GSA .allstar

[JJediny]

• [x] Current list of Allstar for the OptIn methods is not aligned with the the actions run https://github.com/GSA/.allstar/blob/main/allstar.yaml -> https://github.com/GSA/.allstar/actions

Background

optIn/optOut/optWhatever logic is nearly incomprehensible garbage in AllStar.

GSA-TTS switched to optOut and control which repos are processed solely through permissions on the AllStar bot

{"severity":"INFO","org":"GSA","repo":"accessibility-for-teams","area":"Branch Protection","time":"2024-10-22T15:13:48Z","message":"Policy run skipped as repo is not enabled and doNothingOnOptOut is configured."}

Debugging Steps

• [x] .allstar/allstar.yaml - optOutStrategy is true so optInRepos is ignored (per https://github.com/ossf/allstar?tab=readme-ov-file#org-level-options) and all repos the bot has access to should be processed.
• [x] .allstar/branch_protection.yaml - optOutStrategy is true so branch protection checks should be made accessibility-for-teams - No AllStar configs (overrides)
• [x] DO_NOTHING_ON_OPT_OUT is set to true in
• [x] .allstar/github/workflows/allstar-run.yml

And now I say cause the first point (optOutStrategy: true ) should result in the repo being opted in, and DO_NOTHING_ON_OPT_OUT should not matter, but it seems to.

Digging through the code, if you want to use optIn lists they need to be maintained for EACH YAML FILE. So you need to have a list not only in allstar.yaml but also branch_protection.yaml , etc.

Confusing and toilsome policy logic is a major security risk, IMHO. That is why for GSA-TTS we just turn it all to optOutStrategy: true and gate which repos are processed through the permissions on the bot.

### Repos causing timeout on BinaryArtifacts Scan
- [ ] GSA/assets.FCSM
- [ ] GSA/InterimPerformance-Dot-Gov-2018
- [ ] GSA/centers-of-excellence
- [ ] USSM

Old Configuration

[JJediny]

Fixed 🎉