Open t92549 opened 11 months ago
Removing the automatic merge and requiring PRs instead could work but I would favour changing the token so that it's provided by a GitHub App. This is fetched at runtime and doesn't require any secrets to be stored.
Repository settings can then be configured so that only the App (bot) user is allowed to make commits without a PR and approvals. The App user could also be set as the committer.
The release pipeline should be tidied up; release branches could be removed and replaced with tagging the master branch.
Additionally, a lot of the release pipelines rely on an admin's GitHub token in order to commit to protected branches: https://github.com/gchq/Gaffer/blob/b2bca5ed5b91409f5db36d57add4d5a70aa30bfb/.github/workflows/release.yaml#L31
Ideally this would be replaced with PRs perhaps, and the `ADMIN_GITHUB_TOKEN` removed.
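The pattern described above (a short-lived token minted from a GitHub App at runtime, commits attributed to the App's bot user, and a tag on master instead of a release branch), as an added example workflow that is not part of Gaffer's own pipeline. It assumes a GitHub App installed on the repository with "Contents: write" permission, two hypothetically named secrets `RELEASE_APP_ID` and `RELEASE_APP_PRIVATE_KEY`, the `actions/create-github-app-token` v2 input names, and a branch protection rule on master that lists the App as the only actor allowed to bypass the pull-request requirement:

```yaml
# Added example (not Gaffer's own workflow): a release job that exchanges the
# App's credentials for an installation token instead of using a stored admin PAT.
# Assumptions: the App is installed on this repository with "Contents: write",
# its id and private key live in the hypothetically named secrets
# RELEASE_APP_ID / RELEASE_APP_PRIVATE_KEY, and branch protection on master
# allows only the App to push without a PR.
name: Release (App-token example)

on:
  workflow_dispatch:

jobs:
  tag-release:
    runs-on: ubuntu-latest
    # The job's default GITHUB_TOKEN needs nothing beyond read access; every
    # write below authenticates with the App token instead.
    permissions:
      contents: read
    steps:
      # Weak pattern (what the issue describes): checking out with an admin's
      # personal token, which is long-lived, tied to one person, and bypasses
      # protection on every repository that person can reach.
      #
      # - uses: actions/checkout@v4
      #   with:
      #     token: ${{ secrets.ADMIN_GITHUB_TOKEN }}

      # Replacement: mint an installation token that expires after one hour and
      # is scoped to this repository's contents only.
      - name: Mint App installation token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.RELEASE_APP_ID }}
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: ${{ github.event.repository.name }}
          permission-contents: write

      - uses: actions/checkout@v4
        with:
          ref: master
          # Pushes from this checkout authenticate as the App, so branch
          # protection can single it out as the one permitted bypass actor.
          token: ${{ steps.app-token.outputs.token }}

      - name: Commit as the App bot user
        env:
          APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          # Look up the bot user's numeric id so commits are attributed to the
          # App rather than to whoever triggered the workflow.
          BOT_ID="$(gh api "/users/${APP_SLUG}[bot]" --jq .id)"
          git config user.name "${APP_SLUG}[bot]"
          git config user.email "${BOT_ID}+${APP_SLUG}[bot]@users.noreply.github.com"

      - name: Tag master instead of cutting a release branch
        env:
          # Placeholder version; a real pipeline would read the project version.
          VERSION: ${{ github.run_number }}
        run: |
          git tag -a "example-release-${VERSION}" -m "Release ${VERSION}"
          git push origin "example-release-${VERSION}"
```

The App's private key is still a repository secret, but it is bound to the App rather than to an administrator's account, and the token actually used for the push is short-lived and limited to `contents: write` on this one repository, so a leaked workflow log or a compromised runner exposes far less than a personal admin token would.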