Open swirtSJW opened 1 year ago
I usually catch these on code review, but I can see in our composer.json that I clearly let one past the goalie.
FWIW: I wouldn't be opposed to putting this functionality into composer patches itself. There are GitHub URLs and such too that could be excluded.
Description
Our patching process should not allow merge request based patches, so as a security precaution we should have a test that checks our composer.json for "/merge_requests/" and fails if it finds it.
The risk?
A patch that comes from the merge request is altered. It will float with the PR. This creates a situation where a MR change on d.o could intentionally or unintentionally break our site or pipeline with no way for us to prevent it.
Patches should always be to files that cannot change once added to d.o, not dynamically generated from a MR.
Acceptance Criteria
https://git.drupalcode.org/project/geocoder/-/merge_requests/19.patch
is added, the required test fails.
CMS Team
Please check the team(s) that will do this work.
Program
Platform CMS Team
Sitewide Crew
⭐️ Sitewide CMS
⭐️ Public Websites
⭐️ Facilities
⭐️ User support
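One way to implement the check this issue asks for, as an added example that is not code from the issue or the project. The function names, the sample data, the GitHub pull-request pattern and the handling of a list-style `extra.patches` entry are assumptions; only the `/merge_requests/` string and the geocoder URL come from the issue.

```python
import json
import re
import sys

# "/merge_requests/" is the string named in the issue. The GitHub pull-request
# pattern is an assumption covering the "GitHub URLs" remark.
FLOATING = [
    re.compile(r"/merge_requests/"),
    re.compile(r"github\.com/[^/]+/[^/]+/pull/\d+\.(patch|diff)"),
]

# Constructed sample: the first URL is the one quoted in the issue, the second
# is a made-up static file URL of the kind that cannot change after upload.
SAMPLE = {"extra": {"patches": {
    "drupal/geocoder": {
        "MR patch": "https://git.drupalcode.org/project/geocoder/-/merge_requests/19.patch",
    },
    "drupal/example": {
        "Static patch": "https://www.drupal.org/files/issues/2024-01-01/example-0000000-2.patch",
    },
}}}


def iter_patches(composer):
    """Yield (package, description, url) for every entry in extra.patches."""
    for package, entries in composer.get("extra", {}).get("patches", {}).items():
        if isinstance(entries, dict):  # {"description": "url"} form
            yield from ((package, d, u) for d, u in entries.items())
        else:  # assumed list form: [{"description": ..., "url": ...}]
            yield from ((package, e.get("description", ""), e.get("url", "")) for e in entries)


def find_floating_patches(composer):
    """Return the patch entries whose URL tracks a live merge or pull request."""
    return [p for p in iter_patches(composer) if any(rx.search(str(p[2])) for rx in FLOATING)]


def main(path=None):
    """Check a composer.json file (or the sample); return a CI exit code."""
    composer = SAMPLE
    if path:
        with open(path, encoding="utf-8") as handle:
            composer = json.load(handle)
    offenders = find_floating_patches(composer)
    for package, description, url in offenders:
        print(f"FAIL {package}: {description!r} -> {url}", file=sys.stderr)
    return 1 if offenders else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

Run with a path to `composer.json` as the only argument; a non-zero exit code fails the pipeline step. Patches declared in a separate patches file are not read by this check.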