
pdm-project as a Verified Creator #3

Closed
danielwilton-metoffice opened this issue Nov 1, 2023 · 19 comments

Comments

@danielwilton-metoffice

Hello. I was wondering if there were any plans for pdm-project to become a Verified Creator on Github?

Apologies as this is not necessarily an issue, but just wanted to raise as some organisational policies can restrict Actions usage based on this status. Appreciate all of the work you do on this project, thanks.

@ModeSevenIndustrialSolutions
Contributor

+1 It would be nice to see this implemented

@frostming
Contributor

It's not on the main path of the project. So +1 if anyone would like to contribute. But I will be using the GitHub actions for now.

@ModeSevenIndustrialSolutions
Contributor

Right now the issue is that any repository with DCO requirements enabled cannot merge the auto-generated PR, since the workflow is not embedding the required "signed-off-by" tag in the commit message. I assume that is why this issue has been raised? Right now, anybody requiring DCO has to pull down the PR and amend the commit message to manually add this. Seems to break the whole concept, which is to schedule the action and make the update easier to perform; i.e. just check the PR content and merge it. This creates some unpleasant additional friction. I could maybe take a look at this in the future, but I'm short on time right now.

@ModeSevenIndustrialSolutions
Contributor

ModeSevenIndustrialSolutions commented Nov 20, 2023

Actually, it seems that these issues are separate, although I think the publisher verification would still have merit given the high profile and utility of the PDM project. I'm going to raise a second issue covering the DCO requirement.

@ModeSevenIndustrialSolutions
Contributor

Frost Ming,

You have requested whether anybody from the community would like to pick up this action (to contribute time/effort to get the PDM project added as a GitHub verified creator). I work for the Linux Foundation and would happily work with the project to deliver that, although right now I have no particular affiliation with the PDM project/organisation. How might we proceed if I was to volunteer?

  • Matt

@frostming
Contributor

@ModeSevenIndustrialSolutions You can join the discord and we can start the chat there: https://discord.gg/Phn8smztpv

@ModeSevenIndustrialSolutions
Contributor

ModeSevenIndustrialSolutions commented Jan 11, 2024

So, I believe the steps required to get listed as a GitHub verified publisher are simply documented here:

GitHub Docs: Applying for publisher verification for your organization

This looks to be really straightforward; you need to generate a TXT token in the GitHub portal and add that to your project's DNS records. Once the DNS record is added, it is just a few more clicks in the GitHub portal, really only ten minutes' work in total. This does require a user account with access to the GitHub ORG (which I don't have for PDM), and the ability to add a DNS record to the project domain: pdm-project.org

It would seem to be a good idea to get this small piece of admin done? It links the PDM project site in a verified way to the related content on GitHub. I think this helps users confirm that they are dealing with the project and original content, not forks and other potential sources of confusion?

@ModeSevenIndustrialSolutions
Contributor

Should I close this issue and create one containing the information above under the main PDM project GitHub page/area?

@frostming
Contributor

> Should I close this issue and create one containing the information above under the main PDM project GitHub page/area?

Sure, I can close this one after you have created a new one.

@ModeSevenIndustrialSolutions
Contributor

See: pdm-project/pdm#2557

Feel free to proceed and close this issue!

@frostming
Contributor

Sorry, I still can't understand why verified creator is related to this "GitHub action".

All documents referred here say it applies to a published "GitHub App", and the verified creator tab in org settings also says:

> There must be 1 or more GitHub/OAuth App registered by the organization to request publisher verification

This action is obviously not an App.

If you mean that a pull request initiated by a bot can't comply with your security policy, you can use a Personal Access Token associated with a member of your organization and use it as the token value:

```yaml
steps:
  - uses: actions/checkout@v3

  - name: Update dependencies
    uses: pdm-project/update-deps-action@main
    with:
      token: ${{ secrets.GH_PAT }}
```

@frostming frostming reopened this Jan 15, 2024
@ModeSevenIndustrialSolutions
Contributor

I think it's the marketplace that is the common element.

The bottom of this page would suggest verification can be applied to actions?

https://docs.github.com/en/actions/creating-actions/publishing-actions-in-github-marketplace

At the end of the day, validating your domain and authenticity in this case is not a huge amount of work. Why the resistance? ;-)

@ModeSevenIndustrialSolutions
Contributor

ModeSevenIndustrialSolutions commented Jan 23, 2024

Here is a good example of why some people feel this is worth pursuing:

[image]

There's a configuration option for:

Allow actions by Marketplace verified creators

@frostming
Contributor

The request is pending review

@danielwilton-metoffice
Author

danielwilton-metoffice commented Jan 24, 2024

> Here is a good example of why some people feel this is worth pursuing:
>
> [image] There's a configuration option for:
>
> Allow actions by Marketplace verified creators

Exactly this.
I'm seeing a lot of larger organisations that look towards adopting new tools have this restriction in place.

Thanks for considering this!

@frostming
Contributor

frostming commented Jan 30, 2024

Fine, it's more difficult than you and I would think to gain such a badge.

> GitHub Docs: Applying for publisher verification for your organization
>
> This looks to be really straightforward; you need to generate a TXT token in the GitHub portal and add that to your project's DNS records. Once the DNS record is added, it is just a few more clicks in the GitHub portal, really only ten minutes' work in total. This does require a user account with access to the GitHub ORG (which I don't have for PDM), and the ability to add a DNS record to the project domain: pdm-project.org

I doubt if anybody in this thread has succeeded in publishing a verified action into the marketplace. I've finished the steps mentioned above and finally got approved. To prove I am not lying, here it is:

[image]

But as you can see, the published action still doesn't get a "Verified" badge. The place seems to be related to OAuth Apps and GitHub Apps only, which I've repeated many times but nobody hears.

> All documents referred here say it applies to a published "GitHub App", and the verified creator tab in org settings also says:
>
> There must be 1 or more GitHub/OAuth App registered by the organization to request publisher verification
>
> This action is obviously not an App.

However, at the bottom of this page (thanks to @ModeSevenIndustrialSolutions), it seems to mention an Action badge, but that requires the org to be a partner of GitHub and I have to fill in a partnership form which I don't think the PDM org is eligible for. But no worry, I also gave it a try.

Also look at the list of verified actions: all belong to a startup company or tech organizations much bigger than PDM, which is a one-man show.

@frostming
Contributor

frostming commented Jan 30, 2024

Alternatives for you with such restrictions:

  • setup-pdm: actions/setup-python + pipx install pdm (pipx is pre-installed in the Python environment)
  • update-deps-action: set up a periodic workflow to run pdm update
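As an added illustration of two suggestions in this thread (the Personal Access Token used as the action's token value earlier, and the setup-python + pipx alternative just listed), here is a constructed workflow that is not pdm-project's own code. It uses only GitHub-owned actions plus the pre-installed pipx, so it runs under an "Allow actions by Marketplace verified creators" policy, and it adds the DCO "Signed-off-by" trailer that the earlier comment about DCO-enabled repositories was missing. Assumptions: the repository commits pdm.lock, and a fine-grained PAT belonging to an org member is stored as the `GH_PAT` secret (name taken from the snippet above); the committer identity is a placeholder.

```yaml
# Constructed example, not pdm-project's own workflow: runs `pdm update`
# on a schedule using only GitHub-owned actions plus the pipx that is
# pre-installed on the runner, then opens a pull request whose commit
# carries a DCO "Signed-off-by" trailer (git commit -s).
name: Update dependencies without third-party actions

on:
  schedule:
    - cron: "0 6 * * 1"   # every Monday, 06:00 UTC
  workflow_dispatch:

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Assumed secret: a fine-grained PAT owned by an org member so the
          # push and the PR are attributed to a person, not github-actions[bot].
          token: ${{ secrets.GH_PAT }}

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install PDM with pipx
        run: pipx install pdm

      - name: Update dependencies
        run: pdm update

      - name: Open a signed-off pull request
        env:
          GH_TOKEN: ${{ secrets.GH_PAT }}   # used by the gh CLI below
        run: |
          if git diff --quiet -- pdm.lock; then
            echo "pdm.lock unchanged; nothing to do."
            exit 0
          fi
          branch="deps/pdm-update-$(date -u +%Y%m%d)"
          git config user.name  "Example Maintainer"            # placeholder identity
          git config user.email "maintainer@example.invalid"    # placeholder address
          git checkout -b "$branch"
          git add pdm.lock
          # -s appends "Signed-off-by: Example Maintainer <...>", which DCO checks require
          git commit -s -m "chore: update dependencies with pdm update"
          git push --set-upstream origin "$branch"
          gh pr create --fill --base "$GITHUB_REF_NAME"
```

Reviewers still only need to inspect the lock-file diff and merge; the sign-off is already on the commit, so no local amend is required.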

@ModeSevenIndustrialSolutions
Contributor

Thanks frostming; I do think GitHub could be clearer on the benefits and the actual process involved. I did read the partnership documentation, and it does indeed seem to be geared towards larger commercial entities, primarily selling GitHub applications. I guess that might change, and could later be adapted to better suit smaller open source projects. If the work/effort gets parked here at this point, then we can always wait until the situation changes or we get some clarity? If this ticket were to stay open, then at least the conversation is logged and available as a record of the issues and related discussion.

@danielwilton-metoffice
Author

Just noticed that pdm-project is now a Verified Creator!

See 'Verified' badge on project homepage:
https://github.com/pdm-project

Thanks so much @frostming 😄
