Assess use of external GitHub action golangci/golangci-lint-action in Mozilla's GitHub organization mozilla-services
Categories
(mozilla.org :: Github: Administration, task)
Tracking
(Not tracked)
People
(Reporter: cbguder, Assigned: cknowles)
Details
(Whiteboard: [sec-input-needed])
I want to use the GitHub Action golangci/golangci-lint-action in mozilla-services for the following reasons:
The Ads team is creating a new Go service in the repo https://github.com/mozilla-services/mars. We would like to use golangci-lint in Github Actions to run linters on the codebase. While it is possible to run the tool without the Github Action, the action makes it more convenient.
Below are my answers to your stock questions:
** Which repositories do you want to have access? (all or list)
https://github.com/mozilla-services/mars, https://github.com/mozilla-services/fake-ad-server, and future Go repositories we may create.
** Are any of those repositories private?
Yes
** Provide link to vendor's description of permissions needed and why
The action only needs contents: read and pull-requests: read
** Provide the Install link for a GitHub app
N/A
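The permission set quoted above, as an added example workflow that is not part of the bug or of the mozilla-services/mars repository; the action version tag, the Go setup step and the trigger branches are assumptions for illustration:

```yaml
# Added example (not from the bug or the mozilla-services/mars repo): a workflow
# invoking golangci/golangci-lint-action with only the GITHUB_TOKEN scopes the
# request states the action needs. The "@v6" tag is an assumption; in a real
# repository replace it with a full commit SHA so a future release that gains
# new behaviour cannot reach the workflow without a reviewed bump.
name: golangci-lint
on:
  pull_request:
  push:
    branches: [main]

# Workflow-level token scopes: nothing beyond contents:read and pull-requests:read.
permissions:
  contents: read
  pull-requests: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # assumes a go.mod at the repo root
      - name: Run golangci-lint (annotations only; the job never commits changes)
        uses: golangci/golangci-lint-action@v6   # pin to @<full-commit-sha> in practice
        with:
          version: latest
          only-new-issues: true     # uses pull-requests:read to report only new findings
```

With no write scopes granted, the job can annotate the pull request but cannot push to the repository even if the action's behaviour changed in a later version.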
Comment 1•2 years ago
Alright - looking here the action is not on the list of previously vetted actions by Security.
Setting an NI for them, and we'll get their verdict as soon as possible (with US thanksgiving holidays and PTO around that, it may be more delayed than normal)
Hal, Austin - Let me know if you need anything here.
(In reply to cbguder from comment #2)
> @hwine Any update on this, anything we can do to help?
Thanks for offering! I'll transfer all my standing meetings to you! 😉 Just been buried in other stuff.
This is one of those actions where Mozilla would benefit from having a formal "golang center of excellence" who could opine on the strength and stability of the team behind the action. Reading the tea leaves, this seems to be well accepted in the community, and has a large number of maintainers, so it's a "go" at any version for this action.
Chris: I'll follow up with a PR, but golangci/golangci-lint-action@* is okay
Can: I couldn't tell from a quick scan if the action has an option to modify the source. We'd prefer an "annotation only" approach, and have humans make the changes, to ensure there's no skipping a "human review" of code before landing to production.
Comment 4•2 years ago
Alright - golangci/golangci-lint-action@* has been added to the mozilla-services org.
Leaving this open for the moment based on the NI's in play.
Updated•2 years ago
Thank you! The action does not currently have an option to modify the source.
Comment 6•2 years ago
And I think that answers Hal's question - the only concern would be if it gets that feature in a future release; we've enabled all versions, so it'd be up to the users to avoid the pitfalls.