Comments (10)
No, we shouldn't move a community-driven action into this namespace. We should limit it to only actions supported by GitHub employees directly. This action should be deprecated and removed in favor of ruby/setup-ruby.
from setup-ruby.
I am one of the "cases that got confused" :)
I for one definitely think there should be one "official" action for key tasks, although I know it is not always possible - since there may be conflicting opinions as to who is responsible for each of these official actions.
For what it's worth, I was hoping that GitHub Actions would take an approach similar to what DockerHub is doing, which is to have a special class of actions that are official and verified (on DockerHub it's all the images that do not have an organization, like mongo and ubuntu etc.).
I wish that in GitHub actions I could do:
steps:
  - name: Setup Ruby
    uses: ruby
and it will go to the formal action, which - ideally - is maintained by the Ruby people (since they know it best, and are invested in it) and "approved as the formal one" by the GitHub team.
Having actions that are official like this helps to put formal security-related guidelines in an organization, such as "Only use official and verified Actions".
from setup-ruby.
> Maybe that's good enough to fit your "Only use official and verified Actions" guideline?
Absolutely. And the "Verified by GitHub" is also a good addition.
It seems that now there are at least three "classes" of actions:
- Actions made by GitHub (which at first, I thought this list will grow rapidly)
- Actions made by the Product Owner or Authority (Amazon for AWS actions, Ruby for Ruby actions)
- Actions made by "some random developer on GitHub".
I believe that, like me, other people who are responsible for guidelines in their organizations, can easily point to the first two types as "approved for use".
from setup-ruby.
@eregon Yes! I think we should deprecate this one, thanks for bringing it up and sorry for the delay in us noticing it. We'll work on a deprecation plan to minimize workflows that could break.
As an aside, I think it would be great to make it so ruby/setup-ruby could take advantage of whatever is installed on the image, but that's a different topic. I'll open an issue in ruby/setup-ruby in the near future to discuss that one.
from setup-ruby.
> it will go to the formal action, which - ideally - is maintained by the Ruby people (since they know it best, and are invested in it) and "approved as the formal one" by the GitHub team.
That seems unfortunately impossible, as the rule seems to be that actions under github.com/actions can only have GitHub staff as (code) maintainers: #44 (comment)
ruby/setup-ruby being the Ruby starter workflow will probably be as far as it gets in terms of official.
I noticed on the marketplace ruby/setup-ruby is marked as
> Verified creator
> GitHub has verified that this action was created by ruby.
Maybe that's good enough to fit your "Only use official and verified Actions" guideline?
I think if one trusts Ruby (e.g., building & running MRI) then one can trust actions made by the Ruby org on GitHub.
But I see your point that there is no simple rule like "actions made by GitHub".
On the larger scale there are very few actions under github.com/actions in comparison to actions made by the community, so I think "only actions made by GitHub" is too limiting for many usages.
from setup-ruby.
@thboop @eileencodes Any thoughts on this issue?
Here is a recent example of the confusion this is causing: ruby/setup-ruby#92 (comment)
from setup-ruby.
One more example: actions/runner-images#281 (comment)
from setup-ruby.
From what I've seen this action is already no longer published on the marketplace and ruby/setup-ruby is what people get when using the starter workflows.
I wonder why people still come to this action and then get confused why so few versions are available. Maybe they simply look at https://github.com/actions/? If so, maybe a good way is to add [DEPRECATED] or so in the description, and/or add a mention in the README that https://github.com/ruby/setup-ruby is recommended instead by having a lot more Ruby versions and more features (as well as being maintained more actively)? WDYT?
from setup-ruby.
We'd prefer to only use official actions (or our own).
Since there are already actions/setup-node, actions/setup-go, actions/setup-python, etc. (examples here), would it be a better idea to move ruby/setup-ruby into this namespace?
I think it would make sense for GitHub to maintain basic, trusted setup actions for a bunch of common languages.
from setup-ruby.
> Would it be a better idea to move ruby/setup-ruby into this namespace?
Doesn't seem to be possible, see #80 (comment)
from setup-ruby.