GitHub Actions and First Time Committers


In a blog post yesterday, GitHub announced a change in functionality for GitHub Actions. The intention of this is to help cut down on the abuse of GitHub Actions to mine cryptocurrency like Bitcoin. There’s a reasonable explanation of how this happens, e.g., here.

The main impact for us is this:

[P]ull requests from first-time contributors will require manual approval from a repository collaborator with write access before any Actions workflows run.

Fortunately, this year at least, we’re past the period where GSoC students are just joining the community, which is, generally speaking, when we get the highest volume of new contributors. However, it is something we should be aware of moving forward, especially as this probably puts some burden on /dev/3s and higher (i.e., those with commit access to our repos) to ensure that we allow these builds so that community members will have access to test reports, coverage reports, and other build information when reviewing PRs.

Although I haven’t noticed anyone trying to abuse any of the OMRS CI for cryptomining, it’s also worthwhile to be on the lookout for PRs that adjust the CI builds and that are not from trusted community members.

@dev3 @dev4 @dev5

10 Likes
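As an added illustration of the check suggested in the post above (this is example code, not code from the original post or from OpenMRS itself), the script below triages pull requests the way a /dev/3+ might before approving a workflow run: it flags PRs that come from an author without a trusted repository role and that touch files which change what CI executes. The file patterns and the sample PRs are constructed for the example; the author_association values are the ones GitHub's pull request API reports.

```python
import fnmatch
from dataclasses import dataclass, field


# Paths whose modification changes what the CI pipeline runs.
# The .github/ entries are GitHub Actions' own locations; the build
# files are assumed for a Maven/Node project and would be tuned per repo.
CI_SENSITIVE_PATTERNS = (
    ".github/workflows/*",
    ".github/actions/*",
    "Jenkinsfile",
    ".travis.yml",
    "pom.xml",
    "*/pom.xml",
    "package.json",
    "*.sh",
)

# author_association values from GitHub's API that denote write access.
TRUSTED_ASSOCIATIONS = {"OWNER", "MEMBER", "COLLABORATOR"}

# Associations for which GitHub now withholds workflow runs until approved.
FIRST_TIME_ASSOCIATIONS = {"FIRST_TIME_CONTRIBUTOR", "FIRST_TIMER", "NONE"}


@dataclass
class PullRequest:
    number: int
    author: str
    author_association: str          # as reported by the pulls API
    changed_files: list = field(default_factory=list)


def ci_sensitive_files(paths):
    """Return the subset of changed paths that can alter the CI build."""
    return sorted(
        p for p in paths
        if any(fnmatch.fnmatch(p, pat) for pat in CI_SENSITIVE_PATTERNS)
    )


def triage(pr):
    """Decide whether a PR needs a careful look before its workflows are approved.

    Returns (needs_manual_review, reason).
    """
    sensitive = ci_sensitive_files(pr.changed_files)
    if pr.author_association in TRUSTED_ASSOCIATIONS:
        return False, "author has write access; normal review"
    if sensitive:
        # An untrusted author changing the pipeline definition is exactly the
        # case the post asks reviewers to watch for.
        return True, "CI-affecting changes from untrusted author: " + ", ".join(sensitive)
    if pr.author_association in FIRST_TIME_ASSOCIATIONS:
        return True, "first-time contributor: workflows will not run until approved"
    return False, "known contributor, no CI changes"


# Constructed sample PRs (not real OpenMRS pull requests).
SAMPLE_PRS = [
    PullRequest(1, "newdev", "FIRST_TIME_CONTRIBUTOR",
                ["api/src/main/java/org/openmrs/Foo.java", ".github/workflows/build.yml"]),
    PullRequest(2, "newdev2", "FIRST_TIME_CONTRIBUTOR",
                ["api/src/main/java/org/openmrs/Bar.java"]),
    PullRequest(3, "maintainer", "MEMBER",
                [".github/workflows/build.yml"]),
    PullRequest(4, "regular", "CONTRIBUTOR",
                ["README.md"]),
]


def triage_all(prs=SAMPLE_PRS):
    """Map PR number -> (needs_manual_review, reason) for a batch of PRs."""
    return {pr.number: triage(pr) for pr in prs}


if __name__ == "__main__":
    for number, (flag, reason) in triage_all().items():
        print(f"PR #{number}: {'REVIEW' if flag else 'ok    '} - {reason}")
```

Because a workflow triggered by the `pull_request` event runs the workflow file as it exists in the PR branch, a change under `.github/workflows/` from an unknown author is the change most worth reading line by line before clicking approve; the script only surfaces it, the human review is still the control.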

Thanks @ibacher for bringing this up.

Thanks @ibacher !

Would this be something beyond the normal step of reviewing, approving, and merging a first-time contributors PR?

I think the downside for us (and first-time contributors) will be that automated tests won’t run to provide feedback to the committer that their PR is good (tests passing). Similarly, we won’t be able to tell whether or not a new PR is ready for review until those tests are run. A /dev/3+ will need to “touch” each PR request or change to a PR request every time before the tests will run. :confused:

2 Likes

Thanks for sharing this @ibacher