NixOS / ofborg

@ofborg tooling automation https://monitoring.ofborg.org/dashboard/db/ofborg
https://ofborg.org
MIT License

prioritise evaluation for PRs with security label #653

Open felschr opened 11 months ago

felschr commented 11 months ago

How about prioritising evaluation for PRs with the 1.severity: security label? That could speed up the process of patching vulnerabilities.

Related: #397

felschr commented 11 months ago

Another idea: At least for PRs with the security label, ofborg could create automatic backport PRs right away instead of waiting for the original PR to be merged. This would also start the evaluation right away.

Not entirely sure how problematic that would be with referencing commit hashes in the cherry picked commits. Perhaps the PR could be created as a draft (which still invokes evaluation) and once the original PR is merged it could be updated & marked as ready. Ideally without causing another evaluation.

This would simplify & speed up backports of security fixes even further.

Related: #437

Artturin commented 11 months ago

Automatic backports would be more suitable for a GitHub action because ofborg doesn't create commits.

felschr commented 11 months ago

Oh, you're right. I kinda thought those were created by ofborg as well, but I mixed that up. It might still require some kind of coordination between ofborg & the backport GitHub action.

What happens when a force-push only updates commit messages, and contents remain unchanged from before? Does that cause a reevaluation by ofborg? Could that be avoided?

mweinelt commented 11 months ago

ofborg could create automatic backport PRs right away instead of waiting for the original PR to be merged.

Security responses for the stable release are usually different from those we take for unstable. This means we often cannot backport the change we did to master.