Is it possible to define branch protections and base checks, allowing additional checks to be defined at the repo level?
We'd like to set up a defined branch protection baseline that all repositories must adhere to, for example:
optConfig:
  # All repos will use this strategy by default
  optOutStrategy: true
  # Do not allow repos to override this config
  disableRepoOverride: true
requireApproval: true
approvalCount: 1
requireSignedCommits: true
# The global status checks that must pass in order for a merge to be accepted
requireStatusChecks:
  - context: "Security Checks"
We'd like to allow teams to configure their own checks on top of this, without having to redefine the mandatory checks nor being able to override the other repo settings. For example, when the below is applied at the repo level, the settings would configure the repo to have three required checks: Security Checks, Lint, and Compile.
requireStatusChecks:
  - context: "Lint"
  - context: "Compile"
Is this currently possible to achieve via allstar?
@testworksau The current behavior is to override the org-level list, not merge. The point was for "disable override = false" to allow removing checks. There was some discussion with the original code (#147) on which way to go.
I could see this working in different ways, happy to consider any proposals for new options.
The current way to allow more required checks, but keep "disable override = true", would be to create a <repo>/branch_protection.yaml file in your .allstar repo, and put the full list there. see https://github.com/ossf/allstar#repo-policy-configurations-in-the-org-repo
Also, Welcome! Please take a look at #253 if you have a chance. =)
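As an added illustration of the workaround described in the reply above (this is not from the original issue thread or from Allstar's own documentation), here are the two files as they would sit in the org's .allstar repo: the org-level baseline at the root, and a per-repo file at <repo>/branch_protection.yaml carrying the full list of checks. The repo name example-service is hypothetical, and the assumption that the per-repo file only needs to restate the field it changes (with the other settings inherited from the org-level file) is mine and is not confirmed in this thread.

```yaml
# File: branch_protection.yaml at the root of the org's .allstar repo
# (the org-level baseline from the question, unchanged)
optConfig:
  # All repos will use this strategy by default
  optOutStrategy: true
  # Do not allow repos to override this config from their own .allstar/ directory
  disableRepoOverride: true
requireApproval: true
approvalCount: 1
requireSignedCommits: true
# The global status checks that must pass in order for a merge to be accepted
requireStatusChecks:
  - context: "Security Checks"
---
# File: example-service/branch_protection.yaml in the same .allstar repo
# ("example-service" is a hypothetical repo name; path form per the README link above)
#
# Because the repo-level list replaces the org-level list rather than merging
# with it, the mandatory check must be repeated here next to the team's own
# checks. Omitting "Security Checks" from this list would drop it for this repo.
#
# Assumption (not stated in the thread): fields left out here, such as
# requireApproval and requireSignedCommits, keep their org-level values.
requireStatusChecks:
  - context: "Security Checks"
  - context: "Lint"
  - context: "Compile"
```

Since this per-repo file lives in the org-owned .allstar repo rather than in the team's repository, it is changed through PRs to the .allstar repo, which is the scaling concern raised in the follow-up below.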
Thanks @jeffmendoza; good to know there's a way to achieve this, even if not completely ideal for our situation.
For context, our org is made up of a number of teams, who each may own hundreds of repos, and require different status checks to complete, along with the ones our infosec team consider to be mandatory. We will end up with thousands of repos in our GitHub org, so a few thousand folders in the .allstar repo won't scale well (nor would the PR workflow overhead).
I don't think the optimum approach would be for these teams to have a duplicate file in each of their repos either; they would probably want to source that Checks baseConfig from a central location, so it can be centrally managed. I'd imagine that this could either be done via a team based folder in the .allstar repo, or from a separate repo that the team owns.
Anyhow, just thinking out loud at the moment; I'll provide some feedback in the google form linked above, tomorrow 👍🏼