Have Setup-tflint as a verified GH action

[ritaCanavarro]

Hello team,

We are currently using this action, but due to some internal policy requirements to keep using it we need to have it verified.
Is it possible to have this action as being verified by GH?

[bendrucker]

Do you have evidence that GitHub verifies other small open source projects?

https://docs.github.com/en/actions/creating-actions/publishing-actions-in-github-marketplace#about-badges-in-github-marketplace

Ultimately if you have security pressure you should probably fork the action which also sidesteps the third party ownership issue. Verification badges tell you that the action is published by a known organization but provide no actual verification of the action contents.

[ritaCanavarro]

Thanks, could you give me a status if it gets approved/refused?

[ritaCanavarro]

Hi, @bendrucker we decided to follow another route so we no longer need this action to be verified. Thank you for your time!

[ohmer]

Had the exact same issue and request. We ended up mirroring this repository to workaround our GitHub plan limited features.
I know the GitHub marketplace badge is not a thorough security audit but it would still help in my case.

Documentation says: For GitHub Free, GitHub Pro, GitHub Free for organizations, or GitHub Team plans, the Allow specified actions and reusable workflows option is only available in public repositories so this has no effect on private repositories.

What I wanted to do is to allow terraform-linters/setup-tflint in a private repository under a GitHub Pro plan. I can't without upgrading to enterprise plan (budget is tight, I can't justify just for this). Since we allow verified actions (this is good enough for us), this would avoid mirror this repository in our situation.

If this is not too much work for maintainers, could it still be done @bendrucker?

[bendrucker]

https://docs.github.com/en/apps/github-marketplace/github-marketplace-overview/about-marketplace-badges

This means that the app is owned by an organization that has
Verified ownership of their domain and has a verified badge on their profile

We don't have a domain for the project, so this is going to be a nonstarter for now. If we launch a website with a domain for other reasons we'll do the verification but we wouldn't pursue the domain just to get verified.

You're asking nicely, but look at this from an outside perspective. In order for commercial organization to avoid paying $15/user/month for a critical tool, you're hoping for an unfunded volunteer organization to take on direct (domain) and indirect (labor) costs.

If this repository doesn't meet your requirements and you don't want to pay GitHub for enterprise features, the best course of action is to fork it into your organization. At that point you're trading off direct GitHub costs (pro -> enterprise) for the labor of keeping the fork in sync.

[ohmer]

you're hoping for an unfunded volunteer organization to take on direct (domain) and indirect (labor) costs.

I do realize this is putting my burden onto you. Fair answer, I understand your position. Thanks for taking the time to answer and for contributing such a great tool.