Verify this action in GitHub Marketplace #238
Comments
Related: #129 I'm still not sure how we'd go about with a good process for this. I'm Ok with 2FA, though. @starbelly, thoughts? |
@paulo-ferraz-oliveira Oh, indeed we should get verified. I'll look into this tomorrow. |
We need to:
(I'll keep following the thread) |
For future ref: https://docs.github.com/en/apps/github-marketplace/github-marketplace-overview/about-marketplace-badges There are bullet points there that we'd need to discuss on how to move forward. |
👆Anyone against implementing this? Seems like low-hanging-fruit IMHO. Would be great to remove this hurdle to BEAM adoption in corporate environments. |
There's a couple of issues that we need to consider, e.g. I don't have (or at least I don't use) an Am I against your proposal? No, but I still need to check with other people/devs, as this action has no "owner", it's maintained by some interested members of the EEF, me included. Can I verify ownership of the domain? No, because 1. I don't know what domain we're talking about, 2. I don't own any domain 😄 If two factor is required for the whole organisation maybe this'll raise questions for many members. (also, is this the member list we're talking about? I can release the action, for example, and I'm not part of the organisation - should I?). I do agree it seems like low-hanging-fruit (but I did raise some questions as you can see above) but on the other hand this has been requested now only twice by two different people. Is it really hurdling adoption for the whole community (or those yet to adopt Erlang, which would be even more strange to understand?). The other time was here and it got a single 👍 as I stated in the comments. Has this been discussed in the forums? Or Slack? Have you tried to join an EEF WG to bring it up if it's causing issues? e.g. https://the-eef.slack.com/archives/CUQVCA5K8 maybe with more people involved you can get a better answer (I can't answer for this by myself) and more support for your requirement. |
Thanks for the feedback. Yes, I wasn't aware that the account ownership is unclear. In general, verifying a GitHub organization is dead simple if you are the account owner and control the domain that you list on the organization's page (for https://github.com/erlef it is https://erlef.org/). It's just a matter of adding a DNS record. Having a confirmed email address is also not something I would describe as difficult, if the organization's emails are working. So the only remaining question is about enabling Two-Factor Authentication, which to me seems perfectly natural for the type of account that we're talking about. Yes, it would affect the list of members at https://github.com/orgs/erlef/people, but only those who do not already have 2FA activated on their personal accounts. Either way... it affects anyone trying to set up a CI/CD pipeline for the first time at a company / org that has the security setting enabled to "restrict actions to ones that are verified in the GitHub Marketplace". From what I can see, the setting can only be flipped for the whole org, affecting all of the repos, which would probably be a no-go in most corporate environments. So my feeling is that not having this action is probably a barrier-to-entry for proof-of-concept / demo type work at bigger organizations, which is the scenario that I was in when raising the issue. |
P.S. In case it helps, here is a run-through that shows where the relevant settings can be found: https://ludwiguer.medium.com/add-a-verified-badge-to-your-github-organization-41391834a16a |
Just chiming in that I too would love to use this action, but am currently blocked due to the security settings discussed in the description. This would be a real boon to my work. |
Hi all, we are in the process of verification now 🎉 The final verification request has been sent to GitHub so merely waiting on their response 😄 |
Awesome! Thanks for that 😁 |
The |
I tried publishing a new version of this to the Marketplace to see if it'd show as "creator-verified" but it didn't. I'm not sure there's a job running to identify this, or something else, but we might be missing some more actions, @starbelly. On the other hand, @petrus-jvrensburg, could you run this under the initial conditions that got you to create the issue, and tell us how it went? (the doc. seems to indicate "Verified" in org. is different from "Verified" in action, but I tested this in another org. and I got ✅) |
@paulo-ferraz-oliveira The domain is verified, but we are still waiting on overall verification which is a request to GitHub. Presumably this is a manual job, as such I would not expect it to be complete until Monday. Edit: There may be one other step as well. The articles linked to indicate that it's all related to apps vs actions. We needed to be verified regardless. That said, it links to this page: https://docs.github.com/en/actions/creating-actions/publishing-actions-in-github-marketplace , which states if you want a badge you need to send in email to |
To note we are still waiting, I suppose if I don't hear back by tomorrow, I will send an email. |
Emailed :) |
Got response, next step which I've asked someone else to fill out is a form required for GitHub tech partners. |
Good ol' human trust! |
The process for becoming a tech. partner (which is required for actions to be verified) has started. |
Good ol' bureaucracy in the works... |
@starbelly, did this ever move forward? Are we waiting for stuff on ErlEF's end or GitHub's? |
@paulo-ferraz-oliveira No, but thanks for the ping. I need to chase someone down. |
Depending on a GitHub organization's security settings, access to actions may be restricted to ones that are "verified in the GitHub Marketplace". Otherwise the workflow exits with a message like:
Would it be possible to get this action verified?