oxsecurity / megalinter

🦙 MegaLinter analyzes 50 languages, 22 formats, 21 tooling formats, excessive copy-pastes, spelling mistakes and security issues in your repository sources with a GitHub Action, other CI tools or locally.
https://megalinter.io
GNU Affero General Public License v3.0

Template mega-linter.yml does not work on private github org which allows only actions from verified creators #3846

Closed Jiri-Stary closed 1 month ago

Jiri-Stary commented 1 month ago

Describe the bug

peter-evans/create-pull-request@v6 and stefanzweifel/git-auto-commit-action@v4 are not allowed to be used in [github organization name]

To Reproduce

  1. add the template mega-linter.yml to repository in private github org
  2. the repo belongs to organization which is setup to only allow actions from verified creators
  3. the template fails on included actions which are not from verified creators

Expected behavior

Have a way to auto-create pull requests with this limitation

nvuillam commented 1 month ago

@Jiri-Stary unfortunately we are not the authors of such actions.

Dear @peter-evans, @stefanzweifel, by any chance is it in your roadmap to apply to GitHub Publisher Verification? :)

Meanwhile @Jiri-Stary you have no other choice than commenting out these steps :/

stefanzweifel commented 1 month ago

I would love to apply for Publisher Verification, but this is only available for organizations and not individual user accounts. Peter and I would have to migrate our actions to an organizations and then apply for Publisher Verification.

Repos can be transferred to other organizations, but I don't know if this would break existing workflows or if Actions is clever enough and would detect the redirects.

Edit: Seems GitHub would support the transfer natively in Actions: https://docs.github.com/en/actions/creating-actions/publishing-actions-in-github-marketplace#transferring-an-action-repository

peter-evans commented 1 month ago

The doc that @nvuillam linked to has a note at the top:

Note: This article applies to publishing apps in GitHub Marketplace only. For more information about publishing GitHub Actions in GitHub Marketplace, see "Publishing actions in GitHub Marketplace."

I think this is the relevant section about getting the blue check on actions:

Actions with the (blue check), or verified creator badge, indicate that GitHub has verified the creator of the action as a partner organization. Partners can email partnerships@github.com to request the verified creator badge.

As I understand it, this is not open to any/all organizations that apply for it. You need to have an existing partnership with GitHub. I could be wrong, but that's what I take from these docs and reading around a bit.

A possible workaround for orgs that restrict to verified actions is just to fork the action into the org and use your own version of it.

nvuillam commented 1 month ago

@stefanzweifel @peter-evans many thanks for your quick responses :)

@Jiri-Stary it seems that for now your best options are:

echoix commented 1 month ago

Maybe also manually commit and push, and use something like the gh cli to do the operations manually?

nvuillam commented 1 month ago

Maybe also manually commit and push, and use something like the gh cli to do the operations manually?

It's more work but indeed it will work too !
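The two workarounds proposed in this thread (peter-evans: fork the action into your own org; echoix: drop the action and do the commit, push and PR with git and the gh CLI) as one worked workflow. This is an added example, not the MegaLinter template and not code from any of the participants. Assumptions and placeholders: the org name `example-org`, the fork path `example-org/create-pull-request`, the 40-character commit SHA, and the simplified step condition (the real template gates on several `APPLY_FIXES*` variables). `steps.ml.outputs.has_updated_sources` is the MegaLinter action output that the template itself keys on; `git` and `gh` are preinstalled on GitHub-hosted runners. Keep only one of the two "Create Pull Request" steps.

```yaml
# Added example (not the MegaLinter template): mega-linter.yml for an org that only
# allows actions from verified creators plus actions owned by the org itself.
# Hypothetical: example-org, the fork path and its SHA, the step condition.
name: MegaLinter (verified-creators-only org)

on:
  push:
    branches-ignore: [main]
  pull_request:
    branches: [main]

permissions:
  contents: write        # push the fix commit on a new branch
  pull-requests: write   # open the PR with gh

jobs:
  megalinter:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # persisted credentials are what `git push` below authenticates with
          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
          fetch-depth: 0

      - name: MegaLinter
        id: ml
        uses: oxsecurity/megalinter@v7   # keep whatever ref the template you copied uses
        env:
          APPLY_FIXES: all
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Option A (peter-evans): an org-owned fork of the action, allowed because it is
      # owned by the org. Pin to a full commit SHA you have reviewed, never a mutable tag:
      # the fork moves supply-chain trust for this action from upstream to your org.
      - name: Create Pull Request with applied fixes (org-owned fork)
        if: steps.ml.outputs.has_updated_sources == 1 && github.event_name == 'push'
        uses: example-org/create-pull-request@0123456789abcdef0123456789abcdef01234567  # hypothetical
        with:
          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
          commit-message: "[MegaLinter] Apply linters automatic fixes"
          title: "[MegaLinter] Apply linters automatic fixes"

      # Option B (echoix): no third-party action at all. Commit, push and open the PR
      # with git and the gh CLI in a plain `run:` step.
      - name: Create Pull Request with applied fixes (git + gh)
        if: steps.ml.outputs.has_updated_sources == 1 && github.event_name == 'push'
        env:
          GH_TOKEN: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}   # gh reads this for auth
          BASE: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          branch="megalinter-fixes/${GITHUB_SHA::8}"
          git config user.name  "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git checkout -b "$branch"
          git add -A
          git commit -m "[MegaLinter] Apply linters automatic fixes"
          git push -u origin "$branch"
          gh pr create --base "$BASE" --head "$branch" \
            --title "[MegaLinter] Apply linters automatic fixes" \
            --body "Automatic fixes applied by MegaLinter on ${GITHUB_SHA}."
```

Two caveats apply to either option. A PR created with the default `GITHUB_TOKEN` does not trigger other workflows on that PR (the same limitation create-pull-request documents), so pass a PAT via `secrets.PAT` if you need CI to run on the fix branch. And forking an action only removes the "unverified creator" block; it does not make the code safer, so review the fork at the pinned SHA and re-review before bumping it.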