-
-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dealing with workflow execution restriction following enforcement of more stringent security rules #256
Comments
Some questions:
Overall the "Read" permission is probably fine and low risk. It's more about guidelines for JupyterLab maintainers for how to manage that list. |
What about as soon as they open a second PR? So we don't add one shot contributors.
Definitely better to use a team as it is easier to manage and to audit for security.
That one is always tricky. We could set up a job like we do for the council with a rule like every six months, list regular contributors who haven't contribute in the last six months. Then we could remove those. |
Ah, I just saw that it is not only that non-members cannot invoke the update, but it cannot be invoked even by members on non-member PRs. I think this needs to be changed. For example see: jupyterlab/jupyterlab#16341 with https://github.com/jupyterlab/jupyterlab/actions/runs/10330748123/job/28600154607 |
Description
Follow-up of #251 (comment)
I looked at how best handle the current situation that prevents the update job to be executed on non-member PRs. It looks like the easiest would be to create a team with Read access (aka nothing more than what you can do on public repo) in which we invite trusted contributor as outside collaborator.
For example I invited a GSoC contributor for test purpose (should be dropped at the end of this meeting if the approach is deemed wrong):
image
Then on jupyterlab/jupyterlab#16438 (comment), the first update snapshot comment failed (she was not yet a collaborator). The second passed (she accepted the invitation).
The text was updated successfully, but these errors were encountered: