Dealing with workflow execution restriction following enforcement of more stringent security rules #256
Comments
fcollonval
added
bug
|
Some questions:
Overall the "Read" permission is probably fine and low risk. It's more about guidelines for JupyterLab maintainers for how to manage that list. |
What about as soon as they open a second PR? So we don't add one shot contributors.
Definitely better to use a team as it is easier to manage and to audit for security.
That one is always tricky. We could set up a job like we do for the council with a rule like every six months, list regular contributors who haven't contribute in the last six months. Then we could remove those. |
|
Ah, I just saw that it is not only that non-members cannot invoke the update, but it cannot be invoked even by members on non-member PRs. I think this needs to be changed. For example see: jupyterlab/jupyterlab#16341 with https://github.com/jupyterlab/jupyterlab/actions/runs/10330748123/job/28600154607 |
Description
Follow-up of #251 (comment)
I looked at how best handle the current situation that prevents the update job to be executed on non-member PRs. It looks like the easiest would be to create a team with Read access (aka nothing more than what you can do on public repo) in which we invite trusted contributor as outside collaborator.
For example I invited a GSoC contributor for test purpose (should be dropped at the end of this meeting if the approach is deemed wrong):
image
Then on jupyterlab/jupyterlab#16438 (comment), the first update snapshot comment failed (she was not yet a collaborator). The second passed (she accepted the invitation).
The text was updated successfully, but these errors were encountered: