This page describes the current status of GitHub Actions for Apache Software Foundation projects. This page is maintained by the community.

Summary updated: 16.10.2023

If you are a Committer/PMC member of an ASF project and thinking about migrating to GitHub Actions, this is the current status:

  • If you want to use GitHub Actions, consider using your own self-hosted runner, but only if you can afford to build and maintain your own self-hosted infrastructure (this is not an easy task due to security limitations of the official GitHub Actions runners).
  • If you decide to use GitHub Actions, be very careful to mitigate some of the security problems you might have if you follow the GitHub Actions setup shown in the existing examples. Extra hardening is required in your workflows if you want to protect your project from 3rd-party dependencies gaining WRITE access to your repository.


Overall status of GitHub Actions for Apache Software Foundation projects

There are already quite a few projects using GitHub Actions. However, there are some potential security implications that you have to be aware of when starting to use GitHub Actions.

There are a few discussions that you can read at builds@apache.org about these issues:

The issues with GitHub Actions revolve around Billing and Security.

Detailed status

Billing

All public projects, resources, images, etc. on GitHub are generally free (not only Apache Software Foundation ones). No problem with that. You will not incur any costs as long as you do not create any "private" resources, so there is no way you can create billing consequences.
However, there is an important caveat: the more projects use GitHub Actions, the more they all compete for a shared job queue. The Apache Software Foundation has an "Enterprise" organization status in GitHub.

Performance/Scalability

No current issues.

Security

There are a number of security problems you have to be aware of. 3rd-party actions and 3rd-party dependencies are huge security risks if not used appropriately (basically, if you use Actions the way the examples suggest, you are open to easy exploitation by the Action authors). If you do not add Actions securely, you are exposed to any kind of uncontrolled "write" modification of your repository (!) by 3rd-party Action owners AND (as we have learned recently) by the 3rd-party dependencies you install in your build pipeline. One of these problems caused INFRA to disable the "direct" use of 3rd-party Actions at the organisation level (see the discussion), but there are many more risks that you have to be aware of.

There are two critical security vulnerability reports opened by Jarek Potiuk on 30 December 2020 with GitHub Actions; both of them have been triaged and are awaiting action on the GitHub side. GitHub Security Lab, which in December encouraged users to post their experiences, is engaged as well. All of those issues can be mitigated (Apache Airflow has implemented all the mitigations), but the mitigations are not what most projects do.
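The hardening that the introduction and this section call for, shown as an added example that is not from this page, from INFRA or from any ASF project: two small CI workflows, the first written the way copied examples usually look, the second with the token permissions, event trigger and action pinning tightened. The two workflows are separate files in a real repository and are only joined here with `---` document markers. Action names are real (actions/checkout, actions/setup-python); the `<full-commit-sha>` values are placeholders for the 40-character commit SHA of the release you audited.

```yaml
# Weak form: what many copied examples look like.
name: ci-weak
on:
  pull_request_target:        # runs in the base repository context with a write-capable GITHUB_TOKEN and secrets
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3      # mutable tag: the action author (or whoever compromises them) can move it
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # checks out untrusted PR code into that context
      - run: pip install -r requirements.txt && pytest     # 3rd-party dependencies run with the write token
---
# Hardened form: least-privilege token, safe trigger, immutable action references.
name: ci-hardened
on:
  pull_request:               # PRs from forks get a read-only GITHUB_TOKEN and no repository secrets
permissions:
  contents: read              # workflow-wide default; a job must raise it explicitly if it needs more
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<full-commit-sha>   # placeholder: pin to an audited commit, not a tag
        with:
          persist-credentials: false  # do not leave the token in .git/config for later steps to read
      - uses: actions/setup-python@<full-commit-sha>  # placeholder: same rule for every 3rd-party action
        with:
          python-version: "3.11"
      - run: pip install -r requirements.txt && pytest     # dependencies now run with a read-only token
```

The three changes map onto the risks above: `permissions: contents: read` limits what a compromised dependency can do with the token, `pull_request` instead of `pull_request_target` keeps untrusted PR code out of a write-capable context, and pinning to a commit SHA means an action's owner cannot change what your workflow runs without a visible diff in your repository. Dependency pinning (lock files, hash checking) for the `pip install` step is a separate, further hardening step that this example does not show.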

Mitigations

If you decide to use GitHub Actions, these are the recommendations (there are varying opinions on the use of sub-modules, though):