Comments (2)
I recommend requiring the policy-bot: main
status. By default, this is the only status Policy Bot will post. Since you're also seeing the plain policy-bot
status, it sounds like your organization enabled the post_insecure_status_checks
option in the server configuration.
Policy Bot always reads the policy file from the target branch of the pull request, so the two statuses will always have the same value. Unfortunately, reading from the target branch causes a problem when using the status check without the branch name: a user can generate a passing policy-bot
status by manipulating the target branch of their commit. Suppose you have a branch called bypass-policy-bot
that you want to get a passing check on:
- Create a branch called
no-approval
with a modified policy file that requires no approval - Make a pull request from
bypass-policy-bot
tono-approval
- Policy Bot posts a passing
policy-bot
status to the head commit ofbypass-policy
because the policy of the target branch is satisfied - Close that PR and create a new PR from
bypass-policy-bot
tomain
- Because the head commit has a passing
policy-bot
check, you can potentially merge the PR before Policy Bot can respond to webhooks and update the status using the real policy from themain
branch
Including the target branch name in the status check context was our way to fix this issue, as a passing policy-bot: no-approval
status does not satisfy a requirement for the policy-bot: main
status.
That said, some users do not care about this flaw and prefer the simplicity of a single check that is the same on all branches. In that case, the post_insecure_status_checks
option restores the original behavior but does not disable what we consider the correct behavior (having the branch name in the check context), leading to the two checks you observed.
from policy-bot.
I recommend requiring the
policy-bot: main
status. By default, this is the only status Policy Bot will post. Since you're also seeing the plainpolicy-bot
status, it sounds like your organization enabled thepost_insecure_status_checks
option in the server configuration.Policy Bot always reads the policy file from the target branch of the pull request, so the two statuses will always have the same value. Unfortunately, reading from the target branch causes a problem when using the status check without the branch name: a user can generate a passing
policy-bot
status by manipulating the target branch of their commit. Suppose you have a branch calledbypass-policy-bot
that you want to get a passing check on:
Create a branch called
no-approval
with a modified policy file that requires no approvalMake a pull request from
bypass-policy-bot
tono-approval
Policy Bot posts a passing
policy-bot
status to the head commit ofbypass-policy
because the policy of the target branch is satisfiedClose that PR and create a new PR from
bypass-policy-bot
tomain
Because the head commit has a passing
policy-bot
check, you can potentially merge the PR before Policy Bot can respond to webhooks and update the status using the real policy from themain
branchIncluding the target branch name in the status check context was our way to fix this issue, as a passing
policy-bot: no-approval
status does not satisfy a requirement for thepolicy-bot: main
status.That said, some users do not care about this flaw and prefer the simplicity of a single check that is the same on all branches. In that case, the
post_insecure_status_checks
option restores the original behavior but does not disable what we consider the correct behavior (having the branch name in the check context), leading to the two checks you observed.
Thank you so much for the detailed explanation.
This is very helpful.
from policy-bot.
Related Issues (20)
- Allow '=' as comparison operator HOT 1
- Misleading documentation about file path regular expressions HOT 1
- AppID ENV Variable not respected HOT 2
- Confusing behavior with skipped checks. HOT 5
- Add feature to use request more reviewers than required count in case of random-users HOT 1
- [Question] Approval by teams agregator
- Declarative Testing of Policies HOT 5
- Certain merges can lead to ignored commits during evaluation
- Request for Advice on Using Policy Bot in Open Source Projects for Testing, Approving, Merging of PRs HOT 3
- If no rule matches can policy-bot not set a failed status on the PR? HOT 1
- Unable to run policy-bot behind a reverse-prxoy HOT 3
- `common.IsActor()` does not actually use `ctx` and can be simplified.
- Condition for not having specific label(s) HOT 6
- has_successful_status causes review requests while PR has draft status HOT 5
- Feature Request: Predicate to skip rule if a file was changed HOT 6
- Feature Request: Option to count skipped jobs in has_successful_status HOT 5
- Clarify why users are "disqualified" when approval is ignored
- Create new production Release 🚀 HOT 1
- Connecting lines broken when hiding skipped rules with errors
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from policy-bot.