Closed jku closed 7 months ago
preview on sigstore-github-sync/sigstore/github-prod
I can't completely tell if this is correct or not (since the id is gibberish to me) but it looks safe to try so I can then check what it looks like in the web UI afterwards:
~ github:index/branchProtection:BranchProtection: (update)
[id=BPR_kwDOKlCAEM4Ckqsq]
[urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::root-signing-staging-main]
~ requiredPullRequestReviews: [
~ [0]: {
~ pullRequestBypassers: [
+ [0]: "MDQ6VXNlcjg2ODM3MzY5"
]
}
]
cc tsc @bobcallaway @trevrosen @lukehinds @priyawadhwa @SantiagoTorres for merge
...and of course it failed :disappointed:
EDIT: no, it did not fail -- looks like I was looking at the wrong run.
This is the real run https://github.com/sigstore/community/actions/runs/7930594137/job/21653183446
This uses sigstore/github-sync#127 (a new field in repository branch protection).
The purpose here is to
I originally attempted to use a custom role for this. That has failed so the first commit removes the role. Closes #401.
-- Something to look for in pulumi preview: when I manually modify the "Allow specified actors to bypass required pull requests" in GitHub UI for root-signing-staging, sigstore/sigstore-oncall is already in the list somehow. Maybe that is some org setting?
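
A reviewer can check which actor the preview above adds to pullRequestBypassers before approving: older-style GitHub node IDs such as the one on the `+` line are base64 of a type name and a numeric database ID. This is an added example, not part of the original thread or of the sigstore tooling; the function names and the `expected` allowlist are hypothetical, and the preview text is a constructed sample copied from the lines quoted in this thread.

```python
import base64
import re

# Constructed sample: the preview lines quoted in this thread.
PREVIEW = """\
~ requiredPullRequestReviews: [
~ [0]: {
~ pullRequestBypassers: [
+ [0]: "MDQ6VXNlcjg2ODM3MzY5"
]
}
]
"""

# Legacy node IDs decode to "0<len(type)>:<Type><database id>", e.g. "04:User123".
LEGACY = re.compile(r"^0(\d+):([A-Za-z]+)(\d+)$")

def decode_legacy_node_id(node_id):
    """Return (type, database_id) for a legacy node ID, or None if it is not one."""
    try:
        text = base64.b64decode(node_id, validate=True).decode("ascii")
    except ValueError:  # covers bad base64 and non-ASCII payloads
        return None
    m = LEGACY.match(text)
    if not m or int(m.group(1)) != len(m.group(2)):
        return None
    return m.group(2), int(m.group(3))

def added_bypassers(preview):
    """Collect quoted values on '+' lines inside a pullRequestBypassers block."""
    ids, inside = [], False
    for line in preview.splitlines():
        body = line.strip()
        if "pullRequestBypassers" in body:
            inside = True
        elif inside and body.startswith("]"):
            inside = False
        elif inside and body.startswith("+"):
            ids += re.findall(r'"([^"]+)"', body)
    return ids

def review(preview, expected):
    """Return (node_id, decoded, is_expected) for every added bypasser."""
    decoded = [(i, decode_legacy_node_id(i)) for i in added_bypassers(preview)]
    return [(i, d, d in expected) for i, d in decoded]

if __name__ == "__main__":
    # Hypothetical allowlist: the (type, id) pairs the reviewer intends to permit.
    print(review(PREVIEW, expected={("User", 86837369)}))
```

Newer-format IDs such as the `BPR_...` resource id in the same preview are not legacy IDs and come back as `None`, so they are reported as unexpected rather than guessed at.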