StackStorm / st2cd

Content pack for internal build process at StackStorm
Apache License 2.0
7 stars 16 forks

Automate protection/unprotection of `master` during release #257

Open Mierdin opened 7 years ago

Mierdin commented 7 years ago

We should look into unprotecting and protecting master programmatically. Several workflows in st2cd push directly to master in a few repos - and currently we have to unprotect (and more importantly remember to re-protect) manually.

arm4b commented 7 years ago

+1 on this.

It will also help us to automate st2cicd node creation and committing new Terraform resources to ops-infra. At the moment we need to sync up 3 places: st2cicd, ops-infra master and ops-infra NOMERGE/build-node. cc @bigmstone

bigmstone commented 7 years ago

I'm -1 to protect/unprotect. I'd rather programmatically create a PR, approve it, and merge it. This will keep a better audit trail and an easier-to-parse diff in GitHub. I'm going to attempt to tackle this in st2cicd and see what the limitations are. If successful, someone can copy the method over for release mgmt.

Mierdin commented 7 years ago

Agreed, creation of a PR would be a better way to go, just a bit more work.

arm4b commented 6 years ago

This definitely should be automated, since applying this manually is error-prone: note the ci/circleci: deploy (required) task which was included by mistake by the release manager during master unprotection/protection.

arm4b commented 6 years ago

We have just found a possible easy solution for this issue.

For branch protection, GitHub has an option to enforce status checks for administrators. If unchecked, a repo administrator (esteetew during the release automation) can push directly to master.


... the only problem is that everyone is an administrator.

At least release automation can check/uncheck only one single setting, instead of unprotecting the entire branch configuration.

It's 1 simple API (boolean) call:
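Added example, not part of the original thread or of st2cd: one way release automation could toggle only the "enforce for administrators" setting through GitHub's REST endpoint `/repos/{owner}/{repo}/branches/{branch}/protection/enforce_admins` (DELETE to relax, POST to restore) while guaranteeing the setting is switched back on even when the release step fails. The `admin_push_window` helper, the injectable `transport` and the token handling are assumptions made for illustration.

```python
import contextlib
import urllib.request

API = "https://api.github.com"


def enforce_admins_request(owner, repo, branch, enabled, token):
    """Build the call that turns 'enforce for administrators' on (POST) or off (DELETE)."""
    url = f"{API}/repos/{owner}/{repo}/branches/{branch}/protection/enforce_admins"
    return urllib.request.Request(
        url,
        method="POST" if enabled else "DELETE",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        },
    )


def send(req):
    """Default transport: perform the HTTP call and return the status code."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


@contextlib.contextmanager
def admin_push_window(owner, repo, branch, token, transport=send):
    """Relax enforce_admins only for the duration of the with-block, then restore it."""
    status = transport(enforce_admins_request(owner, repo, branch, False, token))
    if status != 204:  # DELETE answers 204 No Content on success
        raise RuntimeError(f"could not disable enforce_admins: HTTP {status}")
    try:
        yield
    finally:
        # Runs even if the release step raises, so master is never left relaxed.
        status = transport(enforce_admins_request(owner, repo, branch, True, token))
        if status != 200:  # POST answers 200 OK on success
            raise RuntimeError(f"enforce_admins NOT restored: HTTP {status}")
```

A release workflow would wrap its push step in `with admin_push_window(...):` and treat a "NOT restored" error as an alert that needs manual follow-up.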