Assess use of external addon github actions neondatabase/* in Mozilla's GitHub organization mozilla
Categories
(mozilla.org :: Github: Administration, task)
Tracking
(Not tracked)
People
(Reporter: jozhou, Unassigned)
Details
I want to use the GH actions neondatabase/create-branch-action@v4 addon in mozilla/blurts-server for the following reasons:
Below are my answers to your stock questions:
** Which repositories do you want to have access? (all or list)
(Note: This mainly applies to applications. Actions are approved for entire GitHub orgs, though having this info can help security with their analysis)
mozilla/blurts-server
** Are any of those repositories private?
no
** Provide link to vendor's description of permissions needed and why
https://github.com/neondatabase/create-branch-action
** Provide the Install link for a GitHub app
https://github.com/neondatabase/create-branch-action
NOTE
Think of this as you would any 3rd party source inclusion into a shipping product, including all the considerations here.
Basically we want to add a step in our CICD for "review deployment" -- so when a PR opens, we want to spin up a dev environment, with docker to run the app and serverless postgres (neon, thus this gh actions request), so our QAs can take a look before we merge and deploy to prod.
Neon seems like an interesting solution for creating this temporary but complete dev environment for each PR, it's lightweight.
We are in the exploration phase, however, we'd need this enabled to prototype
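A sketch of the workflow step the request describes, added here as an example; it is not code from the ticket, the reporter, or the neondatabase project. The input names `project_id`, `api_key` and `branch_name` and the output name `db_url` are assumptions about the action's interface and should be checked against its README before use; `<REVIEWED_COMMIT_SHA>` is a placeholder for the commit you actually reviewed.

```yaml
name: pr-review-environment
on:
  pull_request:
    types: [opened, synchronize, reopened]

# Workflow token gets read-only repository access; the job needs nothing more.
permissions:
  contents: read

jobs:
  review-env:
    runs-on: ubuntu-latest
    # Assumption: a "review" environment holds the Neon secrets so they are
    # only exposed to this job, not to every workflow in the repository.
    environment: review
    steps:
      - uses: actions/checkout@v4

      - name: Create a Neon branch for this PR
        id: neon
        # Pin the third-party action to a reviewed commit SHA rather than the
        # mutable @v4 tag, so the code that handles the API key cannot change
        # underneath the repository without a new review.
        uses: neondatabase/create-branch-action@<REVIEWED_COMMIT_SHA>
        with:
          project_id: ${{ secrets.NEON_PROJECT_ID }}   # assumed input name
          api_key: ${{ secrets.NEON_API_KEY }}         # assumed input name
          branch_name: preview/pr-${{ github.event.number }}

      - name: Start the app against the per-PR database
        env:
          # Assumed output name; it carries credentials, so it is passed as an
          # environment variable and never printed in a run step.
          DATABASE_URL: ${{ steps.neon.outputs.db_url }}
        run: docker compose up -d
```

Two points worth keeping in the review of such a request: the `pull_request` event does not expose repository secrets to pull requests from forks, so the branch step simply fails there instead of leaking the Neon key, which is the safer default compared with `pull_request_target`; and the database branch created for each PR should be deleted by a matching `closed` workflow so stale environments (and any data copied into them) do not accumulate.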
Comment 1•1 year ago
Alright - neondatabase is not in our list of pre-approved actions here
So per runbooks I have to ask secops to analyse and ask any needed questions before their approval.
One followup for you - in the title you have "neondatabase/*" ... but in the description, you specify "neondatabase/create-branch-action" ... those are pretty different permissions levels - can I assume you just want the create branch action, or do you need others?
Hal/Clovis, please let us know of any questions or actions.
Hey Chris, so far I've never tested it (couldn't), so I had to go off of what tutorials say, and that's using "neondatabase/create-branch-action"
I think that should be sufficient right now. Thank you!
Joe: Have you filed a CASA request yet for NEON yet? I don't see an RRA yet, which is required before we can talk about connecting it into a PoC. (Yes, even if you're using "free" accounts, per legal.)
Hal, ah gotcha. Thanks for the tip. I haven't yet. Any idea how long this process usually takes? If it takes a long time, I think we'll just opt out and look for alternative solutions
jozhou: The CASA process is opaque to me -- your manager may have experience with it. The RRA part will depend on workload, but allow at least a week. (Do state any business urgencies in your RRA request to help triage requests.)
Use of pre-approved solutions is always preferred (we've already invested in qualifying the solution). However, we also want to support process improvements. It sounds like NEON might be a good fit for that -- just not an "instant" approval.
Thanks Hal! Let's close this. We've decided to go with another solution.