Assess use of external addon android-actions/setup-android in Mozilla's GitHub organization application-services
Categories: mozilla.org :: Github: Administration, task
Tracking: Not tracked
People: Reporter: bgruber, Unassigned
Description
I want to use the android-actions/setup-android addon in mozilla/application-services for the following reasons:
We need to build Android/Kotlin documentation via the CI/CD workflow. We need to install the Android toolkit to generate the documentation with Dokka.
Below are my answers to your stock questions:
** Which repositories do you want to have access? (all or list)
application-services
** Are any of those repositories private?
No
** Provide link to vendor's description of permissions needed and why
https://github.com/android-actions/setup-android
** Provide the Install link for a GitHub app
https://github.com/android-actions/setup-android
NOTE
Think of this as you would any 3rd party source inclusion into a shipping product, including all the considerations here.
Comment 1 • 5 months ago
Alright, this is not a previously approved action in the https://github.com/MoCo-GHE-Admin/Approved-GHE-add-ons/blob/main/GitHub_Actions.md list, so we need security to take a look and weigh in with questions/concerns.
Hal, Clovis, Antony - please take a look, ask any needed questions.
Comment 2 (Reporter) • 5 months ago
Thanks Chris! Just FYI, I am not stuck on this particular Android action. So if we in the past approved alternative Android actions, I am fine with them too.
Comment 3 • 5 months ago
I don't see anything in that list with "Android" in it, so whatever the path, it'd likely need the security scrutiny.
Comment 4 (Reporter) • 5 months ago
Hey Chris! Is there an ETA on this one? I might have to find a workaround if the security screening takes longer and then add the action after if it is approved!
Comment 5 • 5 months ago
I'll remind security folk about this, and it's on the GitHub team agenda to mention today. But I have no information as to timing.
Comment 6 • 5 months ago
(In reply to Bastian Gruber from comment #0)
> I want to use the android-actions/setup-android addon in mozilla/application-services for the following reasons:
> We need to build Android/Kotlin documentation via the CI/CD workflow. We need to install the Android toolkit to generate the documentation with Dokka.
> Below are my answers to your stock questions:
> ** Which repositories do you want to have access? (all or list)
> application-services
> ** Are any of those repositories private?
> No
> ** Provide link to vendor's description of permissions needed and why
> https://github.com/android-actions/setup-android
> ** Provide the Install link for a GitHub app
> https://github.com/android-actions/setup-android
> NOTE
> Think of this as you would any 3rd party source inclusion into a shipping product, including all the considerations here.
@Bastian Gruber
I looked at https://github.com/android-actions/setup-android but did not find the permissions which the action is using. Can you point me to the specific section describing the permissions?
Comment 7 • 5 months ago
Setting the Needinfo field for Bastian - Bugzilla doesn't do @ notices.
Comment 8 (Reporter) • 5 months ago
There are no special permissions needed. Instead of using the action, I manually created the step: https://github.com/mozilla/application-services/blob/main/.github/workflows/build-docs.yaml#L98-L123
The repository has a 3k+ LOC JavaScript file; one might have to go through it to check what it is doing exactly.
So if this is a blocker, we can work around that with a manual installation for Android.
Bastian - a couple of questions that might simplify the scope for us. I'm not an Android developer, so these may be silly questions.
- We build lots of Android products (granted, many in Taskcluster) -- how are the GitHub-built products handling this? (i.e. any reason not to do what they've done?)
- Are there any other repos that will need this behavior? (If it's just application-services, and your 25 lines does the work of 3k lines, that may be reduced risk. If other repos need it, maybe package your 25 lines as an action?)
Thanks!
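The review question running through this thread (is a third-party action on the approved list, and how much unreviewed code does a workflow pull in) can be turned into a mechanical check that runs before a workflow is merged. The script below is an added example, not code from this bug, from application-services or from the Approved-GHE-add-ons list; the sample workflow text, the approved set and the first-party owner names in it are constructed placeholders. It also flags any action reference that is not pinned to a full commit SHA, since a mutable tag means the reviewed code and the code that runs can diverge.

```python
"""Audit the `uses:` references in a GitHub Actions workflow.

Added example (not part of the bug report or of application-services):
flags third-party actions that are not on an approved list, and any
action reference that is not pinned to a full commit SHA. The workflow
text, the approved list and the owner names below are constructed.
"""
import re

# Constructed sample workflow: one GitHub-owned action pinned by tag, one
# third-party action pinned by tag, one approved action pinned by commit
# SHA, one local composite action, and one hand-rolled shell step.
SAMPLE_WORKFLOW = """\
name: build-docs
on: [push]
jobs:
  docs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: android-actions/setup-android@v3
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - name: Install Android cmdline-tools by hand
        run: ./scripts/install-android-sdk.sh
"""

# Constructed approved list; a real one would be maintained the way the
# Approved-GHE-add-ons document referenced in this bug is.
APPROVED = {"some-org/some-action"}

# Owners whose actions this audit treats as first-party (an assumption).
FIRST_PARTY_OWNERS = {"actions", "github"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Return (action, ref) tuples for every `uses:` line.

    Local (`./`) and `docker://` references have no owner/repo@ref form
    and are returned with ref=None so callers can treat them separately.
    """
    refs = []
    for m in USES_RE.finditer(workflow_text):
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            refs.append((target, None))
            continue
        action, _, ref = target.partition("@")
        # Reduce a sub-path form (owner/repo/path@ref) to owner/repo.
        owner_repo = "/".join(action.split("/")[:2])
        refs.append((owner_repo, ref or ""))
    return refs


def audit_workflow(workflow_text, approved=APPROVED,
                   first_party=FIRST_PARTY_OWNERS):
    """Return a list of (action, reason) findings; an empty list is clean."""
    findings = []
    for action, ref in parse_uses(workflow_text):
        if ref is None:
            # Local composite actions live in the repo and get reviewed as
            # ordinary source; container images need image-level review.
            if action.startswith("docker://"):
                findings.append((action, "container image; review pinning separately"))
            continue
        owner = action.split("/")[0]
        if owner not in first_party and action not in approved:
            findings.append((action, "third-party action not on the approved list"))
        if not SHA_RE.match(ref):
            findings.append((action, f"not pinned to a full commit SHA (ref={ref!r})"))
    return findings


if __name__ == "__main__":
    for action, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{action}: {reason}")
```

Run against the constructed workflow it reports three findings: `actions/checkout` and `android-actions/setup-android` are pinned by tag rather than commit SHA, and `android-actions/setup-android` is additionally absent from the approved list. The hand-rolled `run:` step produces no finding because its script is repository source and goes through ordinary code review, which is the trade-off comment 8 describes.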
Comment 10 (Reporter) • 5 months ago
Great questions! I am also not an Android developer, but I needed to have the Android SDK installed to build documentation.
- I checked and I couldn't find any pre-used Android workflow. I think GitHub Actions is quite new to the company, and most of the CI runs with CircleCI.
- I am not sure if they will right now. Since we are moving more to GitHub Actions in the future, I am certain others will run into the same issue.
But for now, I am fine with keeping our hand-rolled Android SDK installation. Once more teams need the same, we can think about packaging it up into our own GH Action workflow.
Comment 11 • 5 months ago
Bastian: Thanks! Sounds like a plan.
For future reference, it looks like we've used the shortcut method in the past, although almost all Android builds are done via Taskcluster (code search).
Closing for now.