oras-project / oras-go

ORAS Go library
https://oras.land
Apache License 2.0

Enforce branch policies on the repository #458

Open toddysm opened 1 year ago

toddysm commented 1 year ago

To improve the security of the ORAS project we need to enforce the branch policies for this repository. I propose that we enforce the policies as follows:

Please add your comments and proposals for additional changes to this issue.

TerryHowe commented 1 year ago

If a code owner created the PR, is that one approval? I am assuming only approvals from code owners count.

toddysm commented 1 year ago

That is correct @TerryHowe - only codeowners count. And no, this is in addition to the person who submitted the PR as far as I know. We can have a relaxed policy and ask for 2 codeowner approvals only.

shizhMSFT commented 1 year ago

A few comments:

It is worth noting that "require branches to be up to date before merging" somehow conflicts with "dismiss stale PR approvals when new commits are pushed".

toddysm commented 1 year ago

I am confused with what you mean with "release doesn't apply to libraries". Is this about the branch name, or is it because we do not "release" libraries? Also, it will be good to be consistent with the branch names across all ORAS projects. Also, see some comments from https://github.com/oras-project/oras/issues/862#issuecomment-1476499235; they apply here too.

github-actions[bot] commented 2 weeks ago

This issue is stale because it has been open for 60 days with no activity. Remove the stale label or comment to prevent it from being closed in 30 days.