senzing-factory / build-resources

Collection of utilities to aid with build process
Apache License 2.0

Community Repository Tag Protection Rules #51

Open kernelsam opened 1 year ago

kernelsam commented 1 year ago

General

Add tag protection rules to all community repositories to prevent tag deletion or updates from anyone other than an admin. This would affect repositories in the following orgs: Senzing, senzing-garage, senzing-factory.

Two options for implementation

  1. Tag protection rules, see GitHub Documentation for additional details.

    When you add a tag protection rule, all tags that match the pattern provided will be protected. Only users with admin or maintain permissions, or custom roles with the "edit repository rules" permission in the repository will be able to create protected tags, and only users with admin permissions or custom roles with the "edit repository rules" permission in the repository will be able to delete protected tags.

  2. Implemented as a ruleset.

    1. This allows us to restrict only deletion and modifications of existing protected tags, while allowing anyone with write access to create a tag.
    2. [Screenshot 2024-02-06 at 10 37 08 AM]
    3. Above regex based on the suggestions from SemVer.
    4. This would not require the build user to have any elevated permissions as we do not automate tag deletion.
    5. Anyone with read access to a repository can view the active rulesets for the repository. This means a developer can understand why they have hit a rule, or an auditor can check the security constraints for the repository, without requiring admin access to the repository.

Tags to protect

Documentation

Potential Issues
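
An added example, not part of the original issue or the project's code: an audit check over a ruleset object for option 2, confirming it blocks deletion and update of matching tags, leaves creation open to writers, and allows bypass only for admins. The sample ruleset is constructed in the shape of GitHub's repository ruleset JSON; the ruleset name, the tag pattern (a placeholder, since the regex from the screenshot is not on the page) and the admin role id `5` are assumptions.

```python
import json

# Constructed sample, shaped like a GitHub repository ruleset object
# (GET /repos/{owner}/{repo}/rulesets/{id}). The tag pattern is a placeholder;
# the SemVer-based regex mentioned in the issue is not reproduced on the page.
SAMPLE_RULESET = json.loads("""
{
  "name": "protect-release-tags",
  "target": "tag",
  "enforcement": "active",
  "bypass_actors": [
    {"actor_id": 5, "actor_type": "RepositoryRole", "bypass_mode": "always"}
  ],
  "conditions": {"ref_name": {"include": ["refs/tags/*"], "exclude": []}},
  "rules": [{"type": "deletion"}, {"type": "update"}]
}
""")

ADMIN_ROLE_ID = 5  # assumption: predefined id of the repository admin role


def audit_tag_ruleset(ruleset):
    """Return a list of findings; an empty list means the ruleset matches option 2."""
    findings = []
    if ruleset.get("target") != "tag":
        findings.append("ruleset does not target tags")
    if ruleset.get("enforcement") != "active":
        findings.append("ruleset is not actively enforced")
    rule_types = {r.get("type") for r in ruleset.get("rules", [])}
    for required in ("deletion", "update"):
        if required not in rule_types:
            findings.append(f"missing '{required}' rule")
    # Option 2 keeps tag creation open to anyone with write access.
    if "creation" in rule_types:
        findings.append("'creation' rule blocks writers from creating tags")
    include = ruleset.get("conditions", {}).get("ref_name", {}).get("include", [])
    if not include:
        findings.append("no tag pattern included, nothing is protected")
    # Only the repository admin role should be able to bypass the rules.
    for actor in ruleset.get("bypass_actors", []):
        is_admin = (actor.get("actor_type") == "RepositoryRole"
                    and actor.get("actor_id") == ADMIN_ROLE_ID)
        if not is_admin:
            findings.append(f"non-admin bypass actor: {actor.get('actor_type')} "
                            f"{actor.get('actor_id')}")
    return findings


if __name__ == "__main__":
    print(audit_tag_ruleset(SAMPLE_RULESET) or "ruleset matches option 2")
```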