update terms and guidelines to account for code scanning workflows
@@ -1,4 +1,4 @@
|
||||
This repository contains configuration for what users see when they click on the `Actions` tab.
|
||||
This repository contains configuration for what users see when they click on the `Actions` tab and the setup page for Code Scanning.
|
||||
|
||||
It is not:
|
||||
* A playground to try out scripts
|
||||
@@ -6,7 +6,7 @@ It is not:
|
||||
|
||||
---
|
||||
|
||||
**Please note that we are not accepting new starter workflows at this time. Updates to existing starter workflows are fine.**
|
||||
**Please note that at this time we are only accepting new starter workflows for Code Scanning. Updates to existing starter workflows are fine.**
|
||||
|
||||
---
|
||||
|
||||
@@ -21,16 +21,17 @@ In the workflow and properties files:
|
||||
- [ ] Include comments in the workflow for any parts that are not obvious or could use clarification.
|
||||
- [ ] CI workflows should run on `push` to `branches: [ $default-branch ]` and `pull_request` to `branches: [ $default-branch ]`.
|
||||
- [ ] Packaging workflows should run on `release` with `types: [ created ]`.
|
||||
- [ ] Code Scanning workflows should run on `push` to `branches: [ $default-branch, $protected-branches ]` and `pull_request` to `branches: [ $default-branch ]`. We also recommend a `schedule` trigger of `cron: $cron-weekly`.
|
||||
|
||||
Some general notes:
|
||||
|
||||
- [ ] This workflow must only use actions that are produced by GitHub, [in the `actions` organization](https://github.com/actions), **or**
|
||||
- [ ] This workflow must only use actions that are produced by the language or ecosystem that the workflow supports. These actions must be [published to the GitHub Marketplace](https://github.com/marketplace?type=actions). Workflows using these actions must reference the action using the full 40 character hash of the action's commit instead of a tag. Additionally, workflows must include the following comment at the top of the workflow file:
|
||||
- [ ] This workflow must only use actions that are produced by the language or ecosystem that the workflow supports. These actions must be [published to the GitHub Marketplace](https://github.com/marketplace?type=actions). We recommend that these actions be referenced using the full 40 character hash of the action's commit instead of a tag. Additionally, workflows must include the following comment at the top of the workflow file:
|
||||
```
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
```
|
||||
- [ ] This workflow must not send data to any 3rd party service except for the purposes of installing dependencies.
|
||||
- [ ] This workflow must not use a paid service or product.
|
||||
- [ ] Automation and CI workflows should not send data to any 3rd party service except for the purposes of installing dependencies.
|
||||
- [ ] Automation and CI workflows cannot be dependent on a paid service or product.
|
||||
|
||||
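Review bot: In the third-party actions checkbox, changing "must reference the action using the full 40 character hash" to "We recommend that these actions be referenced using the full 40 character hash" allows a starter workflow to reference a Marketplace action by tag, and a tag can be moved to a different commit after the workflow was reviewed. Consider keeping the full-hash requirement for actions outside the `actions` organization, or stating when a tag is acceptable. The last two checkboxes are also now scoped to "Automation and CI workflows", which leaves Code Scanning workflows with no stated rule on third-party data or paid services; a checkbox saying what such a workflow may send, and that the workflow comments must document it, would close that gap.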
+4
-4
@@ -9,7 +9,7 @@ Contributions to this project are [released](https://help.github.com/articles/gi
|
||||
Please note that this project is released with a [Contributor Code of Conduct](
|
||||
https://github.com/actions/.github/blob/main/CODE_OF_CONDUCT.md). By participating in this project you agree to abide by its terms.
|
||||
|
||||
**At this time we are not accepting any new starter workflows**
|
||||
**At this time we are only accepting new starter workflows for Code Scanning**
|
||||
|
||||
### Previous guidelines for new starter workflows.
|
||||
|
||||
@@ -17,8 +17,8 @@ Before merging a new workflow, the following requirements need to be met:
|
||||
|
||||
- Should be as simple as is needed for the service.
|
||||
- There are many programming languages and tools out there. Right now we don't have a page that allows for a really large number of workflows, so we do have to be a little choosy about what we accept. Less popular tools or languages might not be accepted.
|
||||
- Should not send data to any 3rd party service except for the purposes of installing dependencies.
|
||||
- Cannot use an Action that isn't in the `actions` organization.
|
||||
- Cannot be to a paid service or product.
|
||||
- Automation and CI workflows should not send data to any 3rd party service except for the purposes of installing dependencies.
|
||||
- Automation and CI workflows cannot be dependent on a paid service or product.
|
||||
- We recommend that Actions outside of the `actions` organization be pinned to a specific SHA.
|
||||
|
||||
Thank you
|
||||
|
||||
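Review bot: The new last bullet, "We recommend that Actions outside of the `actions` organization be pinned to a specific SHA", replaces "Cannot use an Action that isn't in the `actions` organization" without saying which outside actions are acceptable, while the pull request checklist in this same commit limits them to actions produced by the language or ecosystem and published to the GitHub Marketplace, and requires the third-party comment at the top of the workflow file. Suggest repeating those conditions here or linking to the checklist, and using the same wording, "the full 40 character hash of the action's commit", so that "a specific SHA" is not read as allowing an abbreviated hash.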
@@ -18,4 +18,5 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
SOFTWARE. THIS LICENSE DOES NOT GRANT YOU RIGHTS TO USE ANY CONTRIBUTORS'
|
||||
NAME, LOGO, OR TRADEMARKS.
|
||||
|
||||
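Review bot: The added sentence "THIS LICENSE DOES NOT GRANT YOU RIGHTS TO USE ANY CONTRIBUTORS' NAME, LOGO, OR TRADEMARKS." is appended on the same line as the closing "SOFTWARE." of the warranty disclaimer, so the existing license paragraph itself is modified and the new term is easy to miss. Suggest leaving the disclaimer paragraph unchanged and placing the trademark sentence in its own paragraph after a blank line, and mentioning the license change explicitly in the commit message.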
@@ -13,6 +13,7 @@ These are the workflow files for helping people get started with GitHub Actions.
|
||||
**Directory structure:**
|
||||
* [ci](ci): solutions for Continuous Integration
|
||||
* [automation](automation): solutions for automating workflows.
|
||||
* [code-scanning](code-scanning): starter workflows for [Code Scanning](https://github.com/features/security)
|
||||
* [icons](icons): svg icons for the relevant template
|
||||
|
||||
Each workflow must be written in YAML and have a `.yml` extension. They also need a corresponding `.properties.json` file that contains extra metadata about the workflow (this is displayed in the GitHub.com UI).
|
||||
|
||||