sigstore / community

General sigstore community repo
Apache License 2.0

Add bot branch protection bypass in root-signing-staging #403

Closed jku closed 7 months ago

jku commented 7 months ago

This uses sigstore/github-sync#127 (a new field in repository branch protection).

The purpose here is to

I originally attempted to use a custom role for this. That failed, so the first commit removes the role. Closes #401.

-- Something to look for in pulumi preview: when I manually modify "Allow specified actors to bypass required pull requests" in the GitHub UI for root-signing-staging, sigstore/sigstore-oncall is already in the list somehow. Maybe that is some org setting?
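As an added example (not code from this PR or from github-sync), here is a defender-side audit that lists who can get past the protection on a branch and separates the narrow required-review bypass this PR configures from a repo-wide bypass such as the custom role it removes. The branch-protection dict follows the shape of GitHub's REST API branch protection response; the collaborator and custom-role inputs are constructed placeholders, not real API output.

```python
"""Audit who can bypass protection on a branch and how broad that bypass is."""
from dataclasses import dataclass

# Constructed sample shaped like GET /repos/{owner}/{repo}/branches/main/protection
# (field names follow the GitHub REST API; the values are made up for this example).
PROTECTION = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "bypass_pull_request_allowances": {
            "users": [{"login": "sigstore-review-bot"}],
            "teams": [{"slug": "sigstore-oncall"}],
            "apps": [],
        },
    },
    "enforce_admins": {"enabled": False},
}

# Constructed (hypothetical) collaborator list and custom-role definitions; the
# role mirrors the "write-with-bypass" role deleted in the Pulumi preview above.
COLLABORATORS = [
    {"login": "sigstore-review-bot", "role_name": "write-with-bypass"},
    {"login": "alice", "role_name": "write"},
]
CUSTOM_ROLES = {
    "write-with-bypass": {"base_role": "write",
                          "permissions": ["bypass_branch_protection"]},
}


@dataclass
class Bypass:
    actor: str
    scope: str  # "pr-reviews" (one rule only) or "all-protections" (every rule)
    via: str    # which setting grants it


def audit_bypasses(protection, collaborators, custom_roles):
    """Return every actor that can bypass some part of the branch protection."""
    found = []
    reviews = protection.get("required_pull_request_reviews") or {}
    allow = reviews.get("bypass_pull_request_allowances") or {}
    # Per-rule bypass: only the required-review rule is skipped, other rules still apply.
    for kind, key in (("users", "login"), ("teams", "slug"), ("apps", "slug")):
        for entry in allow.get(kind, []):
            actor = entry[key] if kind == "users" else f"{kind[:-1]}:{entry[key]}"
            found.append(Bypass(actor, "pr-reviews", "bypass_pull_request_allowances"))
    # Role-based bypass: a custom role with bypass_branch_protection skips every rule.
    for c in collaborators:
        role = custom_roles.get(c["role_name"], {})
        if "bypass_branch_protection" in role.get("permissions", []):
            found.append(Bypass(c["login"], "all-protections", "custom role " + c["role_name"]))
    # Admins are exempt from all rules unless "Include administrators" is on.
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        found.append(Bypass("repo admins", "all-protections", "enforce_admins disabled"))
    return found


def broad_bypasses(found):
    """Entries to review first: anything not limited to the required-review rule."""
    return [b for b in found if b.scope == "all-protections"]
```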

github-actions[bot] commented 7 months ago

:tropical_drink: preview on sigstore-github-sync/sigstore/github-prod

Pulumi report

```
Previewing update (sigstore/github-prod)

View Live: https://app.pulumi.com/sigstore/sigstore-github-sync/github-prod/previews/16c4e9ea-1ed7-4247-9d1d-30ad2e39087f

@ Previewing update.....
    pulumi:pulumi:Stack: (same)
        [urn=urn:pulumi:github-prod::sigstore-github-sync::pulumi:pulumi:Stack::sigstore-github-sync-github-prod]
@ Previewing update....
    ~ github:index/branchProtection:BranchProtection: (update)
        [id=BPR_kwDOKlCAEM4Ckqsq]
        [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::root-signing-staging-main]
      ~ requiredPullRequestReviews: [
          ~ [0]: {
                  ~ pullRequestBypassers: [
                      + [0]: "MDQ6VXNlcjg2ODM3MzY5"
                    ]
                }
        ]
    - github:index/organizationCustomRole:OrganizationCustomRole: (delete)
        [id=13311]
        [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/organizationCustomRole:OrganizationCustomRole::write-with-bypass]
        baseRole   : "write"
        description: "write role with an additional permission to bypass branch protection"
        name       : "write-with-bypass-3d9b256"
        permissions: [
            [0]: "bypass_branch_protection"
        ]
    - github:index/repositoryCollaborator:RepositoryCollaborator: (delete)
        [id=root-signing-staging:sigstore-review-bot]
        [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/repositoryCollaborator:RepositoryCollaborator::root-signing-staging-sigstore-review-bot]
        permission               : "push"
        permissionDiffSuppression: false
        repository               : "root-signing-staging"
        username                 : "sigstore-review-bot"
Resources:
    ~ 1 to update
    - 2 to delete
    3 changes. 570 unchanged
```

jku commented 7 months ago

I can't completely tell if this is correct or not (since the id is gibberish to me) but it looks safe to try so I can then check what it looks like in the web UI afterwards:

      ~ github:index/branchProtection:BranchProtection: (update)
          [id=BPR_kwDOKlCAEM4Ckqsq]
          [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::root-signing-staging-main]
        ~ requiredPullRequestReviews: [
            ~ [0]: {
                    ~ pullRequestBypassers: [
                        + [0]: "MDQ6VXNlcjg2ODM3MzY5"
                      ]
                  }
          ]

haydentherapper commented 7 months ago

cc tsc @bobcallaway @trevrosen @lukehinds @priyawadhwa @SantiagoTorres for merge

jku commented 7 months ago

...and of course it failed :disappointed:

EDIT: no, it did not fail -- looks like I was looking at the wrong run.

This is the real run https://github.com/sigstore/community/actions/runs/7930594137/job/21653183446