eclipse-edc / .eclipsefdn

Repository to host configurations related to the Eclipse Foundation.
https://eclipse-edc.github.io/.eclipsefdn/

Adding branch protection rules #3

Open ghost opened 9 months ago

ghost commented 9 months ago

The Security Team at the EF would like to assist your project by enhancing its security posture through basic branch protection rules applied to all the repositories of this GitHub Organization. To do that, we will walk you through the diverse options available, ensuring you can effortlessly create PRs that suit your needs.

ghost commented 9 months ago

In your otterdog configuration file, you can add a branch protection rule for a repo following the example below for a repository called myrepo:

orgs.newRepo('myrepo') {
  // ... other repository settings
  branch_protection_rules: [
    orgs.newBranchProtectionRule('main'),
  ],
},

The snippet above will add a default branch protection rule for the main branch of the repository named myrepo. It sets the following features by default:

{
  "allows_deletions": false,
  "allows_force_pushes": false,
  "blocks_creations": false,
  "bypass_force_push_allowances": [],
  "bypass_pull_request_allowances": [],
  "dismisses_stale_reviews": false,
  "is_admin_enforced": false,
  "lock_allows_fetch_and_merge": false,
  "lock_branch": false,
  "pattern": "main",
  "push_restrictions": [],
  "require_last_push_approval": false,
  "required_approving_review_count": 2,
  "required_deployment_environments": [],
  "required_status_checks": [
    "eclipse-eca-validation:eclipsefdn/eca"
  ],
  "requires_code_owner_reviews": false,
  "requires_commit_signatures": false,
  "requires_conversation_resolution": false,
  "requires_deployments": false,
  "requires_linear_history": false,
  "requires_pull_request": true,
  "requires_status_checks": true,
  "requires_strict_status_checks": false,
  "restricts_pushes": false,
  "restricts_review_dismissals": false,
  "review_dismissal_allowances": []
}

In case you need to define custom settings, you can play around with them using the playground feature at https://eclipse-edc.github.io/.eclipsefdn/configuration/, where you can adjust any default setting. Please find below an example where required_approving_review_count has been configured to 0:

orgs.newRepo('myrepo') {
  // ... other repository settings
  branch_protection_rules: [
    orgs.newBranchProtectionRule('main') {
      required_approving_review_count: 0,
    },
  ],
},

The PR created to add branch protection rules will not require any approvals to merge, but PRs will still be required before pushing to the main branch.

Furthermore, if you would like to create a template function for branch protection rules in your organization to reuse them, you could do something similar to the example below:

// Template: a branch protection rule for `pattern` that needs no approving reviews.
local custom_branch_protection_rule(pattern) =
  orgs.newBranchProtectionRule(pattern) {
    required_approving_review_count: 0,
  };

and then use that function:

orgs.newRepo('myrepo') {
  // ... other repository settings
  branch_protection_rules: [
    custom_branch_protection_rule('main'),
  ],
},

If you need any help or guidance, please respond to this ticket.
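The template approach above is also the natural place to tighten, rather than relax, the defaults listed earlier. The following is an added example written for this page, not configuration from the EF Security Team or from the eclipse-edc project: it defines a hardened rule template and applies it to several repositories at once. It only uses setting names that appear in the default JSON above, and assumes `orgs.newOrg`, the vendored `otterdog-defaults.libsonnet` path and the `_repositories+::` field are those of a standard otterdog config (these are assumptions; the repository names and the extra `build` status check are placeholders).

```jsonnet
// Assumption: standard otterdog config layout with the vendored defaults library.
local orgs = import 'vendor/otterdog-defaults/otterdog-defaults.libsonnet';

// Hardened template: keeps the 2-approval default but closes the gaps the
// defaults leave open (admin bypass, stale approvals, unsigned commits).
local hardened_branch_protection_rule(pattern) =
  orgs.newBranchProtectionRule(pattern) {
    is_admin_enforced: true,                // admins get no bypass of the rule
    dismisses_stale_reviews: true,          // a new push invalidates earlier approvals
    requires_conversation_resolution: true, // all review threads resolved before merge
    requires_linear_history: true,          // no merge commits; history stays auditable
    requires_commit_signatures: true,       // only signed commits may land on the branch
    requires_strict_status_checks: true,    // branch must be up to date with main before merge
    // `+:` appends to the inherited list, so the ECA check from the defaults is kept.
    required_status_checks+: ['build'],     // placeholder name for the project's CI check
  };

// Placeholder repository names; replace with the organization's real ones.
local protected_repos = ['myrepo', 'another-repo'];

orgs.newOrg('eclipse-edc') {
  _repositories+:: [
    orgs.newRepo(name) {
      branch_protection_rules: [
        hardened_branch_protection_rule('main'),
      ],
    }
    for name in protected_repos
  ],
}
```

Two caveats before adopting this: `requires_commit_signatures: true` rejects pushes from contributors who have not set up commit signing, so announce it before enabling it, and `required_approving_review_count: 0` (as in the relaxed example above) removes the human review gate entirely, leaving only the status checks between a compromised contributor account and the default branch.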

ghost commented 9 months ago

Finally, please keep in mind that you can get the list of repositories without branch protection rules using the otterdog dashboard at https://eclipse-edc.github.io/.eclipsefdn/configuration/ by clicking on the Repositories option.