...
UTC time 1700 hrs
Meeting space meet.apache.org - https://meet.apache.org/buildsmeeting20210114
Backup meeting space - TBA http://meet.google.com/mfq-gajx-wmt - To go to if our Jitsi instance crashes on us.
Attendees (Add your cwiki name below)
...
- Brian Douglas - Github
- Jarek Potiuk
- Kaxil Naik
- Andrew Wetmore
- fluxo Lambertus
- Daniel Gruno
- Dave Grove
- Paul Angus
- Zach Hoffman
- Martin Grigorov Grigorov
Format
The meeting is yours to discuss whatever you want to. Aim to discuss with 'each other' as
in others subscribed to the builds@ mailing list, from your project or from other projects.
...
Item | Who | Notes |
---|---|---|
Action Items from last meeting | ||
Github Environments | Gavin McDonald | |
Daily Statistics - At least daily snapshots if not live updates for things like how many runners we have in use, which project is using them, how many minutes / hours a build takes etc. Is there an ETA to make these stats available via a Public API? | Gavin McDonald | |
GitHub Actions | Brian Douglas | |
(Github Actions) Performance + related -> self-hosted runners for public repos. We badly need to be able to run self-hosted runners securely for our repos but we cannot because it's not secure for builds run from forks (anyone can inject any of their code in a PR). We proposed a PR to GA runner (beginning of November) to allow configuration to limit the self-hosted runners to only allow jobs from committers/main repo - but not allow them for forks. That would solve the vast majority of the issues as we have funding for the self-hosted runners. We can run our own "fork" of the runners (we are actually building this capability), however, we have to go through extra hoops (including automated rebasing of our changes on top of latest changes from GitHub) but this is not a stable solution and we do not know if it is secure enough. We need a GitHub-approved solution and we are willing to have only a subset of the jobs run there. We would love to have a GitHub 'blessed' solution. | https://github.com/actions/runner/pull/783 | |
(Github Actions) Security vulnerabilities reported via bounty.github.com (I do not want to describe details on a public page). We reported two security vulnerabilities that we think are in Github Actions. The issues caused infrastructure to disable parts of Github Actions functionalities for all ASF projects, but some of us think those are issues that are affecting not only ASF projects but others as well. We would love to hear if GitHub acknowledges those issues and what the plans about it are. | ||
Corollary to above - can self-hosted runners exfiltrate org-wide Actions secrets? | fluxo Lambertus | |
Enabling Github Container Registry We keep on getting random errors when we push images to GitHub Package Registry related to manifest version (they make pushed images unusable). This has been reported in the past to GitHub support and the answer we got was that those are inherent problems with Github Package Registry which is essentially deprecated and we should migrate to the new Github Container Registry which has better infrastructure and is now a recommended solution as per this blog. In order to get a stable CI we also need to have a stable container registry as this is essential for build optimizations we implemented. The INFRA-20959 has all the details. Is there anything stopping INFRA from enabling the registry and is it really the only solution from GitHub that we can get? UPDATE. This problem started to hit us hard today. Even with the self-hosted runners we are trying and with some workarounds implemented, every workflow has at least one job failing today on pushing to GitHub Registry. GitHub support acknowledged the issue and is looking at it, so there is hope I will be able to tell more about it at the meeting. | https://issues.apache.org/jira/projects/INFRA/issues/INFRA-20959 Support@GitHub ticket: https://support.github.com/ticket/personal/0/982113 (personal, only Jarek Potiuk has access). | |
Better/smarter GHA allow/deny lists It would be helpful for our organization if we could set a rule that all external action references (allowed ones like actions/* and apache/* aside) had to be pinned to their 40-char SHA hash. Currently we are only able to sort of pin with an experimental cropped glob, so either allowing longer globs or having a shortcut for "a 40 character hexadecimal value" would be appreciated greatly. | ||
On the topic of GHA allow/deny lists, allowing Docker images that are pinned to a hash. Example pattern: docker://*@sha256:* | Zach Hoffman | |
Plans for adding ARM64 builder nodes?! | Martin Grigorov Grigorov | https://github.com/github/roadmap/issues/95 mentioned ARM64 for some time, then it has been edited and ARM64 is no longer there. https://github.com/github/roadmap/issues/169 seems to be the new issue but it was closed on the same day it was opened. |
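The pinning rule requested in the allow/deny list items above (external actions pinned to a 40-char SHA, Docker images pinned to a sha256 digest, with actions/* and apache/* exempt) can be checked locally before a workflow is merged. This audit script is an added example, not part of the meeting notes or of any ASF or GitHub tooling; the sample workflow, the SHA and the digest in it are constructed placeholders.

```python
import re
from typing import List, Tuple

# Policy from the agenda item: external action references must be pinned to a
# full 40-hex commit SHA, Docker images to a sha256 digest; actions/* and
# apache/* are the allow-listed namespaces exempt from the rule.
TRUSTED_PREFIXES = ("actions/", "apache/")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
DOCKER_RE = re.compile(r"^docker://[^@\s]+@sha256:[0-9a-f]{64}$")
# Extracts the value of every `uses:` key; a regex suffices and avoids a YAML dependency.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)

def classify_ref(ref: str) -> str:
    """Return 'ok', or a short reason why this `uses:` reference violates the policy."""
    if ref.startswith("./"):
        return "ok"  # local action from the same repository
    if ref.startswith("docker://"):
        return "ok" if DOCKER_RE.match(ref) else "docker image not pinned to a sha256 digest"
    if ref.startswith(TRUSTED_PREFIXES):
        return "ok"  # allow-listed namespace, tag/branch references accepted
    if "@" not in ref:
        return "no ref given at all"
    rev = ref.rpartition("@")[2]
    return "ok" if SHA1_RE.match(rev) else f"pinned to mutable ref {rev!r}, not a 40-hex SHA"

def audit_workflow(text: str) -> List[Tuple[str, str]]:
    """Return (reference, reason) for every non-compliant `uses:` in a workflow file."""
    return [(ref, r) for ref in USES_RE.findall(text) if (r := classify_ref(ref)) != "ok"]

# Constructed sample workflow (not from the page); the SHA and digest are made-up placeholders.
FAKE_SHA = "0123456789abcdef" * 2 + "01234567"
FAKE_DIGEST = "a" * 64
SAMPLE = f"""\
jobs:
  build:
    steps:
      - uses: actions/checkout@v2
      - uses: apache/some-action@main
      - uses: someorg/setup-thing@v1.2.3
      - uses: someorg/other-thing@{FAKE_SHA}
      - uses: docker://ghcr.io/someorg/img:latest
      - uses: docker://ghcr.io/someorg/img@sha256:{FAKE_DIGEST}
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for ref, reason in audit_workflow(SAMPLE):
        print(f"{ref}: {reason}")
```

Running it against the sample flags only the tag-pinned third-party action and the `:latest` Docker image; the allow-listed, SHA-pinned, digest-pinned and local references pass.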
Speaking of Foundation needs, this might be a good visualisation showing current state of all ASF projects using Github Actions:
...