Action workflows can be enabled by writing a yaml file inside .github/workflows folder of a given repository. These workflows run arbitrary code from GitHub repositories and with read/write permissions in the repository assets. This can be dangerous as anyone with write permissions to the repository can enable workflows using malicious code. To mitigate this only workflows with pinned commits within an allowed list can be executed.
Flutter repositories have workflows enabled with readonly ACLs by default. The ACLs can be overwritten providing specific permissions in the configuration file.
Determining whether a given workflow is secure or not goes well beyond flutter's capacity and it is the responsibility of the person enabling the workflow to diligently check the workflow for any potential security issues.
To add a new workflow please open a new bug using the ticket queue process. The following data points are required:
To update an existing workflow please open a new bug using the ticket queue process. The following data points are required:
flutter/engine please do not add any action workflows to this repository. The preferred way of building and testing is to use LUCI. This allows to plan for scalability, security and maintainability.
flutter/flutter the main use of workflows in this repo is to process bugs, projects, etc. Please do not use action workflows to build, run tests or release artifacts.
New workflow:
Update workflow: