Closed Bug 1883011 Opened 2 years ago Closed 2 years ago

Assess use of external addon thollander/actions-comment-pull-request in Mozilla's GitHub organization mozilla/neqo

Category: mozilla.org :: Github: Administration, task

Tracking: Not tracked

Status: RESOLVED FIXED

People: Reporter: leggert, Assigned: cknowles

Details

I want to use the https://github.com/thollander/actions-comment-pull-request addon in mozilla/neqo for the following reasons:

Reflecting CI information back into the GitHub PR discussion.

Below are my answers to your stock questions:

** Which repositories do you want to have access? (all or list)

mozilla/neqo

** Are any of those repositories private?

no

** Provide link to vendor's description of permissions needed and why

https://github.com/thollander/actions-comment-pull-request?tab=readme-ov-file#permissions

** Provide the Install link for a GitHub app

https://github.com/thollander/actions-comment-pull-request

Summary: Assess use of external addon NAME_HERE in Mozilla's GitHub organization ORG_NAME_HERE → Assess use of external addon thollander/actions-comment-pull-request in Mozilla's GitHub organization mozilla/neqo

Alright - forwarding to our security folk to take a look and ask questions.

Hal/Clovis - please let us know your thoughts.

Flags: needinfo?(hwine)
Flags: needinfo?(cfoji)

Thanks! And sorry for the recent flood of requests - trying to modernize our CI.

No apologies, it's what we're here for. Though if a more systemic conversation with secops would help get things solved in a meeting - I'm sure secops would be happy to help. (And while I'm busy volunteering them - I'm happy to attend if GHE admin advice is desired.)

Approved with usual caveats about actions produced by individuals (at least there are multiple collaborators on this one):

Caveats

It is unclear that the action is backed by a stable group, so long-term supply chain safety is a concern, therefore:

  • Pin to a version or ref in your workflow references
  • Review changes before upgrading
  • Do not use in a job where other steps may have cached sensitive data in the workspace.

GHE Admins: this action is okay to install in any org which requests it as thollander/actions-comment-pull-request@*
Please do point the requester to these caveats

Flags: needinfo?(hwine)
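The first of the caveats above (pin to a version or ref) can be checked mechanically across a repository's workflow files. The script below is an added example and is not code from this bug, from mozilla/neqo, or from the action's author. It scans the `uses:` lines of a workflow and classifies each external action reference as pinned to a full 40-hex commit SHA, pinned to a version tag, or floating (a branch name such as `main`, which is what the caveat warns against). The workflow text is constructed for the example, and the 40-hex digest in it is a placeholder, not a real commit of the action. The regex-based scan is an assumption of this example: it looks only at `uses:` lines rather than parsing the full YAML, which is enough for the pinning check.

```python
import re

# Constructed sample workflow for this example (not a mozilla/neqo workflow).
# The 40-hex digest below is a placeholder, not a real commit of the action.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  comment:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: thollander/actions-comment-pull-request@main
      - uses: thollander/actions-comment-pull-request@0123456789abcdef0123456789abcdef01234567 # v2
      - uses: ./.github/actions/local-thing
"""

# Matches "uses: owner/repo@ref" on a step line; trailing comments are ignored.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^"'\s#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")


def classify_ref(ref):
    """Classify the part after '@' in an action reference."""
    if SHA_RE.match(ref):
        return "sha"          # immutable: the strongest form of pinning
    if VERSION_TAG_RE.match(ref):
        return "tag"          # a version, as the caveat asks, but tags can be moved
    return "floating"         # branch or other mutable ref: follows upstream silently


def audit_workflow(text):
    """Return (line_number, reference, category) for every 'uses:' step."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        if uses.startswith("./") or uses.startswith("docker://"):
            findings.append((lineno, uses, "local"))
            continue
        if "@" not in uses:
            findings.append((lineno, uses, "floating"))
            continue
        _action, ref = uses.rsplit("@", 1)
        findings.append((lineno, uses, classify_ref(ref)))
    return findings


def floating_references(text):
    """Only the references that violate the pin-to-a-version-or-ref caveat."""
    return [f for f in audit_workflow(text) if f[2] == "floating"]


if __name__ == "__main__":
    for lineno, uses, category in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno:>3}: {category:<8} {uses}")
    if floating_references(SAMPLE_WORKFLOW):
        raise SystemExit("unpinned action references found")
```

Running the script over the sample reports the `@main` reference as floating and exits non-zero; the `@v4` and SHA-pinned references pass. The remaining two caveats (review upstream changes before moving the pin, and keep the action out of jobs whose workspace may hold sensitive data) are review and job-layout decisions that a line scan cannot verify.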

Alright, I've updated that. :lars - please be sure to look at Hal's caveats in comment 4, and let us know if there are any problems or concerns.

Assignee: nobody → cknowles
Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(cfoji)
Resolution: --- → FIXED