
Verify this action in GitHub Marketplace #238

Open

petrus-jvrensburg opened this issue Dec 11, 2023 · 22 comments

Labels: enhancement (New feature or request)

Comments

@petrus-jvrensburg

Depending on a Github organization's security settings, access to actions may be restricted to ones that are "verified in the GitHub Marketplace". Otherwise the workflow exits with a message like:

Error: .github#L1
erlef/setup-beam@v1 is not allowed to be used in MyOrg/my-repo. Actions in this workflow must be: within a repository owned by MyOrg, created by GitHub, or verified in the GitHub Marketplace.

Would it be possible to get this action verified?
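As an added illustration of the org-level control behind that error (this is example code, not part of erlef/setup-beam or the issue), the script below applies the rule from the message to every `uses:` reference in a workflow: an action passes only if it is owned by the organization, created by GitHub, from a verified creator, or explicitly allow-listed. The policy keys mirror the JSON shape of GitHub's `GET /orgs/{org}/actions/permissions/selected-actions` endpoint; the verified-creator set, the workflow excerpt and the assumption that GitHub-created actions live under the `actions` and `github` owners are constructed stand-ins, since marketplace verification can only be confirmed against GitHub itself.

```python
import fnmatch
import re

# Constructed sample policy (same field names as GitHub's selected-actions API):
# GitHub-created and verified-creator actions allowed, plus one explicit pattern.
POLICY = {
    "github_owned_allowed": True,
    "verified_allowed": True,
    "patterns_allowed": ["hashicorp/*"],
}
VERIFIED_CREATORS = {"docker"}          # constructed stand-in, not real data
GITHUB_OWNERS = {"actions", "github"}   # assumption: owners of GitHub-created actions

# Constructed workflow excerpt; the `uses:` lines are what the policy is applied to.
WORKFLOW = """
steps:
  - uses: actions/checkout@v4
  - uses: erlef/setup-beam@v1
    with:
      otp-version: '26'
  - uses: MyOrg/internal-action@main
  - uses: docker/setup-buildx-action@v3
  - uses: hashicorp/setup-terraform@v3
"""


def uses_refs(workflow_text):
    """Return every `owner/repo@ref` string found on a `uses:` line."""
    return re.findall(r"^\s*-?\s*uses:\s*(\S+)", workflow_text, re.M)


def check_action(ref, org, policy, verified_creators):
    """Return (allowed, reason) for one reference, in the order the error lists."""
    owner = ref.split("/", 1)[0]
    if owner.lower() == org.lower():
        return True, "within a repository owned by the organization"
    if policy.get("github_owned_allowed") and owner in GITHUB_OWNERS:
        return True, "created by GitHub"
    if policy.get("verified_allowed") and owner in verified_creators:
        return True, "verified in the GitHub Marketplace"
    for pattern in policy.get("patterns_allowed", []):
        # Patterns may be written with or without the @ref part, e.g. owner/* or owner/repo@*
        if fnmatch.fnmatchcase(ref, pattern) or fnmatch.fnmatchcase(ref.split("@")[0], pattern):
            return True, f"matches allow-list pattern {pattern}"
    return False, "blocked: not org-owned, GitHub-created, verified or allow-listed"


def audit(workflow_text, org, policy, verified_creators):
    """Map each referenced action to its policy decision."""
    return {ref: check_action(ref, org, policy, verified_creators)
            for ref in uses_refs(workflow_text)}


if __name__ == "__main__":
    for ref, (ok, why) in audit(WORKFLOW, "MyOrg", POLICY, VERIFIED_CREATORS).items():
        print(f"{'ALLOW' if ok else 'BLOCK'} {ref}: {why}")
```

Running it reproduces the situation in the issue: `erlef/setup-beam@v1` is the only reference the policy blocks.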

@paulo-ferraz-oliveira
Collaborator

Related: #129

I'm still not sure how we'd go about with a good process for this. I'm Ok with 2FA, though.

@starbelly, thoughts?

@starbelly
Member

@paulo-ferraz-oliveira Oh, indeed we should get verified. I'll look into this tomorrow.

@paulo-ferraz-oliveira
Collaborator

We need to:

  • check constraints for this, like the 2FA thing, for example
  • potentially a way to automate the release or, at the very least, have a process for it

(I'll keep following the thread)

@paulo-ferraz-oliveira
Collaborator

For future ref: https://docs.github.com/en/apps/github-marketplace/github-marketplace-overview/about-marketplace-badges

There are bullet points there that we'd need to discuss on how to move forward.

@petrus-jvrensburg
Author

For future ref: https://docs.github.com/en/apps/github-marketplace/github-marketplace-overview/about-marketplace-badges

There are bullet points there that we'd need to discuss on how to move forward.

  • Verified ownership of their domain and has a verified badge on their profile
  • Confirmed their email address so GitHub Support can reach the organization
  • Required two-factor authentication for their organization.

👆Anyone against implementing this? Seems like low-hanging-fruit IMHO. Would be great to remove this hurdle to BEAM adoption in corporate environments.

@paulo-ferraz-oliveira
Collaborator

There are a couple of issues that we need to consider, e.g. I don't have (or at least I don't use) an erlef e-mail, and I'm (at the moment) one of the most active developers and reviewers for this action. I'm assuming such an email is required because of the conditions shown above (and in the documentation).

Am I against your proposal? No, but I still need to check with other people/devs, as this action has no "owner", it's maintained by some interested members of the EEF, me included.

Can I verify ownership of the domain? No, because 1. I don't know what domain we're talking about, 2. I don't own any domain 😄

If two-factor is required for the whole organisation, maybe this'll raise questions for many members. (Also, is this the member list we're talking about? I can release the action, for example, and I'm not part of the organisation - should I be?)

I do agree it seems like low-hanging-fruit (but I did raise some questions as you can see above) but on the other hand this has been requested now only twice by two different people. Is it really hurdling adoption for the whole community (or those yet to adopt Erlang, which would be even more strange to understand?). The other time was here and it got a single 👍 as I stated in the comments.

Has this been discussed in the forums? Or Slack? Have you tried to join an EEF WG to bring it up if it's causing issues? e.g. https://the-eef.slack.com/archives/CUQVCA5K8. Maybe with more people involved you can get a better answer (I can't answer for this by myself) and more support for your requirement.

@petrus-jvrensburg
Author

Thanks for the feedback. Yes, I wasn't aware that the account ownership is unclear.

In general, verifying a GitHub organization is dead simple if you are the account owner and control the domain that you list on the organization's page (for https://github.com/erlef it is https://erlef.org/). It's just a matter of adding a DNS record.

Having a confirmed email address is also not something I would describe as difficult, if the organization's emails are working.

So the only remaining question is about enabling Two-Factor Authentication, which to me seems perfectly natural for the type of account that we're talking about. Yes, it would affect the list of members at https://github.com/orgs/erlef/people, but only those who do not already have 2FA activated on their personal accounts.

Either way... it affects anyone trying to set up a CI/CD pipeline for the first time at a company / org that has the security setting enabled to "restrict actions to ones that are verified in the GitHub Marketplace". From what I can see, the setting can only be flipped for the whole org, affecting all of the repos, which would probably be a no-go in most corporate environments. So my feeling is that not having this action is probably a barrier-to-entry for proof-of-concept / demo type work at bigger organizations, which is the scenario that I was in when raising the issue.

@petrus-jvrensburg
Author

P.S. In case it helps, here is a run-through that shows where the relevant settings can be found: https://ludwiguer.medium.com/add-a-verified-badge-to-your-github-organization-41391834a16a

@tjarratt

Just chiming in that I too would love to use this action, but am currently blocked due to the security settings discussed in the description. This would be a real boon to my work.

@starbelly
Member

Hi all, we are in the process of verification now 🎉 The final verification request has been sent to GitHub, so we're merely waiting on their response 😄

@petrus-jvrensburg
Author

Awesome! Thanks for that 😁

@paulo-ferraz-oliveira paulo-ferraz-oliveira added enhancement New feature or request and removed stale labels Jun 16, 2024
@paulo-ferraz-oliveira
Collaborator

The erlef org. is now Verified (https://github.com/erlef). That's a step in the right direction 😄

@paulo-ferraz-oliveira
Collaborator

I tried publishing a new version of this to the Marketplace to see if it'd show as "creator-verified" but it didn't. I'm not sure there's a job running to identify this, or something else, but we might be missing some more actions, @starbelly.

On the other hand, @petrus-jvrensburg, could you run this under the initial conditions that got you to create the issue, and tell us how it went? (the doc. seems to indicate "Verified" in org. is different from "Verified" in action, but I tested this in another org. and I got ✅)

@starbelly
Member

starbelly commented Jun 16, 2024

@paulo-ferraz-oliveira The domain is verified, but we are still waiting on overall verification, which is a request to GitHub. Presumably this is a manual job, so I would not expect it to be complete until Monday.

Edit: There may be one other step as well. The articles linked to indicate that it's all related to apps vs. actions. We needed to be verified regardless. That said, it links to this page: https://docs.github.com/en/actions/creating-actions/publishing-actions-in-github-marketplace, which states that if you want a badge you need to send an email to partnerships@. Since the docs are confusing, I will hold off on this last step until we are verified as a publisher.

@starbelly
Member

To note, we are still waiting. I suppose if I don't hear back by tomorrow, I will send an email.

@starbelly
Member

Emailed :)

@starbelly
Member

Got a response. The next step, which I've asked someone else to fill out, is a form required for GitHub tech partners.

@paulo-ferraz-oliveira
Collaborator

Good ol' human trust!

@starbelly
Member

The process for becoming a tech partner (which is required for actions to be verified) has started.

@paulo-ferraz-oliveira
Collaborator

Good ol' bureaucracy in the works...

@paulo-ferraz-oliveira
Collaborator

@starbelly, did this ever move forward? Are we waiting for stuff on ErlEF's end or GitHub's?

@starbelly
Member

@paulo-ferraz-oliveira No, but thanks for the ping. I need to chase someone down.


4 participants