step-security / secure-repo

Orchestrate GitHub Actions Security
https://app.stepsecurity.io
GNU Affero General Public License v3.0

Setup release-monitor for com.github.ben-manes.caffeine/caffeine #686

Open varunsh-coder opened 2 years ago

varunsh-coder commented 2 years ago

This issue is to track setting up release-monitor for https://github.com/ben-manes/caffeine. The expected release process KB for the library is here.

Notification preference is email or issue in the repo.

/cc @ben-manes

varunsh-coder commented 2 years ago

Hi @ben-manes, the first release of the release-monitor is ready. Please give it a try and let me know your feedback. You can install the App from here: https://github.com/apps/stepsecurity-app. Once you install it on the https://github.com/ben-manes/caffeine repository, every time there is a GitHub release, it will check if the expected release process was followed.

If not, an issue like this will be created.

As of now, it does not correlate the release in maven repository with the GitHub release. I will get back once that correlation is added.

Please let me know if you have feedback. These are some ideas I have been thinking about:

  1. We can create an issue if one of the allowed branches is not a protected branch, should this be a feature?
  2. Would you prefer to place the expected release process as code file in your own repo?

ben-manes commented 2 years ago

Installed.

  1. I think that is a good reminder if it is a one-time notification per branch. It is low nuisance and prompted me to make them protected. It of course should not be a requirement.
  2. To scale adoption and maintainability, I think the configuration should reside in the target project.

varunsh-coder commented 2 years ago

I noticed that a new release was published. Release monitor analyzed it and it was as expected. This is what was logged in the backend. First release to be monitored by Release Monitor!

Release was as expected {ben-manes caffeine [master] 2128448d841adadd4646b12abe0d9b19a55f5f2f v3.1.1 release.yml}

I am wondering if there is a non-intrusive way to communicate that it was as expected, like via a status or something. Thoughts?
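An added example (not part of this issue thread and not StepSecurity's release-monitor code) of the kind of check the comment above describes: given a release event and the expected release process, decide whether the release came from an allowed branch via the expected workflow, and print a record shaped like the one logged above. The `ExpectedReleaseProcess` and `ReleaseEvent` field names, the config living in the target repo, and the tag pattern are all assumptions for illustration; the sample events are constructed, with the passing one taken from the logged values.

```python
"""Added example: check a GitHub release against an expected release process.
Not the release-monitor's own code; types and field names are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ExpectedReleaseProcess:
    """Expected-process config; assumed to be a file in the target repo (assumption)."""
    allowed_branches: frozenset          # branches a release may be cut from
    workflow_file: str                   # workflow allowed to publish releases
    tag_pattern: str = r"^v\d+\.\d+\.\d+$"  # release tags must look like v3.1.1


@dataclass(frozen=True)
class ReleaseEvent:
    """Constructed view of a release; field names are illustrative, not GitHub's schema."""
    owner: str
    repo: str
    tag: str
    target_branch: str                   # branch the release commit was on
    commit_sha: str
    workflow_file: Optional[str]         # None when the release was created by hand


def check_release(event: ReleaseEvent, expected: ExpectedReleaseProcess) -> Tuple[bool, List[str]]:
    """Return (ok, reasons); an empty reasons list means the expected process was followed."""
    reasons = []
    if event.target_branch not in expected.allowed_branches:
        reasons.append(
            f"branch {event.target_branch!r} is not in allowed branches "
            f"{sorted(expected.allowed_branches)}"
        )
    if event.workflow_file is None:
        reasons.append("release was not created by a workflow run")
    elif event.workflow_file != expected.workflow_file:
        reasons.append(
            f"release created by {event.workflow_file!r}, expected {expected.workflow_file!r}"
        )
    if not re.fullmatch(expected.tag_pattern, event.tag):
        reasons.append(f"tag {event.tag!r} does not match {expected.tag_pattern!r}")
    if not re.fullmatch(r"[0-9a-f]{40}", event.commit_sha):
        reasons.append("commit is not identified by a full 40-hex SHA")
    return (not reasons, reasons)


def format_record(event: ReleaseEvent, expected: ExpectedReleaseProcess) -> str:
    """Render a one-line record in the shape of the backend log line quoted in the thread."""
    ok, reasons = check_release(event, expected)
    verdict = "Release was as expected" if ok else "Release deviated from expected process"
    branches = " ".join(sorted(expected.allowed_branches))
    line = (
        f"{verdict} {{{event.owner} {event.repo} [{branches}] "
        f"{event.commit_sha} {event.tag} {event.workflow_file or '-'}}}"
    )
    if reasons:
        line += " reasons=" + "; ".join(reasons)
    return line


# Constructed config for the caffeine repo: releases come from master via release.yml.
EXPECTED = ExpectedReleaseProcess(allowed_branches=frozenset({"master"}), workflow_file="release.yml")

# Passing event, built from the values in the logged record above.
OK_EVENT = ReleaseEvent(
    owner="ben-manes", repo="caffeine", tag="v3.1.1", target_branch="master",
    commit_sha="2128448d841adadd4646b12abe0d9b19a55f5f2f", workflow_file="release.yml",
)

# Constructed failing event: a hand-made release from a feature branch with an odd tag.
BAD_EVENT = ReleaseEvent(
    owner="ben-manes", repo="caffeine", tag="3.1.2-rc", target_branch="feature/x",
    commit_sha="2128448d841adadd4646b12abe0d9b19a55f5f2f", workflow_file=None,
)

if __name__ == "__main__":
    print(format_record(OK_EVENT, EXPECTED))
    print(format_record(BAD_EVENT, EXPECTED))
```

The check is deliberately a pure function of the event and the config, so the same logic can back either an issue (on failure) or a commit comment or status (on success), which is the notification question raised in the comment.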

ben-manes commented 2 years ago

That's awesome! There is a check api for commits, but it isn't super useful and needs a token (e.g. PAT). A badge would be too much given this is a sanity check so more for if things go wrong. Maybe a comment on the commit from your bot to confirm that it passed the release? Not really sure either...