Remove third-party actions (where possible) about brew HOT 9 CLOSED

Strong +1 from me! Removing external dependencies in favor of gh invocations will improve our CI/CD's security profile (and will decrease the number of hops needed when a workflow regresses or breaks).

from brew.

What actions do you have in mind?

Mainly the ones that simple and/or are attached to a single user rather than a reputable organisation e.g. github/actions/ruby/etc.

Looking at the list of approved ones the ones that probably should be investigated for replacing are:

• dessant/lock-threads@*
• peter-evans/*
• reitermarkus/*

and removing:

• Vampire/setup-wsl@*,

from brew.

Octokit.js is better for testing over gh, but am ok with gh to unblock anything.

What actions do you have in mind? We could make a ruby/setup-ruby that uses Portable Ruby. Anything else?

from brew.

Octokit.js is better for testing over gh

Ah misread this for writing new actions. In that case yeah if we're just replacing workflow steps then for most of the above gh makes sense!

from brew.

removing: Vampire/setup-wsl@*

This is used in the Homebrew/install for testing the install on a Windows runner. Do we not need that anymore? Or can we hack something together ourselves.

from brew.

We might be able to do something that uses WSL2 (GitHub runners use WSL1 by default, which we technically have dropped support for) now that nested virtualisation is now supported on Windows runners.

from brew.

Do we not need that anymore? Or can we hack something together ourselves.

Not enough to warrant the security implications.

Either hack it ourselves or, more likely, just not bother testing WSL.

from brew.

I've handled WSL given I've had plenty experience using it and running the various commands: Homebrew/install#859

from brew.

I'd say this is pretty much done now, thanks all.

from brew.