| From: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
|---|---|
| To: | Andres Freund <andres(at)anarazel(dot)de> |
| Cc: | Nazir Bilal Yavuz <byavuz81(at)gmail(dot)com>, Jelte Fennema-Nio <postgres(at)jeltef(dot)nl>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Heads Up: cirrus-ci is shutting down June 1st |
| Date: | 2026-05-28 15:51:09 |
| Message-ID: | CAOYmi+mpks_rE5E8fLzANbmhEySK=XC8rAtxi_qPVQKiu6nUGA@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Thu, May 28, 2026 at 8:07 AM Andres Freund <andres(at)anarazel(dot)de> wrote:
> On 2026-05-27 15:15:46 -0700, Jacob Champion wrote:
> > - Do we need to defend our downstream forks from this workflow? (We
> > have 5,700 of them, apparently.)
>
> I don't see why. I think it's good if they run CI. Having forks not run CI by
> default would imo take one of the main advantages of using github actions
> away.
I was imagining a quick opt-in, like the Cirrus flow did, that fork
owners can do once they have checked their settings.
(I thought we planned to research medium-term alternatives to Actions
anyway; is it important that the entire graph starts running hundreds
or thousands of CI copies right away?)
> Yes, they are too permissive by default, including on postgres/postgres. I
> think postgres/postgres isn't *that* threatened, but we should make things are
> shored up anyway. Where it's really crucial is the postgresql-cfbot repo.
Combining with the above: I'm worried that if all of our 5.7k forks
have permissive settings, and we accidentally ship a workflow
vulnerability that doesn't affect us but does affect them, that would
not be a fun cleanup.
--Jacob
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Denis Rodionov | 2026-05-28 15:58:39 | [PATCH] Remove obsolete tupDesc assignment in extended statistics |
| Previous Message | Nathan Bossart | 2026-05-28 15:17:41 | Re: future of PQfn() |