erlef / setup-beam

Set up your BEAM-based GitHub Actions workflow (Erlang, Elixir, Gleam, ...)
MIT License

Verify this action in GitHub Marketplace #238

Open petrus-jvrensburg opened 10 months ago

petrus-jvrensburg commented 10 months ago

Depending on a Github organization's security settings, access to actions may be restricted to ones that are "verified in the GitHub Marketplace". Otherwise the workflow exits with a message like:

Error: .github#L1
erlef/setup-beam@v1 is not allowed to be used in MyOrg/my-repo. Actions in this workflow must be: within a repository owned by MyOrg, created by GitHub, or verified in the GitHub Marketplace.

Would it be possible to get this action verified?

paulo-ferraz-oliveira commented 9 months ago

Related: https://github.com/erlef/setup-beam/issues/129

I'm still not sure how we'd go about a good process for this. I'm OK with 2FA, though.

@starbelly, thoughts?

starbelly commented 9 months ago

@paulo-ferraz-oliveira Oh, indeed we should get verified. I'll look into this tomorrow.

paulo-ferraz-oliveira commented 9 months ago

We need to:

(I'll keep following the thread)

paulo-ferraz-oliveira commented 8 months ago

For future ref: https://docs.github.com/en/apps/github-marketplace/github-marketplace-overview/about-marketplace-badges

There are bullet points there that we'd need to discuss on how to move forward.

petrus-jvrensburg commented 8 months ago

> For future ref: https://docs.github.com/en/apps/github-marketplace/github-marketplace-overview/about-marketplace-badges
>
> There are bullet points there that we'd need to discuss on how to move forward.

👆 Anyone against implementing this? Seems like low-hanging fruit IMHO. Would be great to remove this hurdle to BEAM adoption in corporate environments.

paulo-ferraz-oliveira commented 8 months ago

There are a couple of issues that we need to consider, e.g. I don't have (or at least I don't use) an erlef e-mail, and I'm (at the moment) one of the most active developers and reviewers for this action. I'm assuming such an email is required because of the conditions shown above (and in the documentation).

Am I against your proposal? No, but I still need to check with other people/devs, as this action has no "owner", it's maintained by some interested members of the EEF, me included.

Can I verify ownership of the domain? No, because 1. I don't know what domain we're talking about, 2. I don't own any domain 😄

If two-factor is required for the whole organisation, maybe this'll raise questions for many members. (Also, is this the member list we're talking about? I can release the action, for example, and I'm not part of the organisation - should I be?)

I do agree it seems like low-hanging fruit (but I did raise some questions, as you can see above), but on the other hand this has been requested now only twice, by two different people. Is it really hurdling adoption for the whole community (or those yet to adopt Erlang, which would be even more strange to understand)? The other time was here and it got a single 👍, as I stated in the comments.

Has this been discussed in the forums? Or Slack? Have you tried to join an EEF WG to bring it up, if it's causing issues? E.g. https://the-eef.slack.com/archives/CUQVCA5K8; maybe with more people involved you can get a better answer (I can't answer for this by myself) and more support for your requirement.

petrus-jvrensburg commented 8 months ago

Thanks for the feedback. Yes, I wasn't aware that the account ownership is unclear.

In general, verifying a GitHub organization is dead simple if you are the account owner and control the domain that you list on the organization's page (for https://github.com/erlef it is https://erlef.org/). It's just a matter of adding a DNS record.

Having a confirmed email address is also not something I would describe as difficult, if the organization's emails are working.

So the only remaining question is about enabling Two-Factor Authentication, which to me seems perfectly natural for the type of account that we're talking about. Yes, it would affect the list of members at https://github.com/orgs/erlef/people, but only those who do not already have 2FA activated on their personal accounts.

Either way... it affects anyone trying to set up a CI/CD pipeline for the first time at a company / org that has the security setting enabled to "restrict actions to ones that are verified in the GitHub Marketplace". From what I can see, the setting can only be flipped for the whole org, affecting all of the repos, which would probably be a no-go in most corporate environments. So my feeling is that not having this action is probably a barrier-to-entry for proof-of-concept / demo type work at bigger organizations, which is the scenario that I was in when raising the issue.

petrus-jvrensburg commented 8 months ago

P.S. In case it helps, here is a run-through that shows where the relevant settings can be found: https://ludwiguer.medium.com/add-a-verified-badge-to-your-github-organization-41391834a16a

tjarratt commented 7 months ago

Just chiming in that I too would love to use this action, but am currently blocked due to the security settings discussed in the description. This would be a real boon to my work.

starbelly commented 3 months ago

Hi all, we are in the process of verification now 🎉 The final verification request has been sent to GitHub, so we're merely waiting on their response 😄

petrus-jvrensburg commented 3 months ago

Awesome! Thanks for that 😁

paulo-ferraz-oliveira commented 3 months ago

The erlef org. is now Verified (https://github.com/erlef). That's a step in the right direction 😄

paulo-ferraz-oliveira commented 3 months ago

I tried publishing a new version of this to the Marketplace to see if it'd show as "creator-verified" but it didn't. I'm not sure there's a job running to identify this, or something else, but we might be missing some more actions, @starbelly.

On the other hand, @petrus-jvrensburg, could you run this under the initial conditions that got you to create the issue, and tell us how it went? (The doc. seems to indicate "Verified" in org. is different from "Verified" in action, but I tested this in another org. and I got ✅.)

starbelly commented 3 months ago

@paulo-ferraz-oliveira The domain is verified, but we are still waiting on overall verification which is a request to github. Presumably this is a manual job, as such I would not expect it to be complete until Monday.

Edit: There may be one other step as well. The articles linked to indicate that it's all related to apps vs actions. We needed to be verified regardless. That said, it links to this page: https://docs.github.com/en/actions/creating-actions/publishing-actions-in-github-marketplace , which states that if you want a badge you need to send an email to partnerships@. Since the docs are confusing, I will hold off on this last step until we are verified as a publisher.

starbelly commented 3 months ago

To note we are still waiting, I suppose if I don't hear back by tomorrow, I will send an email.

starbelly commented 3 months ago

Emailed :)

starbelly commented 3 months ago

Got a response. The next step, which I've asked someone else to fill out, is a form required for GitHub tech partners.

paulo-ferraz-oliveira commented 3 months ago

Good ol' human trust!

starbelly commented 3 months ago

The process for becoming a tech. partner (which is required for actions to be verified) has started.

paulo-ferraz-oliveira commented 3 months ago

Good ol' bureaucracy in the works...

paulo-ferraz-oliveira commented 1 week ago

@starbelly, did this ever move forward? Are we waiting for stuff on ErlEF's end or GitHub's?

starbelly commented 1 week ago

@paulo-ferraz-oliveira No, but thanks for the ping. I need to chase someone down.