to use it in the repo.
I didn't realize there was a way to copy it into the repo.
I'll do that.
Comment 5 (Reporter) • 2 years ago
Is there any documentation on how to copy an action into a repo? I've searched and found nothing.
It might be worth reporting a bug to Github that the error isn't very good:
The error message says:
notiz-dev/github-action-json-property@release and kewisch/action-web-ext@v1 are not allowed to be used in mozilla/companion. Actions in this workflow must be: within a repository that belongs to your Enterprise account, created by GitHub, or matching the following: !/mozilla/, !mozilla/, ./**, 10up/wpcs-action@, aws-actions/, docker/, pypa/gh-action-pypi-publish@v1.4.2, slackapi/slack-github-action@, google-github-actions/, erlef/setup-beam@v1, yesolutions/mirror-action@, codecov/codecov-action@, tj-actions/changed-files@, tj-actions/glob@, vmactions/freebsd-vm@v0, actions-rs/toolchain@v1, shivammathur/setup-php@, EmbarkStudios/, dependabot/fetch-metadata@, ilammy/msvc-dev-cmd@v1*, canonical/actions/, canonical/setup-lxd@, dtolnay/rust-toolchain@*.
And I guess this part:
Actions in this workflow must be: within a repository that belongs to your Enterprise account,
is a little confusing. I wish Github had said "your repository".
Comment 6 • 2 years ago
some lore on this:
- If this addon is mozilla written, it likely should be in the Mozilla-Extensions org
- deets known by releng, but here's where you can get it badged as "written by mozilla" in AMO
- GitHub action permissions are, indeed, confusing. It's a "mini npm" ☹️
- what was being suggested was that you vendor in the action to .github/actions/ (see last paragraph here)
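As an added example (not from this bug, the org admins, or the action's author), a small pre-push check that applies an allow-list in the form quoted in comment 5 to a workflow's `uses:` lines, so a repo owner can see which references the org policy will reject before pushing. The matching rule is an approximation of GitHub's pattern syntax, the allowed set is a subset of the one in the error message plus `mozilla/` and `actions/` as stand-ins for "your Enterprise account" and "created by GitHub" (both assumptions), and the workflow excerpt is constructed.

```python
import fnmatch
import re

# Subset of the allow-list quoted in the error message, plus "mozilla/" and
# "actions/" as stand-ins for "within a repository that belongs to your
# Enterprise account" and "created by GitHub" (both are assumptions).
ALLOWED_PATTERNS = [
    "mozilla/", "actions/", "./**", "aws-actions/", "docker/",
    "pypa/gh-action-pypi-publish@v1.4.2", "codecov/codecov-action@",
    "ilammy/msvc-dev-cmd@v1*", "dtolnay/rust-toolchain@*",
]

# Matches "uses: owner/repo@ref" or "- uses: ./local/path" in workflow YAML.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")

def is_allowed(ref, patterns=ALLOWED_PATTERNS):
    """Approximate GitHub's allow-list matching for one action reference."""
    for pat in patterns:
        if pat == "./**":                 # any action vendored in this repo
            if ref.startswith("./"):
                return True
        elif pat.endswith("/") or pat.endswith("@"):
            if ref.startswith(pat):       # whole owner, or any ref of one action
                return True
        elif "*" in pat:                  # wildcard on the ref, e.g. "@v1*"
            if fnmatch.fnmatchcase(ref, pat):
                return True
        elif ref == pat:                  # exact owner/repo@ref
            return True
    return False

def lint_workflow(text, patterns=ALLOWED_PATTERNS):
    """Return the `uses:` references in a workflow that the policy blocks."""
    blocked = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and not is_allowed(m.group(1), patterns):
            blocked.append(m.group(1))
    return blocked

# Constructed excerpt: the two rejected actions beside a vendored copy under
# .github/actions/, which the "./**" entry permits.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v3
  - uses: kewisch/action-web-ext@v1
  - uses: notiz-dev/github-action-json-property@release
  - uses: ./.github/actions/action-web-ext
  - uses: docker/build-push-action@v4
"""
```

Running `lint_workflow(SAMPLE_WORKFLOW)` returns only the two third-party references, which is what the policy error in comment 5 reported.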
Comment 7 (Reporter) • 2 years ago
> If this addon is mozilla written, it likely should be in the Mozilla-Extensions org
I didn't realize there was a mozilla-extensions org.
I put it in mozilla because it's really an internal use addon (but source will be public).
Comment 8 (Reporter) • 2 years ago
I think mozilla-extensions is for line extensions? Like special signature and build process?
Comment 9 (Reporter) • 2 years ago
Using git submodule seems to work, so I don't need this for the whole repo.