sigstore / community

General sigstore community repo
Apache License 2.0

DNM: test pulumi update #429

Closed haydentherapper closed 2 months ago

haydentherapper commented 3 months ago

Summary

Release Note

Documentation

github-actions[bot] commented 3 months ago

:tropical_drink: preview on sigstore-github-sync/sigstore/github-prod

Pulumi report ``` Previewing update (sigstore/github-prod) View Live: https://app.pulumi.com/sigstore/sigstore-github-sync/github-prod/previews/57c7b18e-94a4-4679-ab3d-3b24dda95b8e @ Previewing update..... pulumi:pulumi:Stack: (same) [urn=urn:pulumi:github-prod::sigstore-github-sync::pulumi:pulumi:Stack::sigstore-github-sync-github-prod] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOFOlTKs4Bj3xo] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::.github-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "MDEwOlJlcG9zaXRvcnkzNTA4MzU0OTg=" => "MDEwOlJlcG9zaXRvcnkzNTA4MzU0OTg=" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : false => false ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ requireCodeOwnerReviews : false => false ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : false => false } ] ~ requiredStatusChecks : [ ~ [0]: { ~ strict: false => false } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOHdxLW84Cg-2P] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::architecture-docs-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "R_kgDOHdxLWw" => "R_kgDOHdxLWw" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : true => true ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ dismissalRestrictions : [ ~ [0]: "T_kwDOBDzYIc4AXnDe" => "T_kwDOBDzYIc4AXnDe" ] ~ requireCodeOwnerReviews : false => false ~ 
requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : true => true } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "DCO" => "DCO" ] ~ strict : false => false } ] + restrictPushes : [ + [0]: { + blocksCreations: true + pushAllowances : [ + [0]: "T_kwDOBDzYIc4AXnDe" ] } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOFH9Yps4B9d-R] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::TSC-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "MDEwOlJlcG9zaXRvcnkzNDM4OTAwODY=" => "MDEwOlJlcG9zaXRvcnkzNDM4OTAwODY=" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : true => true ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ dismissalRestrictions : [ ~ [0]: "MDQ6VGVhbTQ1NjMzOTE=" => "MDQ6VGVhbTQ1NjMzOTE=" ] ~ requireCodeOwnerReviews : true => true ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : true => true } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "DCO" => "DCO" ] ~ strict : false => false } ] + restrictPushes : [ + [0]: { + blocksCreations: true + pushAllowances : [ + [0]: "MDQ6VGVhbTQ1NjMzOTE=" ] } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOFHiDJM4B9d_-] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::community-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "MDEwOlJlcG9zaXRvcnkzNDM0NDIyMTI=" => "MDEwOlJlcG9zaXRvcnkzNDM0NDIyMTI=" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ 
requiredLinearHistory : true => true ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ dismissalRestrictions : [ ~ [0]: "MDQ6VGVhbTQ1NjMzOTE=" => "MDQ6VGVhbTQ1NjMzOTE=" ] ~ requireCodeOwnerReviews : true => true ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : true => true } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "DCO" => "DCO" ] ~ strict : false => false } ] + restrictPushes : [ + [0]: { + blocksCreations: true + pushAllowances : [ + [0]: "MDQ6VGVhbTQ1NjMzOTE=" ] } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOFAY6Ic4B9d__] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::cosign-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "MDEwOlJlcG9zaXRvcnkzMzU5NTI0MTc=" => "MDEwOlJlcG9zaXRvcnkzMzU5NTI0MTc=" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : true => true ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ requireCodeOwnerReviews : true => true ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : false => false } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "Run unit tests (ubuntu-latest)" => "Check Whitespace" ~ [1]: "Run PowerShell E2E tests" => "DCO" ~ [2]: "lint" => "Do Not Submit" ~ [3]: "Run unit tests (macos-latest)" => "Run PowerShell E2E tests" ~ [4]: "license boilerplate check" => "Run e2e tests" ~ [5]: "Check Whitespace" => "Run unit tests (macos-latest)" ~ [6]: "DCO" => "Run unit tests (ubuntu-latest)" ~ [7]: "License and Vulnerability Scan / Scan dependencies for license compliance and vulnerabilities" => "Run unit tests (windows-latest)" ~ [8]: "Do Not Submit" => "Verify Docgen" 
~ [9]: "attest / verify-attestation test (v1.25.x, remote)" => "License and Vulnerability Scan / Scan dependencies for license compliance and vulnerabilities" ~ [10]: "Verify Docgen" => "license boilerplate check" ~ [11]: "attest / verify-attestation test (v1.25.x, air-gap)" => "lint" ~ [12]: "validate-release-job" => "validate-release-job" ~ [13]: "Run e2e tests" => "attest / verify-attestation test (v1.25.x, remote)" ~ [14]: "Run unit tests (windows-latest)" => "attest / verify-attestation test (v1.25.x, air-gap)" ] ~ strict : false => false } ] + restrictPushes : [ + [0]: { + blocksCreations: true + pushAllowances : [ + [0]: "MDQ6VGVhbTQ3MjIwOTI=" ] } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOFAY6Ic4B9eAC] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::cosign-release-1.13] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "release-1.13" => "release-1.13" ~ repositoryId : "MDEwOlJlcG9zaXRvcnkzMzU5NTI0MTc=" => "MDEwOlJlcG9zaXRvcnkzMzU5NTI0MTc=" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : true => true ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ requireCodeOwnerReviews : true => true ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : false => false } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "build (ubuntu-latest)" => "Check Whitespace" ~ [1]: "Run unit tests (ubuntu-latest)" => "DCO" ~ [2]: "Run PowerShell E2E tests" => "Do Not Submit" ~ [3]: "lint" => "Run PowerShell E2E tests" ~ [4]: "Run unit tests (macos-latest)" => "Run e2e tests" ~ [5]: "license boilerplate check" => "Run unit tests (macos-latest)" ~ [6]: "Check Whitespace" => "Run unit tests (ubuntu-latest)" ~ [7]: "DCO" => "Run unit tests (windows-latest)" ~ 
[8]: "License and Vulnerability Scan / Scan dependencies for license compliance and vulnerabilities" => "Verify Docgen" ~ [9]: "build (macos-latest)" => "build (macos-latest)" ~ [10]: "Do Not Submit" => "build (ubuntu-latest)" ~ [11]: "Verify Docgen" => "build (windows-latest)" ~ [12]: "build (windows-latest)" => "License and Vulnerability Scan / Scan dependencies for license compliance and vulnerabilities" ~ [13]: "validate-release-job" => "license boilerplate check" ~ [14]: "Run e2e tests" => "lint" ~ [15]: "attest / verify-attestation test (v1.24.x)" => "validate-release-job" ~ [16]: "Run unit tests (windows-latest)" => "attest / verify-attestation test (v1.24.x)" ] ~ strict : false => false } ] + restrictPushes : [ + [0]: { + blocksCreations: true + pushAllowances : [ + [0]: "MDQ6VGVhbTQ3MjIwOTI=" ] } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOGaGiic4B9eCp] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::cosign-gatekeeper-provider-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : false => false ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "R_kgDOGaGiiQ" => "R_kgDOGaGiiQ" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : false => false ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ requireCodeOwnerReviews : false => false ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : false => false } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "DCO" => "DCO" ] ~ strict : false => false } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOFO8Qr84B9eCs] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::cosign-installer-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false 
=> false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "MDEwOlJlcG9zaXRvcnkzNTEyMTE2OTU=" => "MDEwOlJlcG9zaXRvcnkzNTEyMTE2OTU=" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : true => true ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ dismissalRestrictions : [ ~ [0]: "MDQ6VGVhbTQ3MjgxMjA=" => "MDQ6VGVhbTQ3MjgxMjA=" ] ~ requireCodeOwnerReviews : true => true ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : true => true } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "DCO" => "DCO" ] ~ strict : false => false } ] + restrictPushes : [ + [0]: { + blocksCreations: true + pushAllowances : [ + [0]: "MDQ6VGVhbTQ3MjgxMjA=" ] } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOF0A5Qs4B9eEl] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::dex-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "MDEwOlJlcG9zaXRvcnkzOTAwODQ5MzA=" => "MDEwOlJlcG9zaXRvcnkzOTAwODQ5MzA=" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : false => false ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ requireCodeOwnerReviews : false => false ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : false => false } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "DCO" => "DCO" ] ~ strict : false => false } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOHshE7s4B9eEm] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::docs-main] ~ allowsDeletions : 
false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "R_kgDOHshE7g" => "R_kgDOHshE7g" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : true => true ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ requireCodeOwnerReviews : false => false ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : false => false } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "DCO" => "DCO" ] ~ strict : false => false } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOGLA7qc4BhVmD] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::fish-food-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : false => false ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "R_kgDOGLA7qQ" => "R_kgDOGLA7qQ" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : false => false ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ requireCodeOwnerReviews : false => false ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : false => false } ] ~ requiredStatusChecks : [ ~ [0]: { ~ strict: false => false } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOFFxbIM4B9eEo] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::fulcio-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "MDEwOlJlcG9zaXRvcnkzNDE1OTY5NjA=" => "MDEwOlJlcG9zaXRvcnkzNDE1OTY5NjA=" ~ 
requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : true => true ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ dismissalRestrictions : [ ~ [0]: "MDQ6VGVhbTQ3MjE3NTE=" => "MDQ6VGVhbTQ3MjE3NTE=" ] ~ requireCodeOwnerReviews : true => true ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : true => true } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "k8s manifest check" => "DCO" ~ [1]: "check-signature" => "build" ~ [2]: "oidc-config" => "Analyze (go)" ~ [3]: "build" => "check-signature" ~ [4]: "license boilerplate check" => "license boilerplate check" ~ [5]: "DCO" => "k8s manifest check" ~ [6]: "License and Vulnerability Scan / Scan dependencies for license compliance and vulnerabilities" => "validate-release-job" ~ [7]: "Analyze (go)" => "License and Vulnerability Scan / Scan dependencies for license compliance and vulnerabilities" ~ [8]: "validate-release-job" => "golangci-lint" ~ [9]: "verify-k8s-deployment (Meta Issuer)" => "verify-k8s-deployment (OIDC Issuer)" ~ [10]: "verify-k8s-deployment (OIDC Issuer)" => "verify-k8s-deployment (Meta Issuer)" ~ [11]: "CodeQL" => "oidc-config" ~ [12]: "golangci-lint" => "CodeQL" ] ~ strict : false => false } ] + restrictPushes : [ + [0]: { + blocksCreations: true + pushAllowances : [ + [0]: "MDQ6VGVhbTQ3MjE3NTE=" ] } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOFFxbIM4B9eEt] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::fulcio-release-1.0] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "release-1.0" => "release-1.0" ~ repositoryId : "MDEwOlJlcG9zaXRvcnkzNDE1OTY5NjA=" => "MDEwOlJlcG9zaXRvcnkzNDE1OTY5NjA=" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ 
requiredLinearHistory : true => true ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ dismissalRestrictions : [ ~ [0]: "MDQ6VGVhbTQ3MjE3NTE=" => "MDQ6VGVhbTQ3MjE3NTE=" ] ~ requireCodeOwnerReviews : true => true ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : true => true } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "build" => "DCO" ~ [1]: "DCO" => "build" ~ [2]: "Analyze (go)" => "Analyze (go)" ] ~ strict : false => false } ] + restrictPushes : [ + [0]: { + blocksCreations: true + pushAllowances : [ + [0]: "MDQ6VGVhbTQ3MjE3NTE=" ] } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOHwx1DM4B9eGv] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::github-sync-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "R_kgDOHwx1DA" => "R_kgDOHwx1DA" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : true => true ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ requireCodeOwnerReviews : false => false ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : false => false } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "DCO" => "DCO" ] ~ strict : false => false } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOHlAGVM4B9eGy] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::gh-action-sigstore-python-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "R_kgDOHlAGVA" => "R_kgDOHlAGVA" ~ requireConversationResolution: 
false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : false => false ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ requireCodeOwnerReviews : false => false ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : false => false } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "all-selftests-pass" => "DCO" ~ [1]: "lint" => "lint" ~ [2]: "DCO" => "all-selftests-pass" ] ~ strict : false => false } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOFmprcM4B9eGu] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::helm-charts-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "MDEwOlJlcG9zaXRvcnkzNzYwNzMwNzI=" => "MDEwOlJlcG9zaXRvcnkzNzYwNzMwNzI=" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : false => false ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ requireCodeOwnerReviews : false => false ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : false => false } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "DCO" => "DCO" ] ~ strict : false => false } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOHUzPs84B9eGn] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::gitsign-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "R_kgDOHUzPsw" => "R_kgDOHUzPsw" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : true => true ~ 
requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ requireCodeOwnerReviews : false => false ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : false => false } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "lint" => "DCO" ~ [1]: "license boilerplate check" => "e2e" ~ [2]: "DCO" => "ci" ~ [3]: "e2e" => "generate-docs" ~ [4]: "validate-release" => "license boilerplate check" ~ [5]: "ci" => "lint" ~ [6]: "generate-docs" => "validate-release" ] ~ strict : false => false } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOFeHrBM4B9eJI] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::helm-sigstore-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "MDEwOlJlcG9zaXRvcnkzNjcxMjczMDA=" => "MDEwOlJlcG9zaXRvcnkzNjcxMjczMDA=" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : true => true ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ dismissalRestrictions : [ ~ [0]: "MDQ6VGVhbTQ4MDc2NTM=" => "MDQ6VGVhbTQ4MDc2NTM=" ] ~ requireCodeOwnerReviews : true => true ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : true => true } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "DCO" => "DCO" ] ~ strict : true => true } ] + restrictPushes : [ + [0]: { + blocksCreations: true + pushAllowances : [ + [0]: "MDQ6VGVhbTQ4MDc2NTM=" ] } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOFzE1RM4B9eJL] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::homebrew-tap-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : false => false 
~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "MDEwOlJlcG9zaXRvcnkzODkxMDA4Njg=" => "MDEwOlJlcG9zaXRvcnkzODkxMDA4Njg=" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : false => false ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ requireCodeOwnerReviews : false => false ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : false => false } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "test-bot (macos-latest)" => "DCO" ~ [1]: "test-bot (ubuntu-latest)" => "test-bot (macos-latest)" ~ [2]: "DCO" => "test-bot (ubuntu-latest)" ] ~ strict : false => false } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOFp9O-M4B9eJK] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::k8s-manifest-sigstore-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "MDEwOlJlcG9zaXRvcnkzNzk1MzkxOTI=" => "MDEwOlJlcG9zaXRvcnkzNzk1MzkxOTI=" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : true => true ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ requireCodeOwnerReviews : true => true ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : true => true } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "DCO" => "DCO" ] ~ strict : false => false } ] + restrictPushes : [ + [0]: { + blocksCreations: true + pushAllowances : [ + [0]: "MDQ6VGVhbTQ5MTAyMTA=" ] } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOKKk2Ts4Cb5BN] 
[urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::model-transparency-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "R_kgDOKKk2Tg" => "R_kgDOKKk2Tg" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : true => true ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ dismissalRestrictions : [ ~ [0]: "T_kwDOBDzYIc4AlHtP" => "T_kwDOBDzYIc4AlHtP" ] ~ requireCodeOwnerReviews : true => true ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : true => true } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "DCO" => "DCO" ] ~ strict : false => false } ] + restrictPushes : [ + [0]: { + blocksCreations: true + pushAllowances : [ + [0]: "T_kwDOBDzYIc4AlHtP" ] } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOHUzRc84B9eJN] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::policy-controller-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "R_kgDOHUzRcw" => "R_kgDOHUzRcw" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : false => false ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ requireCodeOwnerReviews : false => false ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : false => false } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy_from_configmap_with_fetch_config_file)" => "Check Whitespace" ~ [1]: "Run unit tests 
(ubuntu-latest)" => "DCO" ~ [2]: "ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys (v1.25.x, remote)" => "Do Not Submit" ~ [3]: "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy_with_include_typemeta)" => "Run unit tests (ubuntu-latest)" ~ [4]: "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy_with_attestations)" => "Verify codegen" ~ [5]: "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy_with_include_spec)" => "check gofmt" ~ [6]: "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy_with_attestations_rego)" => "check goimports" ~ [7]: "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy_with_include_objectmeta)" => "dependency-review / Scan dependencies for license compliance and vulnerabilities" ~ [8]: "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy_with_warn)" => "license boilerplate check" ~ [9]: "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy_from_url)" => "lint" ~ [10]: "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy)" => "verify" ~ [11]: "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy_with_fetch_config_file)" => "e2e tests (v1.23.x)" ~ [12]: "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy_with_warn)" => "e2e tests (v1.24.x)" ~ [13]: "dependency-review / Scan dependencies for license compliance and vulnerabilities" => "e2e tests (v1.25.x)" ~ [14]: "lint" => "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy)" ~ [15]: "ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys (v1.24.x, repository)" => "ClusterImagePolicy e2e tests (v1.23.x, cluster_with_scalable)" ~ [16]: "e2e tests (v1.23.x)" => "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy_with_attestations)" ~ [17]: "Verify codegen" => "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy_with_include_typemeta)" ~ [18]: "ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys (v1.25.x, bring_own_keys)" => "ClusterImagePolicy e2e 
tests (v1.23.x, cluster_image_policy_with_warn)" ~ [19]: "check gofmt" => "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy_with_source)" ~ [20]: "license boilerplate check" => "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy_with_fetch_config_file)" ~ [21]: "Check Whitespace" => "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy_with_include_spec)" ~ [22]: "DCO" => "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy_with_include_objectmeta)" ~ [23]: "ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys (v1.23.x, bring_own_keys)" => "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy_with_attestations_rego)" ~ [24]: "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy_with_include_objectmeta)" => "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy_from_configmap_with_fetch_config_file)" ~ [25]: "ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys (v1.25.x, repository)" => "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy_from_url)" ~ [26]: "verify" => "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy)" ~ [27]: "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy)" => "ClusterImagePolicy e2e tests (v1.24.x, cluster_with_scalable)" ~ [28]: "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy_from_configmap_with_fetch_config_file)" => "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy_with_attestations)" ~ [29]: "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy_from_url)" => "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy_with_include_typemeta)" ~ [30]: "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy_with_attestations)" => "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy_with_warn)" ~ [31]: "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy_with_include_spec)" => "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy_with_source)" ~ [32]: "Do Not Submit" => 
"ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy_with_fetch_config_file)" ~ [33]: "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy_with_source)" => "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy_with_include_spec)" ~ [34]: "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy_with_include_objectmeta)" => "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy_with_include_objectmeta)" ~ [35]: "ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys (v1.23.x, remote)" => "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy_with_attestations_rego)" ~ [36]: "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy_with_source)" => "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy_from_configmap_with_fetch_config_file)" ~ [37]: "check goimports" => "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy_from_url)" ~ [38]: "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy_from_configmap_with_fetch_config_file)" => "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy)" ~ [39]: "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy_with_attestations_rego)" => "ClusterImagePolicy e2e tests (v1.25.x, cluster_with_scalable)" ~ [40]: "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy_from_url)" => "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy_with_attestations)" ~ [41]: "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy_with_include_typemeta)" => "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy_with_include_typemeta)" ~ [42]: "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy_with_include_typemeta)" => "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy_with_warn)" ~ [43]: "ClusterImagePolicy e2e tests (v1.24.x, cluster_image_policy_with_fetch_config_file)" => "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy_with_source)" ~ [44]: "e2e tests (v1.24.x)" => "ClusterImagePolicy e2e tests 
(v1.25.x, cluster_image_policy_with_fetch_config_file)" ~ [45]: "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy_with_warn)" => "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy_with_include_spec)" ~ [46]: "ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys (v1.24.x, remote)" => "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy_with_include_objectmeta)" ~ [47]: "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy_with_attestations_rego)" => "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy_with_attestations_rego)" ~ [48]: "e2e tests (v1.25.x)" => "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy_from_configmap_with_fetch_config_file)" ~ [49]: "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy_with_source)" => "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy_from_url)" ~ [50]: "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy_with_include_spec)" => "ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys (v1.23.x, repository)" ~ [51]: "ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys (v1.24.x, bring_own_keys)" => "ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys (v1.23.x, remote)" ~ [52]: "ClusterImagePolicy e2e tests (v1.23.x, cluster_image_policy_with_fetch_config_file)" => "ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys (v1.23.x, bring_own_keys)" ~ [53]: "ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys (v1.23.x, repository)" => "ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys (v1.24.x, repository)" ~ [54]: "ClusterImagePolicy e2e tests (v1.23.x, cluster_with_scalable)" => "ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys (v1.24.x, remote)" ~ [55]: "ClusterImagePolicy e2e tests (v1.25.x, cluster_with_scalable)" => "ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys (v1.24.x, bring_own_keys)" ~ [56]: "ClusterImagePolicy e2e 
tests (v1.24.x, cluster_with_scalable)" => "ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys (v1.25.x, repository)" ~ [57]: "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy)" => "ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys (v1.25.x, remote)" ~ [58]: "ClusterImagePolicy e2e tests (v1.25.x, cluster_image_policy_with_attestations)" => "ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys (v1.25.x, bring_own_keys)" ] ~ strict : false => false } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOIRmanc4B9eLq] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::protobuf-specs-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "R_kgDOIRmanQ" => "R_kgDOIRmanQ" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : true => true ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ dismissalRestrictions : [ ~ [0]: "T_kwDOBDzYIc4AaGEI" => "T_kwDOBDzYIc4AaGEI" ] ~ requireCodeOwnerReviews : false => false ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : true => true } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "DCO" => "DCO" ] ~ strict : false => false } ] + restrictPushes : [ + [0]: { + blocksCreations: true + pushAllowances : [ + [0]: "T_kwDOBDzYIc4AaGEI" ] } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOE_4TZc4B9eLr] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::public-good-instance-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : 
"MDEwOlJlcG9zaXRvcnkzMzU0MTgyMTM=" => "MDEwOlJlcG9zaXRvcnkzMzU0MTgyMTM=" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : false => false ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ requireCodeOwnerReviews : false => false ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : false => false } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "DCO" => "DCO" ] ~ strict : false => false } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOEEUXGc4B9eLs] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::rekor-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "MDEwOlJlcG9zaXRvcnkyNzI5NjMzNTM=" => "MDEwOlJlcG9zaXRvcnkyNzI5NjMzNTM=" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : true => true ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ requireCodeOwnerReviews : false => false ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : false => false } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "build" => "build" ~ [1]: "license boilerplate check" => "DCO" ~ [2]: "DCO" => "e2e" ~ [3]: "e2e" => "Analyze (go)" ~ [4]: "issue-872-e2e" => "CodeQL" ~ [5]: "Analyze (go)" => "harness" ~ [6]: "validate-release-job" => "issue-872-e2e" ~ [7]: "harness" => "sharding-e2e" ~ [8]: "container-build" => "validate-release-job" ~ [9]: "CodeQL" => "container-build" ~ [10]: "sharding-e2e" => "license boilerplate check" ] ~ strict : false => false } ] + restrictPushes : [ + [0]: { + blocksCreations: true + pushAllowances : [ + [0]: "MDQ6VGVhbTQ3MjE0NDg=" ] } ] 
+-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOEEUXGc4B9eLu] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::rekor-release-1.0] ~ allowsDeletions : true => true ~ allowsForcePushes : false => false ~ enforceAdmins : false => false ~ lockBranch : false => false ~ pattern : "release-1.0" => "release-1.0" ~ repositoryId : "MDEwOlJlcG9zaXRvcnkyNzI5NjMzNTM=" => "MDEwOlJlcG9zaXRvcnkyNzI5NjMzNTM=" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : true => true ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ requireCodeOwnerReviews : false => false ~ requireLastPushApproval : false => false ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : false => false } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "build" => "build" ~ [1]: "DCO" => "DCO" ~ [2]: "e2e" => "e2e" ~ [3]: "Analyze (go)" => "Analyze (go)" ~ [4]: "CodeQL" => "CodeQL" ] ~ strict : false => false } ] + restrictPushes : [ + [0]: { + blocksCreations: true + pushAllowances : [ + [0]: "MDQ6VGVhbTQ3MjE0NDg=" ] } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOFBic3c4B9eLx] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::rekor-monitor-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "MDEwOlJlcG9zaXRvcnkzMzcxNTczNDE=" => "MDEwOlJlcG9zaXRvcnkzMzcxNTczNDE=" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : true => true ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ dismissalRestrictions : [ ~ [0]: "MDQ6VGVhbTQ3MjIyMjE=" => "MDQ6VGVhbTQ3MjIyMjE=" ] ~ requireCodeOwnerReviews : false => false ~ requireLastPushApproval : true 
=> true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : true => true } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "lint" => "DCO" ~ [1]: "license boilerplate check" => "lint" ~ [2]: "Run unit tests" => "license boilerplate check" ~ [3]: "DCO" => "Run unit tests" ~ [4]: "dependency-review" => "dependency-review" ~ [5]: "Analyze (go)" => "Analyze (go)" ] ~ strict : false => false } ] + restrictPushes : [ + [0]: { + blocksCreations: true + pushAllowances : [ + [0]: "MDQ6VGVhbTQ3MjIyMjE=" ] } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOG8tQu84CImeC] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::rekor-search-ui-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "main" => "main" ~ repositoryId : "R_kgDOG8tQuw" => "R_kgDOG8tQuw" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : true => true ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ dismissalRestrictions : [ ~ [0]: "T_kwDOBDzYIc4AdQAy" => "T_kwDOBDzYIc4AdQAy" ] ~ requireCodeOwnerReviews : false => false ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : true => true } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "Action lint" => "Prettier" ~ [1]: "ESLint" => "Spacing" ~ [2]: "DCO" => "DCO" ~ [3]: "Prettier" => "ESLint" ~ [4]: "Spacing" => "Action lint" ~ [5]: "Do not submit" => "Do not submit" ] ~ strict : false => false } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOFotDCM4B9eNe] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::root-signing-main] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false 
=> false ~ pattern : "main" => "main" ~ repositoryId : "MDEwOlJlcG9zaXRvcnkzNzgyMjU0MTY=" => "MDEwOlJlcG9zaXRvcnkzNzgyMjU0MTY=" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : true => true ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ dismissalRestrictions : [ ~ [0]: "T_kwDOBDzYIc4AYVWd" => "T_kwDOBDzYIc4AYVWd" ~ [1]: "MDQ6VGVhbTQ4OTkzMDk=" => "MDQ6VGVhbTQ4OTkzMDk=" ] ~ requireCodeOwnerReviews : false => false ~ requireLastPushApproval : true => true ~ requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : true => true } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "lint" => "DCO" ~ [1]: "test" => "yamllint" ~ [2]: "client" => "test" ~ [3]: "DCO" => "lint" ~ [4]: "yamllint" => "validate" ~ [5]: "validate" => "client" ] ~ strict : false => false } ] + restrictPushes : [ + [0]: { + blocksCreations: true + pushAllowances : [ + [0]: "T_kwDOBDzYIc4AYVWd" + [1]: "MDQ6VGVhbTQ4OTkzMDk=" + [2]: "MDQ6VXNlcjg2ODM3MzY5" + [3]: "U_kgDOByoNQQ" ] } ] +-github:index/branchProtection:BranchProtection: (replace) [id=BPR_kwDOFotDCM4CDLrs] [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::root-signing-test-ceremony/*] ~ allowsDeletions : false => false ~ allowsForcePushes : false => false ~ enforceAdmins : true => true ~ lockBranch : false => false ~ pattern : "test-ceremony/*" => "test-ceremony/*" ~ repositoryId : "MDEwOlJlcG9zaXRvcnkzNzgyMjU0MTY=" => "MDEwOlJlcG9zaXRvcnkzNzgyMjU0MTY=" ~ requireConversationResolution: false => false ~ requireSignedCommits : false => false ~ requiredLinearHistory : true => true ~ requiredPullRequestReviews : [ ~ [0]: { ~ dismissStaleReviews : true => true ~ dismissalRestrictions : [ ~ [0]: "T_kwDOBDzYIc4AYVWd" => "T_kwDOBDzYIc4AYVWd" ~ [1]: "MDQ6VGVhbTQ4OTkzMDk=" => "MDQ6VGVhbTQ4OTkzMDk=" ] ~ requireCodeOwnerReviews : false => false ~ requireLastPushApproval : true => true ~ 
requiredApprovingReviewCount: 1 => 1 ~ restrictDismissals : true => true } ] ~ requiredStatusChecks : [ ~ [0]: { ~ contexts: [ ~ [0]: "DCO" => "DCO" ] ~ strict : false => false } ] + restrictPushes : [ + [0]: { + blocksCreations: true + pushAllowances : [ + [0]: "T_kwDOBDzYIc4AYVWd" + [1]: "MDQ6VGVhbTQ4OTkzMDk=" + [2]: "MDQ6VXNlcjg2ODM3MzY5" + [3]: "U_kgDOByoNQQ" ] }
```

**Warn**: The output was too long and trimmed.

jku commented 3 months ago

So the result seems to be that every Branch Protection gets this addition:

```
  + restrictPushes               : [
  +     [0]: {
          + blocksCreations: true
          + pushAllowances : [
          +     [0]: "T_kwDOBDzYIc4AYVWd"
          +     [1]: "MDQ6VGVhbTQ4OTkzMDk="
          +     [2]: "MDQ6VXNlcjg2ODM3MzY5"
```

blocksCreations is a new option in GitHub: I believe true as default makes sense but it also changes what used to be the default (as crazy as it sounds, creating new protected branches was not protected).

I will review some specific projects to see if the pushAllowances list makes sense -- I'm a little surprised something like this was not in there already?
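
As an added example (not part of this thread and not github-sync code), here is a small Python parser that reduces a Pulumi preview like the one above to its effective changes. It drops `x => x` entries and pure reorderings of list elements such as `contexts`. The sample input is constructed with placeholder IDs, and attributing each `[i]` entry to the most recently opened list is a simplifying assumption.

```python
import re
from collections import Counter

TOKEN = re.compile(r'''
    \[urn=[^\]]*::(?P<res>[^\]\s]+)\]                  # resource header; name follows last "::"
  | (?P<lop>[~+-])\s+(?P<list>\w+)\s*:\s*\[(?!\d)      # list opener, e.g. "~ contexts: ["
  | (?P<op>[~+-])\s+(?P<key>\[\d+\]|\w+)\s*:\s*        # scalar, e.g. "~ key : old => new"
        (?P<old>"[^"]*"|[^\s"\[{]+)(?:\s+=>\s+(?P<new>"[^"]*"|\S+))?
''', re.X)


def summarize(preview):
    """Map resource name -> effective changes, ignoring `x => x` and list reorders."""
    raw, cur, lst = {}, None, None
    for m in TOKEN.finditer(preview):
        if m['res']:
            cur = raw.setdefault(m['res'], {'blocks': [], 'scalars': {}, 'lists': {}, 'noops': 0})
            lst = None
        elif cur is None:
            continue                                   # text before the first resource
        elif m['list']:
            lst = cur['lists'].setdefault(m['list'], (Counter(), Counter()))
            if m['lop'] != '~':                        # whole block added or removed
                cur['blocks'].append(m['lop'] + m['list'])
        else:
            op, old = m['op'], m['old'].strip('"')
            new = m['new'].strip('"') if m['new'] else None
            if m['key'].startswith('[') and lst is not None:   # element of the open list
                if op != '+':
                    lst[0][old] += 1                   # value present before
                if op != '-':
                    lst[1][new if new is not None else old] += 1   # value present after
            elif op == '~' and old == new:
                cur['noops'] += 1                      # reported as changed, value identical
            else:
                cur['scalars'][m['key']] = (op, old, new)
    out = {}
    for name, r in raw.items():
        # Compare lists as multisets so a reordering alone is not reported.
        lists = {k: {'added': sorted((n - o).elements()), 'removed': sorted((o - n).elements())}
                 for k, (o, n) in r['lists'].items() if o != n}
        if r['blocks'] or r['scalars'] or lists:
            out[name] = {'blocks': r['blocks'], 'scalars': r['scalars'],
                         'lists': lists, 'noops': r['noops']}
    return out


# Constructed sample in the flattened form shown on this page; all IDs are placeholders.
URN = '[urn=urn:pulumi:example::example-sync::github:index/branchProtection:BranchProtection::'
SAMPLE = (
    '+-github:index/branchProtection:BranchProtection: (replace) [id=BPR_PLACEHOLDER] '
    + URN + 'repo-a-main] ~ enforceAdmins : true => true ~ requiredStatusChecks : [ ~ [0]: { '
    '~ contexts: [ ~ [0]: "lint" => "DCO" ~ [1]: "DCO" => "lint" ] ~ strict : false => false } ] '
    '+ restrictPushes : [ + [0]: { + blocksCreations: true + pushAllowances : [ '
    '+ [0]: "TEAM_ID_PLACEHOLDER" ] } ] '
    + URN + 'repo-b-main] ~ lockBranch : false => false ~ requiredStatusChecks : [ ~ [0]: { '
    '~ contexts: [ ~ [0]: "build" => "DCO" ~ [1]: "DCO" => "e2e" ] } ] '
    + URN + 'repo-c-main] ~ pattern : "main" => "main" '
)

if __name__ == '__main__':
    for name, change in summarize(SAMPLE).items():
        print(name, change)
```

Run over a full preview, only resources with an effective change remain, so an added `restrictPushes` block or a dropped status check is not buried among `false => false` lines.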

jku commented 3 months ago

To my best understanding these are correct:

I'm still baffled by how we only get an added pushAllowances but nothing was removed... What happened to the PushRestrictions used in the previous pulumi-github version?

I wish there was a way to deploy this to one or two projects first :)

haydentherapper commented 3 months ago

We could make the change in the conformance org which would only affect one project.

jku commented 3 months ago
> • an empty pushAllowances list does not mean pushes are not allowed: Organization administrators, repository administrators, and users with the Maintain role on the repository can always push when all other requirements have passed

I keep re-reading this and I'm not sure if it can be true. What does the "restrict who can push" checkbox even mean at this point?

It seems the checkbox actually means "allow more people to push" instead of "restrict who can push"? The docs on all sides are kind of bad but this would actually be in line with the new argument name: pushAllowances vs restrictions...

jku commented 3 months ago

> We could make the change in the conformance org which would only affect one project.

I think this would be useful. However, I don't have access to the project settings in GitHub UI so I can't compare what it looks like right now and what it looks like after applying... Would maybe have to add admin permissions first.

Before that can we figure out this:

My current assumption based on careful reading of various docs is:

jku commented 3 months ago

I've got a possible branch in https://github.com/jku/github-sync/tree/tweak-push-restrictions: it tries to avoid setting restrictPushes at all if the list is empty. I assume this is the equivalent of not checking the checkbox at all.

You could modify github-sync-pr-sigstore.yml in this PR to do uses: jku/github-sync@tweak-push-restrictions instead of sigstore/github-sync@main if you want to test that one...

haydentherapper commented 3 months ago

> when the box is not checked, all collaborators can still push to the branch (if other rules do not prevent the push)
> If the box is checked, only maintainers can push to the branch (if other rules do not prevent the push)

That sounds correct to me, and your fix SGTM. From what I understand, the difference is that those with push permissions can both review and merge if the check box is unselected, but only review if the check box is selected (we leverage this in some repos for example to differentiate between reviewers vs codeowners)

haydentherapper commented 2 months ago

@jku reran based on merged sync PR

jku commented 2 months ago

So no change from the github-sync PR merge...

haydentherapper commented 2 months ago

Created https://github.com/sigstore/community/pull/434 so that we (we = TSC or anyone who's a maintainer on this repo) can manually run preview and up to sync.

This SDK bump seems safe, though we'll try in the conformance org first.