git@vger.kernel.org mailing list mirror (one of many)
* Random GitHub Actions added to git/git???
@ 2021-04-20  0:29 Junio C Hamano
From: Junio C Hamano @ 2021-04-20  0:29 UTC (permalink / raw)
  To: Jeff King, Taylor Blau; +Cc: git

This is only of interest to those who interact with the mirror of
the public repository at GitHub, but anyway.

I was browsing https://github.com/git/git/actions and noticed that
there are many "workflows", even though what we have in our source
tree in .github/workflows/ defines only two of them (which I consider
"officially sanctioned ones").

I suspect that these other ones come from "pull requests" random
people threw at us that never hit our tree, with changes to the
.github/workflows/ directory in these PRs.

I find them quite distracting.

Is this something the hosting site (GitHub) considers normal and
helpful to the projects they host?  Is there an easy knob to disable
those other than what we have in our tree?

Thanks.


* Re: Random GitHub Actions added to git/git???
From: Taylor Blau @ 2021-04-20  0:41 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: Jeff King, Taylor Blau, git

On Mon, Apr 19, 2021 at 05:29:36PM -0700, Junio C Hamano wrote:
> I suspect that these other ones come from "pull requests" random
> people threw at us that never hit our tree, with changes to the
> .github/workflows/ directory in these PRs.
>
> I find them quite distracting.

That's what I'd expect, too, but I'm not sure. I asked the people who
would know, and I'll reply back here once I have an answer.

> Thanks.

Thanks,
Taylor


* Re: Random GitHub Actions added to git/git???
From: Bagas Sanjaya @ 2021-04-20  9:48 UTC (permalink / raw)
  To: Junio C Hamano, Jeff King, Taylor Blau; +Cc: git

On 20/04/21 07.29, Junio C Hamano wrote:
> I was browsing https://github.com/git/git/actions and noticed that
> there are many "workflows", even though what we have in our source
> tree in .github/workflows/ define only two of them (which I consider
> "officially sanctioned ones").
> 
> I suspect that these other ones come from "pull requests" random
> people threw at us that never hit our tree, with changes to the
> .github/workflows/ directory in these PRs.

They are Actions jobs triggered by GitGitGadget PRs. For example,
job [1] corresponds to patchset [2].

[1]: https://github.com/git/git/actions/runs/763138085
[2]: https://lore.kernel.org/git/pull.847.v7.git.git.1618832276.gitgitgadget@gmail.com/

-- 
An old man doll... just what I always wanted! - Clara


* Re: Random GitHub Actions added to git/git???
From: Johannes Schindelin @ 2021-04-20 15:51 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: Jeff King, Taylor Blau, git

Hi Junio,

On Mon, 19 Apr 2021, Junio C Hamano wrote:

> I was browsing https://github.com/git/git/actions and noticed that
> there are many "workflows", even though what we have in our source
> tree in .github/workflows/ define only two of them (which I consider
> "officially sanctioned ones").

If you are referring to the "Codacy Security Scan" things and the like, I
saw them, too, and I think it was a single contributor who opened PRs
adding those workflows.

If you click on one of them (such as above-mentioned "Codacy Security
Scan"), you will see that "This workflow run has been marked as
disruptive" (see for yourself at
https://github.com/git/git/actions/workflows/codacy-analysis.yml).

It is a bit sad that those are still shown at all, but I think it's just a
matter of time until they vanish.

Ciao,
Dscho


* Re: Random GitHub Actions added to git/git???
From: Johannes Schindelin @ 2021-04-20 15:55 UTC (permalink / raw)
  To: Bagas Sanjaya; +Cc: Junio C Hamano, Jeff King, Taylor Blau, git

Hi Bagas,

On Tue, 20 Apr 2021, Bagas Sanjaya wrote:

> On 20/04/21 07.29, Junio C Hamano wrote:
> > I was browsing https://github.com/git/git/actions and noticed that
> > there are many "workflows", even though what we have in our source
> > tree in .github/workflows/ define only two of them (which I consider
> > "officially sanctioned ones").
> >
> > I suspect that these other ones come from "pull requests" random
> > people threw at us that never hit our tree, with changes to the
> > .github/workflows/ directory in these PRs.
>
> They are Actions jobs triggered by GitGitGadget PRs.

No, they are not. From GitGitGadget's own home page at
https://gitgitgadget.github.io/:


	But... what is GitGitGadget?

	GitGitGadget itself is a GitHub App that is backed by an Azure
	Function written in pure Javascript which in turn triggers an
	Azure Pipeline written in Typescript (which is really easy to
	understand and write for everybody who knows even just a little
	Javascript), maintained at
	https://github.com/gitgitgadget/gitgitgadget.

In other words, GitGitGadget uses Azure Pipelines, not GitHub Actions.

> For example, job [1] corresponds to patchset [2].
>
> [1]: https://github.com/git/git/actions/runs/763138085

This has nothing to do with GitGitGadget, it is the regular
`check-whitespace.yml` check from our very own
`.github/workflows/check-whitespace.yml`.

Ciao,
Johannes

> [2]:
> https://lore.kernel.org/git/pull.847.v7.git.git.1618832276.gitgitgadget@gmail.com/



* Re: Random GitHub Actions added to git/git???
From: Taylor Blau @ 2021-04-20 16:23 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: Jeff King, git

On Mon, Apr 19, 2021 at 08:41:32PM -0400, Taylor Blau wrote:
> On Mon, Apr 19, 2021 at 05:29:36PM -0700, Junio C Hamano wrote:
> > I suspect that these other ones come from "pull requests" random
> > people threw at us that never hit our tree, with changes to the
> > .github/workflows/ directory in these PRs.
> >
> > I find them quite distracting.
>
> That's what I'd expect, too, but I'm not sure. I asked the people who
> would know, and I'll reply back here once I have an answer.

The answer is that every workflow that was run in either (a) any branch
of a repository, or (b) in any pull requests against that repository
will show up in that list.

As Dscho noted lower in the thread, all of the ones on git/git are spam.
From my conversation with the Actions folk, it sounds like we don't hide
these currently, but they are planning on doing it soon. So they will
disappear eventually, but not before it's implemented.

Hope that helps.

Thanks,
Taylor


* Re: Random GitHub Actions added to git/git???
From: Junio C Hamano @ 2021-04-20 20:23 UTC (permalink / raw)
  To: Johannes Schindelin; +Cc: Jeff King, Taylor Blau, git

Johannes Schindelin <Johannes.Schindelin@gmx.de> writes:

> If you click on one of them (such as above-mentioned "Codacy Security
> Scan"), you will see that "This workflow run has been marked as
> disruptive" (see for yourself at
> https://github.com/git/git/actions/workflows/codacy-analysis.yml).

Yes, I was the one who "manually disabled" some of them.  I did not
find how to mark them "as disruptive", though.

How well are our refs protected from these random "Actions"?  Can
somebody spam us with a pull request with a new "workflow" that
advances one of our integration branches ;-)?




* Re: Random GitHub Actions added to git/git???
From: Johannes Schindelin @ 2021-04-21 12:38 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: Jeff King, Taylor Blau, git

Hi Junio,

On Tue, 20 Apr 2021, Junio C Hamano wrote:

> Johannes Schindelin <Johannes.Schindelin@gmx.de> writes:
>
> > If you click on one of them (such as above-mentioned "Codacy Security
> > Scan"), you will see that "This workflow run has been marked as
> > disruptive" (see for yourself at
> > https://github.com/git/git/actions/workflows/codacy-analysis.yml).
>
> Yes, I was the one who "manually disabled" some of them.  I did not
> find how to mark them "as disruptive", though.
>
> How well are our refs protected from these random "Actions"?  Can
> somebody spam us with a pull request with a new "workflow" that
> advances one of our integration branches ;-)?

The GITHUB_TOKEN that is used by the GitHub workflows is generated in two
ways, depending on whether a PR originated from the same repository or from
a fork. If it came from a fork, the token has only read permissions.

So I'd say we're still safe.

Ciao,
Dscho


* Re: Random GitHub Actions added to git/git???
From: Junio C Hamano @ 2021-04-21 23:05 UTC (permalink / raw)
  To: Johannes Schindelin; +Cc: Jeff King, Taylor Blau, git

Johannes Schindelin <Johannes.Schindelin@gmx.de> writes:

> On Tue, 20 Apr 2021, Junio C Hamano wrote:
>
>> How well are our refs protected from these random "Actions"?  Can
>> somebody spam us with a pull request with a new "workflow" that
>> advances one of our integration branches ;-)?
>
> The GITHUB_TOKEN that is used by the GitHub workflows is generated in two
> ways, depending on whether a PR originated from the same repository or from
> a fork. If it came from a fork, the token has only read permissions.
>
> So I'd say we're still safe.

Yeah, their blog post came to my inbox, which was quite timely, this
morning ;-).

https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
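Dscho's point about the fork token being read-only and the changelog Junio links (workflow-level control of GITHUB_TOKEN permissions) can be turned into a repository check. The script below is an added example, not code from git/git or from GitHub: a dependency-free, line-based audit that flags workflow files whose top-level `permissions:` key is missing, is `write-all`, or grants any `write` scope, so that runs from the repository's own branches cannot quietly carry a token that can push refs. The sample workflow texts are constructed for the example; the check only understands the common shapes of the key, it is not a YAML parser.

```python
"""Audit GitHub Actions workflows for GITHUB_TOKEN permission scoping (added example)."""
import re
from pathlib import Path

# Constructed sample workflows for this example (not git/git's real files).
WORKFLOW_DEFAULT = """\
name: check-whitespace
on: [pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
"""

WORKFLOW_HARDENED = """\
name: check-whitespace
on: [pull_request]
permissions:
  contents: read   # token can fetch the tree but cannot update refs
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
"""

def audit_workflow(text: str) -> list:
    """Return findings for one workflow's text; an empty list means it is scoped down."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(.*?)\s*(#.*)?$", line)  # top-level key only
        if not m:
            continue
        value = m.group(1)
        if value == "write-all":
            return ["workflow-level permissions: write-all grants every scope"]
        findings = []
        if value == "":  # mapping form: inspect the indented child scopes
            for child in lines[i + 1:]:
                if not child.strip():
                    continue
                if not child[0].isspace():
                    break
                cm = re.match(r"^\s+([\w-]+):\s*(\w+)", child)
                if cm and cm.group(2) == "write":
                    findings.append(f"scope {cm.group(1)} is writable")
        return findings  # "read-all", "{}" and read-only mappings produce no findings
    return ["no workflow-level permissions: key; token falls back to the repository default"]

def audit_workflows_dir(workflows_dir: str) -> dict:
    """Audit every *.yml under a .github/workflows directory; returns {file name: findings}."""
    return {p.name: audit_workflow(p.read_text()) for p in Path(workflows_dir).glob("*.yml")}
```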


