feat: add greetings file #7
base: main
Conversation
Hi @CBID2, this greeting GitHub Action is nice though.
I've been analyzing it since I saw it in the EddieHub repo.
Personally, I use actions/first-interaction@v1; have you tried it before?

No, tell me more @geoffreylgv. :)

Alright. It's also simple to use and supports PR or issue message customization, similar to the one you added.

Allow me to suggest something: on the call of the github.actor, if you put the @${{ github.actor }}
Hi @CBID2, thanks so much for opening this PR and contributing to shesharp! :)
This PR looks good, but I see an opportunity to harden the security of this GitHub workflow.
- The GITHUB_TOKEN secret used in this action currently has write permissions on all scopes. This is more permission than is necessary to perform its task in this action. Can you reduce the scope of the token permission to write on only the relevant scopes (issues and pull-requests)?
  Reference: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs#defining-access-for-the-github_token-scopes
  See also: Use credentials that are minimally scoped
- I am ok with leveraging a community-created action, but I would prefer if we pin the version by using a commit SHA rather than a branch or a tag. Using a SHA is generally suggested for various reasons:
  - It makes the third-party action's code immutable: the source action won't change over time with new releases, so the action will always have predictable behavior. New breaking changes won't impact our workflow.
  - It helps mitigate the risk of a bad actor adding a backdoor to the third-party action's repository. Pinning to a commit SHA reduces the risk of unintentionally introducing malicious code in the future (a branch or tag of an action can be compromised; the commit SHA is immutable).
  See more info here: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
Related: while looking at this PR I realized that we can improve the security posture of other shesharp repositories as well, so I created these new issues to address that effort:
shesharpnl/hackathon-2023.slack-bot.base-example#1
shesharpnl/hackathon-2021.twitter-bot.base-example#8
shesharpnl/hackathon-2021.slack-bot.base-example#1
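As an added illustration of the two review points above (least-privilege GITHUB_TOKEN scopes and pinning actions to a commit SHA), here is a small Python checker. It is example code written for this page, not code from the PR, the shesharp repositories or the EddieHub action. The two workflow texts inside it are constructed for the example, and the 40-character SHAs in the hardened one are placeholders, not real commits of either action. It scans line by line so it runs without a YAML library; a production linter should use a real YAML parser. It flags every non-SHA `uses:` reference, which is stricter than the review, which asked for SHA pinning of the community action only.

```python
"""Checker for two workflow-hardening points: least-privilege GITHUB_TOKEN
permissions and third-party actions pinned to a full commit SHA.

Example code written for this page, not code from the PR, the shesharp
repositories or the EddieHub action. Line-based on purpose so it runs
without a YAML library; a production linter should use a real YAML parser.
"""
import re

# A full commit SHA is 40 hex characters; shorter prefixes, branch names and
# tags are all mutable references and therefore not an immutable pin.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `uses:` lines that reference a repository action: owner/repo[/path]@ref.
# Local (./path) and docker:// actions intentionally do not match.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")
PERMS_RE = re.compile(r"^\s*permissions:\s*(\S*)\s*$")

# Constructed "before" workflow: write on every scope and mutable action refs.
WEAK_WORKFLOW = """\
name: Greetings
on: [issues, pull_request]
jobs:
  greeting:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - uses: actions/checkout@v4
      - uses: EddieHubCommunity/gh-action-community/src/welcome@main
"""

# Constructed "after" workflow. The SHAs are placeholders for this example,
# not real commits of either action; resolve the real ones before pinning.
HARDENED_WORKFLOW = """\
name: Greetings
on: [issues, pull_request]
jobs:
  greeting:
    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder)
      - uses: EddieHubCommunity/gh-action-community/src/welcome@89abcdef0123456789abcdef0123456789abcdef  # placeholder
"""


def parse_permissions(workflow_text):
    """Return the first `permissions:` mapping found, or None if absent.

    Shorthand values (`write-all`, `read-all`, `{}`) come back as {"*": value};
    the nested form comes back as {scope: level}.
    """
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = PERMS_RE.match(line)
        if not m:
            continue
        if m.group(1):
            return {"*": m.group(1)}
        indent = len(line) - len(line.lstrip())
        scopes = {}
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            if len(nxt) - len(nxt.lstrip()) <= indent:
                break  # dedent: end of the permissions block
            key, _, value = nxt.strip().partition(":")
            scopes[key.strip()] = value.strip()
        return scopes
    return None


def check_permissions(workflow_text, allowed_write=frozenset({"issues", "pull-requests"})):
    """Report token scopes that are broader than the workflow needs."""
    perms = parse_permissions(workflow_text)
    if perms is None:
        return ["no permissions block: the job inherits the repository default for GITHUB_TOKEN"]
    if perms.get("*") == "write-all":
        return ["permissions: write-all grants write on every scope"]
    return [
        f"scope {scope!r} is write but this workflow only needs write on {sorted(allowed_write)}"
        for scope, level in perms.items()
        if scope != "*" and level == "write" and scope not in allowed_write
    ]


def check_pins(workflow_text):
    """Return (action, ref) pairs whose ref is not a full commit SHA."""
    return [
        (m.group(1), m.group(2))
        for m in map(USES_RE.match, workflow_text.splitlines())
        if m and not SHA_RE.match(m.group(2))
    ]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {name} ==")
        for problem in check_permissions(text):
            print("  permissions:", problem)
        for action, ref in check_pins(text):
            print(f"  unpinned: {action}@{ref}")
```

The SHA check is purely syntactic: a 40-hex string passes even if no such commit exists in the action's repository, so resolve the branch or tag to its current commit (for example with `git ls-remote` against the action's repository) and confirm the commit is reachable there before pinning to it.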
Hey @saragerion. I made the necessary changes.
.github/workflows/greetings.yml (outdated)

```yaml
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: EddieHubCommunity/gh-action-community/src/welcome@bf67289baedda0b13e216f7ca14e733eab899963
```
Hi @CBID2, thanks for implementing this change.
Question: where did you find this commit SHA?
I do not see it in the main branch:
https://github.com/EddieHubCommunity/gh-action-community/commits/main
And this URL doesn't work:
https://github.com/EddieHubCommunity/gh-action-community/tree/bf67289baedda0b13e216f7ca14e733eab899963
Hi @saragerion. Sorry for the long wait. I found a new greeting that they use: https://github.com/EddieHubCommunity/gh-action-community/blob/main/.github/workflows/community.yml
Here's the latest commit: EddieHubCommunity/gh-action-community@92d4d80
Hey @CBID2,

Awesome! Please keep us posted. And do let us know if you can't go further. We can close this and you can always create a new issue and PR once you figure something out.

@CBID2 I want to inform you that as there is no progress on this PR in the last 3 weeks, I'm putting it on draft. Feel free to change the status to "ready for review" once you've resolved it. However, because it's already been open for 4 months, if you haven't resolved it by next week (February 14th), I will close this PR. You can open a new issue and PR in that case if you're still interested. Thank you. cc: @saragerion
Description
This PR adds a welcome.yml file.

Type of PR
- [x] Feature
- [ ] Bug fix
- [ ] Documentation update
- [ ] Others

Related Issue
Closes #3