  1. Beam
  2. BEAM-14248

Allow committers only to run GitHub Actions workflows on self-hosted runners

Details

    • Improvement
    • Status: Open
    • P2
    • Resolution: Unresolved
    • None
    • None
    • build-system
    • None

    Description

      Hi everyone, 

      After a meeting held on March 14, 2022 with Gavin McDonald and Jarek Potiuk, we noticed that it would be highly important to have the implementation of Ash's GitHub Actions Runner [1] in the Beam project as well, due to security concerns. Ash's version allows the runners to be executed only by approved committers, providing us an extra layer of security (this is already implemented in Apache Airflow [2]).

      Currently, with the GitHub Actions Runner [3], everyone can execute runners and workflows without any restriction, as it's a public repo.

      We highly recommend incorporating this approach into the current implementation.

      Thank you!

      [1] https://github.com/ashb/runner 
      [2] https://github.com/apache/airflow-ci-infra/tree/main/github-runner-ami/packer 
      [3] https://github.com/actions/runner 


            People

              Unassigned
              danimartin Daniela Martín
              Votes: 0
              Watchers: 3
