
Migrate Github Protected Branch/Tag rules to Github Repository Rules rulesets #38

Open
1 task done
achrinza opened this issue Nov 11, 2023 · 0 comments
achrinza commented Nov 11, 2023

Github Repository Rules, which has reached general availability, is an evolution of Github Protected Branch/Tag. This issue is to track:

  1. Converting existing Github Protected Branch/Tag rules to Github Repository Rules rulesets
  2. Disabling the older branch protection rules and api

Further discussions

With this new solution, we should also consider the new potentials for enforcing repository security.

Org-wide enforcement

Enforcing an org-wide Github Repository Rules ruleset is only available for Github Enterprise users. However, we can consider creating a Github Action workflow in https://github.com/loopbackio/cicd to periodically poll and enforce. This would be of similar concept to our potential adoption of Peribolos (loopbackio/cicd#26).

Although the adoption of the OpenSSF Scorecard Action (#25) would allow us to detect non-compliance, it is not granular enough, does not have auditable self-remediation capabilities, and does not provide a single pane of glass.

Restricting bots' branches

TLDR: This is not fully possible.

Bots such as Renovate require push-rights to our Github repositories. However, this opens us up to third-party vendor risk where misused bot credentials can cause unwanted, destructive commit and tag modification to our repositories.

This is already partially alleviated with the older Github Protected Branch/Tag feature, where we're able to mandate the creation of a pull request and restrict who can push new Git tags. However, we are not able to enforce this for the non-publishing (i.e. work-in-progress) branches which are created and deleted day-to-day.

Although Github Repository Rules allows layering and creation of bypass lists, it does not have an "apply to select bots/people only". This means that, even with a bypass list with non-bot members, we would still need to "bypass" the rules (i.e. "override" the rule) via the pull request page every time we want to merge. This is not ideal.
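The periodic poll-and-check workflow suggested under "Org-wide enforcement", and the bot bypass concern above, could be backed by an audit like the following. This is an added example, not code from the loopbackio/cicd repository: it takes the ruleset objects that `GET /repos/{owner}/{repo}/rulesets/{ruleset_id}` returns (the sample below is constructed, field names follow the GitHub REST API) and reports a repository whose default branch lacks an active pull-request, deletion or non-fast-forward rule, whose tags have no active ruleset, or whose rulesets let a GitHub App bypass them unconditionally.

```python
# Constructed sample of what GET /repos/{owner}/{repo}/rulesets/{id} returns
# (field names follow the GitHub REST API ruleset objects).
SAMPLE_RULESETS = [
    {
        "name": "protect-main",
        "enforcement": "active",
        "target": "branch",
        "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []}},
        "rules": [{"type": "pull_request"}, {"type": "deletion"}],
        # A GitHub App (bot) allowed to bypass unconditionally is the vendor
        # risk the issue describes, so the audit flags it.
        "bypass_actors": [{"actor_id": 12345, "actor_type": "Integration", "bypass_mode": "always"}],
    },
    {
        "name": "protect-tags",
        "enforcement": "disabled",  # an inactive ruleset provides no protection
        "target": "tag",
        "conditions": {"ref_name": {"include": ["~ALL"], "exclude": []}},
        "rules": [{"type": "creation"}, {"type": "deletion"}],
        "bypass_actors": [],
    },
]

# Rules an active ruleset on the default branch should carry.
REQUIRED_BRANCH_RULES = {"pull_request", "deletion", "non_fast_forward"}

def covers_default_branch(rs):
    include = rs.get("conditions", {}).get("ref_name", {}).get("include", [])
    return rs.get("target") == "branch" and bool({"~DEFAULT_BRANCH", "~ALL"} & set(include))

def audit_rulesets(rulesets):
    """Return a list of findings for one repository; an empty list means compliant."""
    findings = []
    active = [rs for rs in rulesets if rs.get("enforcement") == "active"]
    branch_rules = set()
    for rs in active:
        if covers_default_branch(rs):
            branch_rules |= {rule["type"] for rule in rs.get("rules", [])}
        for actor in rs.get("bypass_actors", []):
            if actor.get("actor_type") == "Integration" and actor.get("bypass_mode") == "always":
                findings.append(f"{rs['name']}: app {actor['actor_id']} can always bypass")
    for missing in sorted(REQUIRED_BRANCH_RULES - branch_rules):
        findings.append(f"default branch: no active '{missing}' rule")
    if not any(rs.get("target") == "tag" for rs in active):
        findings.append("tags: no active tag ruleset")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_rulesets(SAMPLE_RULESETS)) or "compliant")
```

A workflow would run this against every repository in the org and open or update an issue with the findings, which gives the auditable trail the Scorecard action lacks.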
