Assess use of external action `astral-sh/setup-uv` in Mozilla's GitHub organization `mozilla`
Categories: mozilla.org :: Github: Administration, task
Tracking: Not tracked
People: Reporter: flod, Assigned: cknowles
Details
I would like to use the astral-sh/setup-uv action in mozilla for the following reasons:
- uv provides better performance when installing Python packages compared to pip, and reduces the number of dependencies, as it replaces pip, pip-compile (from pip-tools), and virtualenv.
- While there are other ways to install uv in a GitHub workflow, this action has the added benefit of directly providing a cache system.
Which repositories do you want to have access?
https://github.com/mozilla/pontoon
Potentially other l10n-related repositories once we have had a chance to test it extensively.
Are any of those repositories private?
No
Provide link to vendor's description of permissions needed and why
The action's code is here: https://github.com/astral-sh/setup-uv/tree/main
Astral is the company behind Ruff (Python linter), which is already used in mozilla-central.
The bug where uv was discussed is bug 1881301.
Comment 1 • 1 year ago • Assignee
As this action isn't in the list of pre-approved actions here, I need to refer this to security so they can take a look and approve.
Clovis/Antony, please take a look, ask any questions, and if approved, please let us know the specific action string approved, as well as if the plan is to add it to the pre-approved list.
@cknowles, no concerns with this GitHub Action as well. Did a couple of vulnerability scans to double-check and the results are 0 vulnerabilities, so that's reassuring. Approved.
PR is at https://github.com/MoCo-GHE-Admin/Approved-GHE-add-ons/pull/71.
Approved string is astral-sh/setup-uv@*
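The approved string `astral-sh/setup-uv@*` allows any ref of the action, so a workflow may reference a mutable tag (`@v5`) or an immutable commit SHA. The script below is an added example, not Mozilla's tooling or part of this bug: it scans `uses:` lines in a workflow, checks each against an allowlist written in the same `owner/repo@*` format, and reports which approved references are not pinned to a full commit SHA. The workflow text is constructed, the 40-zero SHA is a placeholder, `example-org/unapproved-action` is a made-up name, and `enable-cache` is assumed to be the action's cache input (check the action's README before relying on it).

```python
import re
from dataclasses import dataclass

# The approved action string as recorded on this bug; "@*" means any ref of that action.
APPROVED_ACTIONS = ["astral-sh/setup-uv@*"]

# Placeholder commit SHA (constructed, not a real astral-sh/setup-uv commit).
PLACEHOLDER_SHA = "0" * 40

# Constructed sample workflow, not taken from the Pontoon repository.
# `enable-cache` is assumed to be the action's input that turns on its cache.
SAMPLE_WORKFLOW = f"""\
name: tests
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: astral-sh/setup-uv@v5
        with:
          enable-cache: true
      - uses: astral-sh/setup-uv@{PLACEHOLDER_SHA}  # placeholder SHA
      - uses: 'example-org/unapproved-action@v1'  # constructed, not a real action
      - run: uv sync
"""

# Matches a `uses:` step line, with or without quotes, and stops before any comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*[\"']?([^\s\"'#]+)", re.MULTILINE)
SHA_RE = re.compile(r"[0-9a-f]{40}")


@dataclass
class ActionRef:
    action: str          # owner/repo, possibly followed by a subdirectory
    ref: str             # tag, branch or commit SHA after the '@'
    approved: bool       # matches an allowlist entry
    pinned_to_sha: bool  # ref is a full 40-hex commit SHA


def parse_uses(value):
    """Split 'owner/repo[/path]@ref' into (action, ref); refs without '@' yield an empty ref."""
    if "@" not in value:
        return value, ""
    action, ref = value.rsplit("@", 1)
    return action, ref


def is_approved(action, ref, approved):
    """True if the top-level owner/repo matches an allowlist entry whose ref is '*' or equal."""
    top = "/".join(action.split("/")[:2])
    for entry in approved:
        entry_action, entry_ref = parse_uses(entry)
        if entry_action == top and entry_ref in ("*", ref):
            return True
    return False


def audit_workflow(yaml_text, approved=APPROVED_ACTIONS):
    """Return one ActionRef per external `uses:` reference in the workflow text."""
    findings = []
    for match in USES_RE.finditer(yaml_text):
        action, ref = parse_uses(match.group(1))
        if action.startswith(("./", "docker://")):
            continue  # local and container actions are outside the allowlist model
        findings.append(
            ActionRef(action, ref, is_approved(action, ref, approved), bool(SHA_RE.fullmatch(ref)))
        )
    return findings


def unapproved(findings):
    """References to actions that are not on the allowlist at all."""
    return [f for f in findings if not f.approved]


def unpinned(findings):
    """Approved references that use a mutable tag or branch instead of a commit SHA."""
    return [f for f in findings if f.approved and not f.pinned_to_sha]


if __name__ == "__main__":
    results = audit_workflow(SAMPLE_WORKFLOW)
    for f in results:
        print(f"{f.action}@{f.ref}: approved={f.approved} sha_pinned={f.pinned_to_sha}")
```

Run against the constructed workflow, the script flags `example-org/unapproved-action@v1` as not allowlisted and `astral-sh/setup-uv@v5` as approved but not SHA-pinned, while the SHA-pinned reference passes both checks.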
Comment 3 • 1 year ago • Assignee
Alright, I've added the action to Mozilla org - please reopen if there's a problem.