Closed Bug 1917045 Opened 5 months ago Closed 5 months ago

Assess use of external addon android-actions/setup-android in Mozilla's GitHub organization application-services

Categories

(mozilla.org :: Github: Administration, task)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: bgruber, Unassigned)

Details

I want to use the android-actions/setup-android addon in mozilla/application-services for the following reasons:

We need to build Android/Kotlin documentation via the CI/CD workflow. We need to install the Android toolkit to generate the documentation with Dokka.

Below are my answers to your stock questions:

** Which repositories do you want to have access? (all or list)
application-services

** Are any of those repositories private?
No

** Provide link to vendor's description of permissions needed and why
https://github.com/android-actions/setup-android

** Provide the Install link for a GitHub app
https://github.com/android-actions/setup-android

NOTE

Think of this as you would any 3rd party source inclusion into a shipping product, including all the considerations here.

Alright, this is not a previously approved action in the https://github.com/MoCo-GHE-Admin/Approved-GHE-add-ons/blob/main/GitHub_Actions.md list, so we need security to take a look and weigh in with questions/concerns.

Hal, Clovis, Antony - please take a look, ask any needed questions.

Flags: needinfo?(hwine)
Flags: needinfo?(cfoji)
Flags: needinfo?(anrivera)

Thanks Chris! Just FYI, I am not stuck on this particular Android action. So if we in the past approved alternative Android actions, I am fine with them too.

I don't see anything in that list with "Android" in it - so whatever the path - it'd likely need the security scrutiny.

Hey Chris! Is there an ETA on this one? I might have to find a workaround if the security screening takes longer and then add the action after if it is approved!

I'll remind security folk about this - and it's on the github team agenda to mention today. But I have no information as to timing.

(In reply to Bastian Gruber from comment #0)

> I want to use the android-actions/setup-android addon in mozilla/application-services for the following reasons:
>
> We need to build Android/Kotlin documentation via the CI/CD workflow. We need to install the Android toolkit to generate the documentation with Dokka.
>
> Below are my answers to your stock questions:
>
> ** Which repositories do you want to have access? (all or list)
> application-services
>
> ** Are any of those repositories private?
> No
>
> ** Provide link to vendor's description of permissions needed and why
> https://github.com/android-actions/setup-android
>
> ** Provide the Install link for a GitHub app
> https://github.com/android-actions/setup-android
>
> NOTE
>
> Think of this as you would any 3rd party source inclusion into a shipping product, including all the considerations here.

@Bastian Gruber
i looked at https://github.com/android-actions/setup-android but did not find the permissions which the action is using, can you point me to the specific section describing the permissions?

Flags: needinfo?(cfoji)

Setting the Needinfo field for Bastian - Bugzilla doesn't do @ notices.

Flags: needinfo?(bgruber)

There are no special permissions needed. Instead of using the action, I manually created the step: https://github.com/mozilla/application-services/blob/main/.github/workflows/build-docs.yaml#L98-L123

The repository has a 3k+ LOC JavaScript file, one might have to go through to check what it is doing exactly?

So if this is a blocker, we can work around that with a manual installation for Android.

Flags: needinfo?(bgruber)
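The permissions question above has no answer in the action's repository because a GitHub Action never declares token permissions itself: it runs with whatever GITHUB_TOKEN permissions, secrets and environment the calling job exposes, so the review has to look at the workflow rather than at action.yml. The following script is an added example, not code from the bug or from mozilla/application-services, and not a Mozilla approval tool. It lints a workflow for the two things a reviewer of a third-party action most wants to see: every `uses:` pinned to a full 40-character commit SHA instead of a mutable tag, and an explicit `permissions:` block so the token is not left at the repository default. The sample workflows are constructed; `example-org/pinned-action` and the SHA in it are placeholders, and the regex parsing assumes the usual one-`uses:`-per-line layout rather than every valid YAML form.

```python
"""
Added example: a dependency-free lint for GitHub Actions workflows.

Flags (1) third-party actions referenced by tag or branch rather than a
full commit SHA, and (2) the absence of an explicit permissions: block.
Neither property is visible in the action's own action.yml; both are set
by the workflow that calls it.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERMS_RE = re.compile(r"^\s*permissions:\s*(.*)$")


def parse_uses(workflow_text):
    """Return (action, ref) pairs for every GitHub-hosted `uses:` line."""
    found = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1).strip("'\"")
        # Local (./path) and container (docker://) actions are out of scope here.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        found.append((action, ref))
    return found


def unpinned_actions(workflow_text):
    """Actions whose ref is not a full commit SHA (tags and branches can move)."""
    return [f"{action}@{ref}"
            for action, ref in parse_uses(workflow_text)
            if not SHA_RE.match(ref)]


def has_explicit_permissions(workflow_text):
    """True if a permissions: block is declared at workflow or job level."""
    return any(PERMS_RE.match(line) for line in workflow_text.splitlines())


# Constructed sample: tag-pinned actions, no permissions block.
WEAK_WORKFLOW = """\
name: docs
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: android-actions/setup-android@v3
      - run: ./gradlew dokkaHtml
"""

# Constructed hardened variant: least-privilege token, SHA-pinned actions
# (the SHA is a placeholder, not a real commit of either action).
HARDENED_WORKFLOW = """\
name: docs
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567  # v1
      - run: ./gradlew dokkaHtml
"""


def report(workflow_text):
    """Human-readable findings for one workflow."""
    lines = [f"unpinned action: {a}" for a in unpinned_actions(workflow_text)]
    if not has_explicit_permissions(workflow_text):
        lines.append("no permissions: block; GITHUB_TOKEN uses the repository default")
    return lines


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {report(text) or ['ok']}")
```

A SHA pin only freezes the code you reviewed; keep a version comment beside it so the pin can be bumped deliberately, and note that the lint says nothing about what a pinned action does internally, which is why a large bundled JavaScript file still warrants a read before approval.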

Bastian - a couple of questions that might simplify the scope for us. I'm not an Android developer, so these may be silly questions.

  • We build lots of android products (granted, many in Taskcluster) -- how are the GitHub built products handling this? (i.e. any reason not to do what they've done?)

  • Are there any other repos that will need this behavior? (If it's just application-services, and your 25 lines do the work of 3k lines, that may be reduced risk. If other repos need it, maybe package your 25 lines as an action?)

Thanks!

Flags: needinfo?(hwine) → needinfo?(bgruber)

Great questions! I am also not an Android developer, but I needed to have the Android SDK installed to build documentation.

  • I checked and I couldn't find any previously used Android workflow. I think GitHub Actions is quite new to the company, and most of the CI runs with CircleCI.

  • I am not sure if they will right now. Since we are moving more to GitHub Actions in the future, I am certain others will run into the same issue.

But for now, I am fine with keeping our hand rolled Android SDK installation. Once more companies need the same, we can think about packaging it up into our own GH Action Workflow.

Flags: needinfo?(bgruber)

Bastian: Thanks! Sounds like a plan

For future reference, it looks like we've used the shortcut method in the past -- although almost all android builds are done via taskcluster. code search

Closing for now.

Status: NEW → RESOLVED
Closed: 5 months ago
Flags: needinfo?(anrivera)
Resolution: --- → WONTFIX