Comments (8)
The name of the branch in the status check is intentional, to prevent cases where a policy could be updated on a less secure branch without being properly approved. See this comment in #57 for a better explanation.
So is the only solution for me to manually go to every release branch in GHE (and remember to do this forever into the future when we cut release branches) and ensure that the status check requirement is checked?
I'm open to other solutions too, I just proposed the first one that came to mind since it was clearly the most obvious one.
I'm curious if there has been any development in this area. This seems like a pretty major issue for any repository that happens to cut release branches.
@jamestoyer I understand security concerns, but maybe check name could be made configurable - to contain branch or not? We have about 30 repos with up to 10 hotfix-x.x branches. Right now there is a wildcard filter in the protection rule, it will be quite hard for us to create new rules with every release when we create a new hotfix branch in every repo. And our developers are pretty honest to not do magic with retargeting PRs.
I'm not sure if @jamestoyer is still actively contributing here.
@bluekeyes maybe you can share your thoughts? Does the idea of adding an option to remove the branch from the check name sound reasonable, and if yes, is there a possibility that this could be added in the near future?
It's configurable at the server level by using the `post_insecure_status_checks` option.
policy-bot/server/handler/base.go, lines 67 to 70 in 3e22bd4
Given that this issue is a pretty easy hole to exploit, we're likely not looking to make this option easier to foot gun.
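The practical defender-side problem in this thread is the one raised above: every release or hotfix branch needs a branch protection rule that requires the branch-specific policy-bot context, or the policy check silently stops being enforced there. The following audit script is an added example, not code from policy-bot or from anyone in this thread. It assumes that the default status context has the form `<app name>: <base branch>` (for example `policy-bot: release-1.2`) and that the bare `policy-bot` context is what `post_insecure_status_checks` produces; it reads branch protection through the GitHub REST endpoint `GET /repos/{owner}/{repo}/branches/{branch}/protection/required_status_checks`. The sample responses embedded in the script are constructed, not captured from a real repository.

```python
"""Audit whether protected branches require the branch-specific policy-bot check.

Added example; not policy-bot's own code. Assumptions (not stated in the thread):
  * default status context is "<app name>: <base branch>", e.g. "policy-bot: main"
  * with post_insecure_status_checks the context is the bare app name, "policy-bot"
  * branch protection is read via the GitHub REST API
"""
import json
import os
import sys
import urllib.request

APP_NAME = "policy-bot"  # assumed default app name used in the status context


def expected_context(branch: str, app_name: str = APP_NAME) -> str:
    """Context a branch protection rule must require so the check is bound to this branch."""
    return f"{app_name}: {branch}"


def audit_required_checks(required_checks: dict, branch: str, app_name: str = APP_NAME) -> dict:
    """Evaluate one branch's required_status_checks object.

    Reports the branch-specific context separately from the bare (insecure) one,
    so an auditor can see branches that rely on a context any base branch could satisfy.
    """
    contexts = set(required_checks.get("contexts") or [])
    # Newer API responses also list "checks": [{"context": ..., "app_id": ...}]
    contexts |= {c["context"] for c in required_checks.get("checks") or [] if c.get("context")}
    want = expected_context(branch, app_name)
    return {
        "branch": branch,
        "expected": want,
        "has_branch_specific_check": want in contexts,
        "has_bare_check": app_name in contexts,
        "strict": bool(required_checks.get("strict")),
    }


def fetch_required_checks(owner: str, repo: str, branch: str, token: str,
                          api: str = "https://api.github.com") -> dict:
    """Fetch required_status_checks for a protected branch (404 means no protection at all)."""
    url = f"{api}/repos/{owner}/{repo}/branches/{branch}/protection/required_status_checks"
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample responses, one per branch (not real data)
SAMPLE = {
    "main": {"strict": True, "contexts": ["policy-bot: main", "ci/build"]},
    "release-1.2": {"strict": False, "contexts": ["ci/build"]},   # policy check never required
    "hotfix-1.1": {"strict": True, "contexts": ["policy-bot"]},   # bare context only
}


def audit_all(samples: dict) -> list:
    """Audit every branch in a {branch: required_status_checks} mapping."""
    return [audit_required_checks(v, k) for k, v in samples.items()]


def findings_needing_attention(results: list) -> list:
    """Branches where the branch-specific policy-bot context is not required."""
    return [r["branch"] for r in results if not r["has_branch_specific_check"]]


if __name__ == "__main__":
    # Usage: GITHUB_TOKEN=... python audit.py owner repo branch [branch ...]
    # Without arguments the constructed SAMPLE data is audited instead.
    token = os.environ.get("GITHUB_TOKEN")
    if len(sys.argv) >= 4 and token:
        owner, repo, branches = sys.argv[1], sys.argv[2], sys.argv[3:]
        data = {b: fetch_required_checks(owner, repo, b, token) for b in branches}
    else:
        data = SAMPLE
    results = audit_all(data)
    for r in results:
        print(json.dumps(r))
    bad = findings_needing_attention(results)
    print("branches missing the branch-specific check:", bad)
```

Run it against the sample data and `release-1.2` and `hotfix-1.1` are flagged: the first requires no policy-bot context at all, the second requires only the bare context, which is exactly the case the branch-in-the-name design is meant to prevent. With a token and a list of branches (for example from `git branch -r --list 'origin/hotfix-*'`) the same logic runs against a live repository.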
Thanks @asvoboda, will give it a try.