From: Jacob Champion
Date: Thu, 28 May 2026 10:04:51 -0700
Subject: Re: Heads Up: cirrus-ci is shutting down June 1st
To: Andres Freund
Cc: Nazir Bilal Yavuz, Jelte Fennema-Nio, Thomas Munro, pgsql-hackers@postgresql.org

On Thu, May 28, 2026 at 9:13 AM Andres Freund wrote:
> On 2026-05-28 08:51:09 -0700, Jacob Champion wrote:
> > I was imagining a quick opt-in, like the Cirrus flow did, that fork
> > owners can do once they have checked their settings.
>
> I'm not aware of a good way to do that. I'm sure we could hack up a way,
> e.g. by requiring an environment variable to be configured on the repo level
> to opt-in,

That was more or less my thought.

> but it seems pretty crufty.
>
> I think making it easier for forks to run CI is a far bigger gain than the
> risk of GHA doing something stupid in a fork. There were a lot of folks that
> didn't realize that they could run CI individually or had a hard time enabling
> it.

Right, but Cirrus only ever had the ability to run a CI, not write to the
code base it was running. If we unleash a bunch of newcomer GitHub CIs
without first explaining "hey, you really need to lock some stuff down
first", I think we may be doing them all a disservice. Especially since
GitHub claims to protect downstream forks from this [1] -- which is
undocumented? -- but that protection appears to not actually work [2] if we
push a workflow at the root of the graph. (I haven't verified any of that
myself yet, but in the absence of documentation, I'm not really optimistic.)

> > Combining with the above: I'm worried that if all of our 5.7k forks have
> > permissive settings, and we accidentally ship a workflow vulnerability that
> > doesn't affect us but does affect them, that would not be a fun cleanup.
>
> I'm not sure what path for that would exist that doesn't already?

Using the current v2 patch, for instance, an `actions: write` token that
gets leaked by accident can then be used to approve pending workflow runs.
(Consensus seems to be forming that we shouldn't have those privileges in
the workflow spec, but we have to all remember why that rule exists when
we're reviewing workflow patches.)

--Jacob

[1] https://github.com/github/docs/issues/15761
[2] https://github.com/orgs/community/discussions/53510
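The two mechanisms discussed above, a repo-level opt-in for forks and a GITHUB_TOKEN that cannot approve or modify anything, in one GitHub Actions workflow. This is an added illustration, not the v2 patch from the thread or any PostgreSQL project file; the variable name PG_CI_ENABLED and the build steps are assumptions, and the commented-out `actions: write` block shows the grant the thread says a leaked token could abuse.

```yaml
# Added example, not part of the PostgreSQL patch under discussion.
# PG_CI_ENABLED and the build commands are assumptions for illustration.
name: CI

on:
  push:
  pull_request:

# Default the whole workflow's GITHUB_TOKEN to read-only. A token that
# leaks from a step (dumped environment, verbose log, compromised action)
# then cannot push, change repository settings, or approve workflow runs.
permissions:
  contents: read

# What NOT to grant at workflow level. The REST endpoint that approves a
# pending workflow run for a fork pull request requires the "actions"
# permission at write level, so a leaked token with this grant can approve
# runs that a human was supposed to vet first.
#
# permissions:
#   actions: write

jobs:
  build:
    # Opt-in gate for forks: the job runs only once the fork owner has set
    # the repository variable PG_CI_ENABLED to "true" under
    # Settings > Secrets and variables > Actions. Forks that never opt in
    # get a skipped job instead of an unreviewed, running workflow.
    if: ${{ vars.PG_CI_ENABLED == 'true' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: false
      - name: Build and test
        run: |
          ./configure
          make -j"$(nproc)"
          make check
```

Two things to check when reviewing a workflow patch against this shape: the top-level `permissions:` block should be present and read-only, and no job should re-widen it to `actions: write` or `contents: write` unless the step that needs it is isolated in its own job with its own `permissions:` block.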