<!doctype html>
<html class="no-js" lang="en" dir="ltr">
<head>
<meta charset="utf-8">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>GitHub Actions Policy - Apache Infrastructure Website</title>
<link href="/css/bootstrap.min.css" rel="stylesheet">
<link href="/css/fontawesome.all.min.css" rel="stylesheet">
<link href="/css/headerlink.css" rel="stylesheet">
<script src="/highlight/highlight.min.js"></script> </head>
<body class="d-flex flex-column h-100">
<main class="flex-shrink-0">
<div>
<!-- page contents -->
<div id="contents">
<div class="bg-white p-5 rounded">
<div class="col-sm-8 mx-auto">
<h1>
GitHub Actions Policy
</h1>
<p>This page documents the policies for using <a href="github-actions-secrets.html">GitHub Actions</a> at the Apache Software Foundation.</p>
<p>For details on the use of requirement level terms, see the <a href="https://www.ietf.org/rfc/rfc2119.txt" target="_blank">requirements levels</a> standard.</p>
<h3>Resource use</h3>
<p>Due to misconfigurations in their builds, some projects have been consuming unsupportable amounts of <a href="github-actions-secrets.html">GitHub Actions</a> runner time. As part of fixing this situation, Infra has established a policy for GitHub Actions use. This section of the policy comes into effect on <strong>April 20, 2024</strong>:</p>
<ul>
<li>All workflows <strong>MUST</strong> have a job concurrency level less than or equal to 20. This means a workflow cannot have more than 20 jobs running at the same time across all matrices.</li>
<li>All workflows <strong>SHOULD</strong> have a job concurrency level less than or equal to 15. Just because 20 is the max, doesn't mean you should strive for 20.</li>
<li>The average number of minutes a project uses <em>per calendar week</em> <strong>MUST NOT</strong> exceed the equivalent of 25 full-time runners (25 runners × 7 days × 24 hours = 4,200 hours, or 252,000 minutes).</li>
<li>The average number of minutes a project uses <em>in any consecutive five-day period</em> <strong>MUST NOT</strong> exceed the equivalent of 30 full-time runners (216,000 minutes, or 3,600 hours).</li>
</ul>
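<p>As an added illustration (not part of the Infra policy text), the workflow fragment below shows the settings that keep a matrix build inside these limits: <code>max-parallel</code> caps how many matrix jobs run at once, <code>concurrency</code> with <code>cancel-in-progress</code> stops superseded runs on the same branch or pull request from piling up, and <code>timeout-minutes</code> prevents a hung job from consuming GitHub's default six-hour job limit. The job name, matrix values and build command are hypothetical.</p>

```yaml
name: CI

on:
  push:
    branches: [main]
  pull_request:

# Cancel an in-progress run of this workflow for the same branch or PR when
# a new commit arrives, so superseded builds do not keep consuming runners.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ${{ matrix.os }}
    # A hung job would otherwise run for GitHub's default of 360 minutes.
    timeout-minutes: 30
    strategy:
      # Default, but stated explicitly: stop the remaining matrix jobs as
      # soon as one fails instead of burning minutes on a known-bad commit.
      fail-fast: true
      # 3 x 4 x 2 = 24 matrix jobs. Without max-parallel they could all start
      # at once, exceeding the MUST limit of 20; 15 honours the SHOULD level.
      max-parallel: 15
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        java: ['8', '11', '17', '21']
        profile: [default, integration]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: ${{ matrix.java }}
      - run: ./mvnw -B verify -P${{ matrix.profile }}   # hypothetical build command
```

<p><code>max-parallel</code> applies per job, not per workflow run. If a workflow has several matrix jobs that can run at the same time, their <code>max-parallel</code> values add up, so either chain them with <code>needs:</code> or size them so that the sum stays at or below 20.</p>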
<p>Projects whose builds consistently cross the maximum use limits will lose their access to GitHub Actions until they fix their build configurations.</p>
<h3>Triggers</h3>
<p>You <strong>MUST NOT</strong> use <code>pull_request_target</code> as a trigger on <strong>ANY</strong> action that exports <strong>ANY</strong> confidential credentials or tokens such as <code>GITHUB_TOKEN</code> or <code>NPM_TOKEN</code>. Unlike <code>pull_request</code>, this trigger runs in the context of the base repository, with its secrets and a write-capable <code>GITHUB_TOKEN</code>, even for pull requests from forks, so any step that checks out or executes the pull request's code hands those credentials to the contributor.</p>
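<p>As an added example (not from the Infra policy), the first workflow below violates this rule: it is triggered by <code>pull_request_target</code>, checks out the pull request's own code into that privileged context, and passes a secret to a step that runs it, so a fork author can change the build scripts to read <code>NPM_TOKEN</code> and the token <code>actions/checkout</code> persists in <code>.git/config</code>. The second workflow does the same build under <code>pull_request</code>, where a run for a fork gets a read-only <code>GITHUB_TOKEN</code> and no repository secrets. The two documents would be two separate workflow files; the secret and the commands are hypothetical.</p>

```yaml
# FORBIDDEN: pull_request_target + checkout of the PR head + a secret in the
# environment. A fork can edit package.json's scripts (or any build file) to
# print or exfiltrate NPM_TOKEN and the write-capable GITHUB_TOKEN.
name: pr-unsafe
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checks out untrusted code from the fork into a privileged context.
          ref: ${{ github.event.pull_request.head.sha }}
          # checkout also stores GITHUB_TOKEN in .git/config by default
          # (persist-credentials: true), where the PR's code can read it.
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # exported to PR-controlled code
---
# COMPLIANT: the same build under pull_request. For a fork, GITHUB_TOKEN is
# read-only and repository secrets are not provided, so the untrusted code
# gains nothing by running here.
name: pr-safe
on:
  pull_request:
permissions:
  contents: read                 # least privilege even for same-repo branches
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - run: npm ci && npm test        # building and testing needs no secrets
```

<p>If a workflow genuinely needs <code>pull_request_target</code> (for example to label or comment on pull requests from forks), restrict it to steps that never check out or run the pull request's code, give it the narrowest <code>permissions:</code> block it needs, and never pass it a secret; build and test the contributed code in a separate <code>pull_request</code> workflow.</p>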
<h3>External actions</h3>
<p>You <strong>MAY</strong> use all actions internal to the <code>apache/*</code>, <code>github/*</code> and <code>actions/*</code> namespaces without restrictions.</p>
<p>You <strong>MUST</strong> pin all external actions to the specific git commit hash (SHA1) of the action that has been reviewed for use by the project. Tags and branches are mutable references: <code>@v1</code> can be moved to different code after the project reviewed it, whereas a commit hash identifies exactly one revision. For instance, you <strong>MUST</strong> pin <code>foobar/baz-action@8843d7f92416211de9ebb963ff4ce28125932878</code>.</p>
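<p>As an added illustration (not part of the policy text), the fragment below shows the unpinned and pinned forms side by side. <code>foobar/baz-action</code> and the hash are the hypothetical names used in the policy, not a real action or commit, and the tag <code>v1.2.3</code> in the trailing comment is likewise invented.</p>

```yaml
steps:
  # Non-compliant: a tag or branch is a mutable pointer. The action's owner,
  # or anyone who compromises that account, can move v1 to different code
  # after the project reviewed it.
  - uses: foobar/baz-action@v1

  # Compliant: the full 40-hex-character commit hash of the reviewed revision.
  # GitHub requires the full hash (abbreviated hashes are rejected). The
  # trailing comment records which tag it corresponded to so that reviewers
  # and update tooling such as Dependabot can track upgrades.
  - uses: foobar/baz-action@8843d7f92416211de9ebb963ff4ce28125932878 # v1.2.3

  # Actions inside the apache/*, github/* and actions/* namespaces may stay
  # on a tag under this policy.
  - uses: actions/checkout@v4
```

<p>To find the hash for a reviewed tag without cloning, <code>git ls-remote https://github.com/foobar/baz-action refs/tags/v1.2.3</code> prints the object the tag points to. For an annotated tag that object is the tag itself, not the commit; query <code>refs/tags/v1.2.3^{}</code> (or read the <code>^{}</code> line in the output of <code>git ls-remote --tags</code>) to get the commit hash that GitHub will actually run, and compare it against the revision the project reviewed before pinning it.</p>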
<h3>Using self-hosted runners with GitHub Actions</h3>
<p>See this guidance on <a href="https://cwiki.apache.org/confluence/display/INFRA/GitHub+-+self-hosted+runners" target="_blank">GitHub - self-hosted runners</a>.</p>
<h3>Pushing commits to repositories</h3>
<p>In general, only committers <strong>MAY</strong> push commits to repositories.</p>
<p>Automated services such as GitHub Actions (and Jenkins, BuildBot, etc.) <strong>MAY</strong> work on website content and other non-released data such as documentation and convenience binaries.
Automated services <strong>MUST NOT</strong> push data to a repository or branch that is subject to official release as a software package by the project, <strong>unless</strong> the project secures specific prior authorization of the workflow from Infrastructure.</p>
<h3>Non-committer contributors and GitHub Actions</h3>
<p>GitHub provides an option to let a non-committer contributor run GitHub Actions workflows on their pull requests without approval once a previous pull request by that person has been approved. This raises security concerns, since a contributor who has had one benign change approved can then run the workflow changes in later pull requests on the project's runners with no review, and it could cause issues with overall use of GitHub Actions.</p>
<p>The default for this option is to "always require approval for external contributors".</p>
<p>Projects that have a strong desire to use the "only require approval first time" option should request it, with their reasons, in a Jira ticket for Infra.</p>
<p>Projects will be allowed to continue using the "only require approval first time" feature, provided they affirm that they will actively monitor their workflows for abuse and act accordingly. Failure to do so may result in the workflow settings being switched back to "always require approval for external contributors".</p>
</div>
</div>
</div>
<!-- footer -->
<div class="row">
<div class="large-12 medium-12 columns">
<p style="font-style: italic; font-size: 0.8rem; text-align: center;">
Copyright 2024, <a href="https://www.apache.org/">The Apache Software Foundation</a>, Licensed under the <a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.<br/>
Apache&reg; and the Apache feather logo are trademarks of The Apache Software Foundation...
</p>
</div>
</div>
<script type="application/ecmascript" src="/js/bootstrap.bundle.min.js" integrity="sha384-OERcA2EqjJCMA+/3y+gxIOqMEjwtxJY7qPCqsdltbNJuaOe923+mo//f6V8Qbsw3"></script> </div>
</main>
<script>hljs.initHighlightingOnLoad();</script>
</body>
</html>