In a blog post yesterday, GitHub announced a change in functionality for GitHub Actions. The intention of this is to help cut down on the abuse of GitHub Actions to mine cryptocurrency like Bitcoin. There’s a reasonable explanation of how this happens, e.g., here.
The main impact for us is this:
[P]ull requests from first-time contributors will require manual approval from a repository collaborator with write access before any Actions workflows run.
Fortunately, this year at least, we’re past the period where GSoC students are just joining the community, which is, generally speaking, when we get the highest volume of new contributors. However, it is something we should be aware of moving forward, especially as this probably puts some burden on /dev/3s and higher (i.e., those with commit access to our repos) to ensure that we allow these builds so that community members will have access to test reports, coverage reports, and other build information when reviewing PRs.
Although I haven’t noticed anyone trying to abuse any of the OMRS CI for cryptomining, it’s also worthwhile to be on the lookout for PRs that adjust the CI builds and that are not from trusted community members.