Open mglazer opened 4 years ago
jamestoyer
commented
4 years ago The name of the branch in the status check is intentionally to prevent cases where a policy could be updated on a less secure branch without being properly approved. See this comment in #57 for a better explaination
mglazer
commented
4 years ago So is the only solution for me to manually go to every release branch in GHE (and remember to do this forever into the future when we cut release branches) and ensure that the status check requirement is checked?
mglazer
commented
4 years ago I'm open to other solutions too, I just proposed the first one that came to mind since it was clearly the most obvious one.
andrey-bolduzev
commented
3 years ago I'm curious if there has been any development in this area. This seems like a pretty major issue for any repository that happens to cut release branches.
dermyrddin
commented
2 years ago @jamestoyer I understand security concerns, but maybe check name could be made configurable - to contain branch or not? We have about 30 repos with up to 10 hotfix-x.x branches. Right now there is a wildcard filter in the protection rule, it will be quite hard for us to create new rules with every release when we create a new hotfix branch in every repo. And our developers are pretty honest to not do magic with retargeting PRs.
dermyrddin
commented
2 years ago I'm not sure if @jamestoyer still actively contributing here.
@bluekeyes maybe you can share your thoughts? Is the idea to add an option to remove branch from check name sounds reasonable and if yes - is there a possibility that this could be added in near future?
asvoboda
commented
2 years ago Its configurable at the server level by using the post_insecure_status_checks option.
https://github.com/palantir/policy-bot/blob/3e22bd42e4ab6493f37f5381eb55577ac55ac810/server/handler/base.go#L67-L70
Given that this issue is a pretty easy hole to exploit, we're likely not looking to make this option easier to foot gun.
dermyrddin
commented
2 years ago Thanks @asvoboda, will give it a try.
On a repository which I maintain, we have to keep a release branch system, so our release branches are named:
In order to get status checks working in Github, I create a pattern branch protection pattern:
Which allows me to add checks for everything, except for Policybot, which uniquely names every check as:
The Github UI unfortunately does not allow me to match on wildcard status checks, so I need the status check name to be constant, which for Policy bot it's not.