Open Bug 2009752 Opened 1 day ago Updated 21 hours ago

Assess use of external action peter-evans/create-pull-request in Mozilla's GitHub organization mozillasecurity

Categories

(mozilla.org :: Github: Administration, task)

Tracking

(Not tracked)

People

(Reporter: jkratzer, Assigned: cknowles, NeedInfo)

Details

I want to use the create-pull-request App/Action in MozillaSecurity for the following reasons:
We have several repositories that rely on static data that is routinely updated. This is currently handled via Taskcluster hooks, but due to the removal of NPM classic tokens, we would like to move this to a GitHub workflow.

Below are my answers to your stock questions:

** Which repositories do you want to have access? (all or list)
https://github.com/MozillaSecurity/gridl/
https://github.com/MozillaSecurity/gr.css.reports

** Are any of those repositories private?
Both are private.

** Provide link to vendor's description of permissions needed and why, or general documentation link for either the app or action
https://github.com/marketplace/actions/create-pull-request

Updated title to better reflect the request for the peter-evans/create-pull-request action to be enabled in the mozillasecurity org.

Verified that this action is not in the list of pre-approved actions - and thus referring to security to review and ask questions.

Clovis/Sandeep - questions/comments/approvals?

Assignee: nobody → cknowles
Flags: needinfo?(sseehra)
Flags: needinfo?(cfoji)
Summary: Assess use of external addon NAME_HERE in Mozilla's GitHub organization ORG_NAME_HERE → Assess use of external action peter-evans/create-pull-request in Mozilla's GitHub organization mozillasecurity

@jkratzer does this action also include "Auto-merge" functionality? Is there any way to disable that feature?

Flags: needinfo?(sseehra)
Flags: needinfo?(jkratzer)
Flags: needinfo?(cfoji)