update terms and guidelines to account for code scanning workflows
This commit is contained in:
@@ -1,4 +1,4 @@
|
|||||||
This repository contains configuration for what users see when they click on the `Actions` tab.
|
This repository contains configuration for what users see when they click on the `Actions` tab and the setup page for Code Scanning.
|
||||||
|
|
||||||
It is not:
|
It is not:
|
||||||
* A playground to try out scripts
|
* A playground to try out scripts
|
||||||
@@ -6,7 +6,7 @@ It is not:
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
**Please note that we are not accepting new starter workflows at this time. Updates to existing starter workflows are fine.**
|
**Please note that at this time we are only accepting new starter workflows for Code Scanning. Updates to existing starter workflows are fine.**
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
@@ -21,16 +21,17 @@ In the workflow and properties files:
|
|||||||
- [ ] Include comments in the workflow for any parts that are not obvious or could use clarification.
|
- [ ] Include comments in the workflow for any parts that are not obvious or could use clarification.
|
||||||
- [ ] CI workflows should run on `push` to `branches: [ $default-branch ]` and `pull_request` to `branches: [ $default-branch ]`.
|
- [ ] CI workflows should run on `push` to `branches: [ $default-branch ]` and `pull_request` to `branches: [ $default-branch ]`.
|
||||||
- [ ] Packaging workflows should run on `release` with `types: [ created ]`.
|
- [ ] Packaging workflows should run on `release` with `types: [ created ]`.
|
||||||
|
- [ ] Code Scanning workflows should run on `push` to `branches: [ $default-branch, $protected-branches ]` and `pull_request` to `branches: [ $default-branch ]`. We also recommend a `schedule` trigger of `cron: $cron-weekly`.
|
||||||
|
|
||||||
Some general notes:
|
Some general notes:
|
||||||
|
|
||||||
- [ ] This workflow must only use actions that are produced by GitHub, [in the `actions` organization](https://github.com/actions), **or**
|
- [ ] This workflow must only use actions that are produced by GitHub, [in the `actions` organization](https://github.com/actions), **or**
|
||||||
- [ ] This workflow must only use actions that are produced by the language or ecosystem that the workflow supports. These actions must be [published to the GitHub Marketplace](https://github.com/marketplace?type=actions). Workflows using these actions must reference the action using the full 40 character hash of the action's commit instead of a tag. Additionally, workflows must include the following comment at the top of the workflow file:
|
- [ ] This workflow must only use actions that are produced by the language or ecosystem that the workflow supports. These actions must be [published to the GitHub Marketplace](https://github.com/marketplace?type=actions). We recommend that these actions be referenced using the full 40 character hash of the action's commit instead of a tag. Additionally, workflows must include the following comment at the top of the workflow file:
|
||||||
```
|
```
|
||||||
# This workflow uses actions that are not certified by GitHub.
|
# This workflow uses actions that are not certified by GitHub.
|
||||||
# They are provided by a third-party and are governed by
|
# They are provided by a third-party and are governed by
|
||||||
# separate terms of service, privacy policy, and support
|
# separate terms of service, privacy policy, and support
|
||||||
# documentation.
|
# documentation.
|
||||||
```
|
```
|
||||||
- [ ] This workflow must not send data to any 3rd party service except for the purposes of installing dependencies.
|
- [ ] Automation and CI workflows should not send data to any 3rd party service except for the purposes of installing dependencies.
|
||||||
- [ ] This workflow must not use a paid service or product.
|
- [ ] Automation and CI workflows cannot be dependent on a paid service or product.
|
||||||
|
|||||||
+4
-4
@@ -9,7 +9,7 @@ Contributions to this project are [released](https://help.github.com/articles/gi
|
|||||||
Please note that this project is released with a [Contributor Code of Conduct](
|
Please note that this project is released with a [Contributor Code of Conduct](
|
||||||
https://github.com/actions/.github/blob/main/CODE_OF_CONDUCT.md). By participating in this project you agree to abide by its terms.
|
https://github.com/actions/.github/blob/main/CODE_OF_CONDUCT.md). By participating in this project you agree to abide by its terms.
|
||||||
|
|
||||||
**At this time we are not accepting any new starter workflows**
|
**At this time we are only accepting new starter workflows for Code Scanning**
|
||||||
|
|
||||||
### Previous guidelines for new starter workflows.
|
### Previous guidelines for new starter workflows.
|
||||||
|
|
||||||
@@ -17,8 +17,8 @@ Before merging a new workflow, the following requirements need to be met:
|
|||||||
|
|
||||||
- Should be as simple as is needed for the service.
|
- Should be as simple as is needed for the service.
|
||||||
- There are many programming languages and tools out there. Right now we don't have a page that allows for a really large number of workflows, so we do have to be a little choosy about what we accept. Less popular tools or languages might not be accepted.
|
- There are many programming languages and tools out there. Right now we don't have a page that allows for a really large number of workflows, so we do have to be a little choosy about what we accept. Less popular tools or languages might not be accepted.
|
||||||
- Should not send data to any 3rd party service except for the purposes of installing dependencies.
|
- Automation and CI workflows should not send data to any 3rd party service except for the purposes of installing dependencies.
|
||||||
- Cannot use an Action that isn't in the `actions` organization.
|
- Automation and CI workflows cannot be dependent on a paid service or product.
|
||||||
- Cannot be to a paid service or product.
|
- We recommend that Actions outside of the `actions` organization be pinned to a specific SHA.
|
||||||
|
|
||||||
Thank you
|
Thank you
|
||||||
|
|||||||
@@ -18,4 +18,5 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|||||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||||
SOFTWARE.
|
SOFTWARE. THIS LICENSE DOES NOT GRANT YOU RIGHTS TO USE ANY CONTRIBUTORS'
|
||||||
|
NAME, LOGO, OR TRADEMARKS.
|
||||||
|
|||||||
@@ -13,6 +13,7 @@ These are the workflow files for helping people get started with GitHub Actions.
|
|||||||
**Directory structure:**
|
**Directory structure:**
|
||||||
* [ci](ci): solutions for Continuous Integration
|
* [ci](ci): solutions for Continuous Integration
|
||||||
* [automation](automation): solutions for automating workflows.
|
* [automation](automation): solutions for automating workflows.
|
||||||
|
* [code-scanning](code-scanning): starter workflows for [Code Scanning](https://github.com/features/security)
|
||||||
* [icons](icons): svg icons for the relevant template
|
* [icons](icons): svg icons for the relevant template
|
||||||
|
|
||||||
Each workflow must be written in YAML and have a `.yml` extension. They also need a corresponding `.properties.json` file that contains extra metadata about the workflow (this is displayed in the GitHub.com UI).
|
Each workflow must be written in YAML and have a `.yml` extension. They also need a corresponding `.properties.json` file that contains extra metadata about the workflow (this is displayed in the GitHub.com UI).
|
||||||
|
|||||||
Reference in New Issue
Block a user