rust-unofficial / patterns

A catalogue of Rust design patterns, anti-patterns and idioms
https://rust-unofficial.github.io/patterns/
Mozilla Public License 2.0

Replace external actions in CI #244

Closed. simonsan closed this 1 year ago.

simonsan commented 3 years ago

As preparation for a possible inclusion into rust-lang we should replace the external actions we use with e.g. scripts that do the same.

https://github.com/rust-lang/std-dev-guide/pull/7#issuecomment-770317395

That PR also shows how that could be done: https://github.com/rust-lang/std-dev-guide/pull/7/files

MarcoIeni commented 3 years ago

I think I would do it only immediately before moving the book under rust-lang. Implementing all the actions by ourselves means that we have to maintain them in the meantime. For now we can save that effort.

Furthermore, I am not sure that all the repositories under rust-lang are not using external actions. This is just an example. We need to ask clarifications about this.

So for the moment I would close this issue.

simonsan commented 3 years ago

I think it's actually important to not close this. Also, in the PR I did, I showed how to do it without external actions. We don't need to reimplement actions ourselves. A bit of copy & pasting from the PR and a bit of our own work and this should be fine.

MarcoIeni commented 3 years ago

Yeah, the problem with copy pasting is that you have to maintain it. From a security point of view, what's the difference with fixing the version of the github action with the release version or the commit hash for example?

simonsan commented 3 years ago

From a security point of view, what's the difference with fixing the version of the github action with the release version or the commit hash for example?

I don't understand that question, could you rephrase it please? I mean, a GitHub action has access to environment variables; if this makes it into rust-lang, they will surely want to keep track of which actions have access to these and that there are no malicious ones among them. To check/code review each of those actions is also a bit much, no?

MarcoIeni commented 2 years ago

I don't understand that question, could you rephrase it please?

Isn't copy pasting source code the same as using a specific commit?
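The thread above turns on whether a third-party action is "pinned" enough by a release tag or only by a commit hash. A tag (`@v4`, `@main`) is a mutable reference the action's owner can move, so a later workflow run may execute different code than the one reviewed; a full 40-hex-digit commit SHA is immutable. The following script is an added example, not CI code from rust-unofficial/patterns or rust-lang: it scans a GitHub Actions workflow file for `uses:` references and reports every one that is not pinned to a full commit SHA. The sample workflow it creates is constructed for the demonstration; the function name `unpinned_uses` and the report labels (`mutable-ref`, `unversioned`, `docker-image`) are this example's own choices.

```shell
#!/bin/sh
# Added example (not the project's own CI): find `uses:` references in a
# GitHub Actions workflow that are not pinned to a full 40-hex-digit commit SHA.

# unpinned_uses FILE
#   Prints one line per reference that is not SHA-pinned, in the form
#   "<kind> <reference>", and exits 1 if any was found, 0 if all are pinned.
#   Local actions (./path) need no pinning and are skipped.
unpinned_uses() {
    awk -v sq="'" '
        # Match both `uses:` and `- uses:` lines; the reference is the next field,
        # so a trailing "# v4.1.1" comment is already separated off.
        $1 == "uses:" || ($1 == "-" && $2 == "uses:") {
            ref = ($1 == "uses:") ? $2 : $3
            gsub(/"/, "", ref); gsub(sq, "", ref)          # strip surrounding quotes
            if (ref ~ /^\.\//) next                         # action in this repo: nothing to pin
            if (ref ~ /^docker:\/\//) {                     # image refs need a digest, not a tag
                print "docker-image " ref; bad = 1; next
            }
            n = split(ref, parts, "@")
            tag = (n > 1) ? parts[n] : ""
            if (tag ~ /^[0-9a-f]+$/ && length(tag) == 40) next   # full commit SHA: pinned
            kind = (tag == "") ? "unversioned" : "mutable-ref"
            print kind " " ref
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# make_sample_workflow
#   Writes a constructed workflow (not taken from any real repository) to a
#   temporary file and prints its path, so the check can be run offline.
make_sample_workflow() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Pinned to a commit SHA; the comment records the tag it was taken from.
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      # Pinned only to a release tag, which the owner can move.
      - uses: actions/checkout@v4
      # Pinned to a branch, which moves on every push.
      - uses: dprint/check@main
      # Local composite action, versioned together with this repository.
      - uses: ./.github/actions/local-thing
      # Plain script step instead of an external action.
      - name: build the book
        run: cargo install mdbook && mdbook build
EOF
    echo "$tmp"
}

# Stand-alone run: scan the constructed sample, then every workflow in a checkout.
sample=$(make_sample_workflow)
unpinned_uses "$sample" || echo "unpinned references found in sample"
rm -f "$sample"
for wf in .github/workflows/*.yml .github/workflows/*.yaml; do
    [ -f "$wf" ] || continue
    unpinned_uses "$wf" || echo "unpinned references found in $wf"
done
```

Run it from the repository root; a non-zero exit from `unpinned_uses` is what a CI gate would key on. Note that a SHA pin is not a substitute for review: it only guarantees that the reviewed code is what runs, which is the same guarantee copy-pasting the script into the repository gives, with the difference that a pinned SHA must be bumped by hand to receive fixes, while an in-repo script is updated by the project itself.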

simonsan commented 1 year ago

I think with installing mdbook and other dependencies from scratch via Cargo, the only external GH actions we pull in are either from GH themselves, dprint or the markdown-link-check. With that being said, I think we can close this issue, as we have already toned it down quite well.