Open source? #1

Open
OliverHGray opened this issue Oct 9, 2020 · 7 comments

Comments

@OliverHGray

OliverHGray commented Oct 9, 2020

This app looks like it'll fix a huge hole in GitHub Actions and appears to open it up to many more exciting use cases, but given the nature of this app being used to protect our secrets, we need to be able to trust it!

How can you assure this is safe to use? Is it open source somewhere?

@eladchen
Owner

eladchen commented Oct 9, 2020

Hi,

I'm not sure what you mean by "it'll a huge hole"...

The app does not have access to secrets, nor does it request such access.
This app acts on file changes, and requires access to the relevant scopes to do so...

The reason the application code is not open-sourced is for proprietary reasons;
sometime in the future, I might consider adding additional features for paid plans.

You can see what permissions the app requires when installing the application, and if you have any
question regarding those permissions, let me know and I'll clarify why and for what they will be used.

@justinengland

I think the goal of the conversation was more: this fixes a major hole in GitHub's feature set, and we would like to review the code being allowed to manage runs on our proprietary repos. I think a source code audit for this kind of tool is a good practice just because of how powerful this tool will be, and if a backdoor is injected, the first warning would be a pipeline getting owned.

Is this project for sale? I would willingly contribute financially as a private developer to get a peek at the source, as well as sign an NDA or whatever else, and my company or I might be interested in purchasing the idea outright for a fair price.

If commercial concerns are the worry here, let's talk business.

@justinengland

What is the best way to get in touch with you directly? We are willing to make an offer to purchase this code.

@eladchen
Owner

eladchen commented Nov 5, 2020

Hi @justinengland - you can message me on Twitter / LinkedIn

@eladchen
Owner

eladchen commented Nov 9, 2020

I understand the concerns; what kind of audit are you expecting to perform?

@ba32107

ba32107 commented Nov 13, 2020

Hi @eladchen, I am also very interested in this. However, based on your App's docs, I am not quite sure it fits my use case. I've described what I'm looking to achieve in this comment; can you please confirm whether your App can do this or not? Based on the official docs and my initial experimentation, I don't understand how this can be done. To be clear: I'm looking to intercept and cancel all workflow runs, not just ones triggered by pull_request.

If you can confirm that your App is able to do what I described in my comment, I would potentially also be interested in a business discussion. Disclaimer: I'm speaking as a private developer now, not on behalf of my company.

@eladchen
Owner

You can cancel any workflow run by setting the anyEvent rule.
