development/flutter
development/flutter
1
0
Fork 0
mirror of https://github.com/flutter/flutter synced 2024-09-17 23:31:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
flutter/docs/infra/GitHub-Action-Workflows.md
Kate Lovett 1fbcbb73a0
[wiki migration] Leftover wiki pages and links (#148989) 
This is waiting on 
- https://github.com/flutter/flutter/pull/148777
- https://github.com/flutter/flutter/pull/148790

After this PR lands, there will likely be 1-2 more clean up PRs, after which the migration will be done!

---

This moves the remaining wiki pages as planned in [flutter.dev/go/migrate-flutter-wiki-spreadsheet](https://docs.google.com/spreadsheets/d/1x65189ZBdNiLRygpUYoU08pwvXD4M-Z157c6pm8deGI/edit?usp=sharing) 

It also adds the team labels to the label bot for future PRs.

Changes to the content were only updating cross links, or links to refer to the main branch rather than master.
Remaining links to the wiki will be updated once all other pages have finished moving, they still work in the meantime.

Part of https://github.com/flutter/flutter/issues/145009
2024-05-28 15:12:10 +00:00

2.4 KiB
Raw Blame History

GitHub actions at Flutter

Action workflows can be enabled by writing a yaml file inside .github/workflows folder of a given repository. These workflows run arbitrary code from GitHub repositories and with read/write permissions in the repository assets. This can be dangerous as anyone with write permissions to the repository can enable workflows using malicious code. To mitigate this only workflows with pinned commits within an allowed list can be executed.

Flutter repositories have workflows enabled with readonly ACLs by default. The ACLs can be overwritten providing specific permissions in the configuration file.

Determining whether a given workflow is secure or not goes well beyond flutter's capacity and it is the responsibility of the person enabling the workflow to diligently check the workflow for any potential security issues.

Adding a new GitHub Actions workflow

To add a new workflow please open a new bug using the ticket queue process. The following data points are required:

  • Description/reason to enable this workflow
  • workflow repository
  • pinned commit

Updating a GitHub Actions workflow

To update an existing workflow please open a new bug using the ticket queue process. The following data points are required:

  • Description/reason to update the pinned version
  • workflow/old_pinned_version
  • workflow/new_pinned_version

flutter/engine and flutter/flutter

flutter/engine please do not add any action workflows to this repository. The preferred way of building and testing is to use LUCI. This allows to plan for scalability, security and maintainability.

flutter/flutter the main use of workflows in this repo is to process bugs, projects, etc. Please do not use action workflows to build, run tests or release artifacts.

Checklist

New workflow:

  • Does it have an associated bug?
  • Was the workflow/commit added to the allow list? Is the workflow pinned to a given commit?
  • If the workflow require write access, is it overriding the ACLs explicitly?
  • If the target repository has branch protection, is the configuration using secrets.FLUTTERGITHUBBOT_TOKEN instead of the default one?
  • Is the workflow configured to not run on forks?

Update workflow:

  • Does it have an associated bug?
  • Was the workflow with old and new commits added to the allowed list?