Commit

Merge pull request #204 from raboof/link-to-github-actions-security-wikipage

Link to GitHub Actions security wiki page
christ authored Oct 3, 2024
2 parents 117612d + 9797533 commit d7cddaa
Showing 2 changed files with 7 additions and 2 deletions.
2 changes: 2 additions & 0 deletions content/pages/github-actions-policy.md
@@ -5,6 +5,8 @@ This page documents the policies for using [GitHub Actions](github-actions-secre

For details on the use of requirement level terms, see the <a href="https://www.ietf.org/rfc/rfc2119.txt" target="_blank">requirements levels</a> standard.

For additional advice on how to use this feature safely, see <a href="https://cwiki.apache.org/confluence/display/BUILDS/GitHub+Actions+Security" target="_blank">GitHub Actions Security</a>.

### Resource use
Due to misconfigurations in their builds, some projects have been using unsupportable numbers of [GitHub Actions](github-actions-secrets.html). As part of fixing this situation, Infra has established a policy for GitHub Actions use. This section of the policy comes into effect on **April 20, 2024**:

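Review bot: the added sentence ("how to use this feature safely") should say what "this feature" is and how the linked page relates to the policy, since the paragraph just above defines RFC 2119 requirement levels and a reader may take the wiki's advice as normative. Suggest "For additional, non-normative advice on using GitHub Actions safely, see ..." so the policy (MUST/SHOULD terms) and the guidance (cwiki page) are clearly distinguished. Also note that the new anchor follows the existing `target="_blank"` convention of the line above it, which is consistent, while the rest of the page links internally with markdown syntax.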
7 changes: 5 additions & 2 deletions content/pages/github-actions-secrets.md
@@ -1,8 +1,6 @@
Title: GitHub Actions and Secrets
license: https://www.apache.org/licenses/LICENSE-2.0

**Notice**: December 27, 2020: We only allow Actions that are official "Made by GitHub" or local to the Apache org on GitHub, to address a potential security vulnerability. This is an incident-related policy change. We are researching the situation, and the policy may evolve based on what we learn.

**GitHub <a href="https://help.github.com/en/actions/getting-started-with-github-actions/about-github-actions" target="_blank">Actions</a>** help you automate your software development workflows in the same place you store code and collaborate on pull requests and issues. You can write individual tasks, called actions, and combine them to create a custom workflow. Workflows are custom automated processes that you can set up in your repository to build, test, package, release, or deploy any code project on GitHub.

***A note on testing***: Some projects would like to use GitHub Actions for complex processes, such as automating their tests of software builds.
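Review bot: the hunk header shows two lines removed from this region (8 lines before, 6 after), but the commit message only describes adding a link. If the December 27, 2020 **Notice** restricting projects to "Made by GitHub" or Apache-local Actions is what is being dropped, the commit message or the page should state that the incident-related restriction has been superseded (for example by the linked policy page), so readers do not lose track of whether the allow-list rule still applies.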
@@ -59,3 +57,8 @@ Further information is at these pages:

- <a href="https://github.com/gradle/actions/blob/main/docs/setup-gradle.md#managing-develocity-access-keys" target="_blank">Managing Develocity access keys</a>
- <a href="https://docs.gradle.com/develocity/gradle-plugin/current/#short_lived_access_tokens" target="_blank">Short-lived access tokens</a>

### Links ###

- The [Apache GitHub Actions Policy](github-actions-policy.html)
- Advice for <a href="https://cwiki.apache.org/confluence/display/BUILDS/GitHub+Actions+Security">GitHub Actions Security</a>

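Review bot: the new heading `### Links ###` uses closing hashes while the other heading visible in this change (`### Resource use` in github-actions-policy.md) does not; suggest `### Links` for consistency. The new cwiki anchor also omits `target="_blank"`, unlike the two Gradle links immediately above it in the same list, so either add it or drop it from the others so the page behaves uniformly.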