department-of-veterans-affairs / va.gov-cms

Editor-centered management for Veteran-centered content.
https://prod.cms.va.gov
GNU General Public License v2.0

Add test to look for /merge_requests/*.patch #10065

Open swirtSJW opened 1 year ago

swirtSJW commented 1 year ago

Description

Our patching process should not allow merge request based patches, so as a security precaution we should have a test that checks our composer.json for "/merge_requests/" and fails if it finds it.

The risk?

A patch that comes from the merge request is altered. It will float with the PR. This creates a situation where an MR change on d.o could intentionally or unintentionally break our site or pipeline with no way for us to prevent it.

Patches should always be to files that cannot change once added to d.o, not dynamically generated from an MR.

Acceptance Criteria

CMS Team

Please check the team(s) that will do this work.

swirtSJW commented 1 year ago

I usually catch these on code review, but I can see in our composer.json that I clearly let one past the goalie.

cweagans commented 1 year ago

FWIW: I wouldn't be opposed to putting this functionality into composer patches itself. There are github URLs and such too that could be excluded.
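A pipeline check along the lines the issue asks for, written here as an added example (it is not code from va.gov-cms or from composer-patches): it parses composer.json, walks the composer-patches `extra.patches` section and fails when a patch URL is generated from a GitLab/drupal.org merge request; it also goes one step further and catches the GitHub pull-request patch URLs cweagans mentions. The sample composer.json, the script name and the regex patterns are constructed for this example.

```python
import json
import re

# URL shapes generated from a live merge request / pull request, which change
# whenever that branch changes (patterns constructed for this example).
FLOATING_PATCH_PATTERNS = [
    re.compile(r"/merge_requests/"),                           # GitLab / drupal.org MR
    re.compile(r"github\.com/.+/pull/\d+\.(?:patch|diff)$"),  # GitHub PR (same risk)
]

def iter_patch_urls(composer):
    """Yield (package, url) for every patch under extra.patches, accepting both
    composer-patches value shapes: a plain URL string or a {"url": ...} mapping."""
    patches = composer.get("extra", {}).get("patches", {})
    for package, entries in patches.items():
        values = entries.values() if isinstance(entries, dict) else entries
        for value in values:
            if isinstance(value, dict):
                value = value.get("url", "")
            if isinstance(value, str):
                yield package, value

def find_floating_patches(composer_json_text):
    """Return [(package, url), ...] for patches whose URL floats with an MR/PR."""
    composer = json.loads(composer_json_text)
    return [(pkg, url) for pkg, url in iter_patch_urls(composer)
            if any(p.search(url) for p in FLOATING_PATCH_PATTERNS)]

# Constructed sample: one stable drupal.org file attachment, one MR-generated diff.
SAMPLE_COMPOSER_JSON = """{
  "extra": {
    "patches": {
      "drupal/example_module": {
        "Fix X (stable file)": "https://www.drupal.org/files/issues/2023-01-01/example-1234567-1.patch",
        "Fix Y (floats)": "https://git.drupalcode.org/project/example_module/-/merge_requests/12.diff"
      }
    }
  }
}"""

if __name__ == "__main__":
    # Usage: python check_patches.py [path/to/composer.json]; exit 1 fails the pipeline.
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_COMPOSER_JSON
    offenders = find_floating_patches(text)
    for pkg, url in offenders:
        print(f"FAIL: {pkg} is patched from a merge/pull request: {url}")
    sys.exit(1 if offenders else 0)
```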