-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reimplement branch protection rules that had to be removed #260
Comments
We're not sure how todo this. This card is a bit "spikish". If it looks like achieving this is impossible or extremely difficult, report back to the team. |
Looks like there's no way to give GitHub actions the ability to bypass branch protections rules using the built-in token. There's been a lot of discussion about it, the main threads being https://github.com/orgs/community/discussions/13836 and https://github.com/orgs/community/discussions/25305. It seems like the most robust way to do this would be by creating a new GitHub App, granting that app the ability to bypass branch protections, and using a token from that app to perform the required actions. The scenarios where we currently need to be able to bypass branch protection rules seem to be: We could have an app for each of these to limit the surface area for each permission, if we wanted to - though IMO that's overkill, and having a single app for all of these should be fine. Note that creating a tag for Similarly, on push the CI workflow will be triggered, so we'd want to remove our workaround that manually triggers the CI workflow after merge-ups, to avoid double-ups. There's no risk of infinite loops in this case because merge-ups isn't triggered in any way by the CI workflow. |
To clarify what I mean about removing overrides: Right now, we have some GitHub actions that push a tag, or push code commits. If we do what I've suggested in the comment above and use a different token for pushing those commits, that token will not be associated with GitHub Actions, so it will naturally trigger the ci.yml workflow. In that case we won't want to also manually dispatch ci.yml from within gha-merge-up. |
If we were to do what's proposed, I think we would still need to manually dispatch. I believe the workaround was in place not because of token limitations, instead because one github workflow will not trigger a subsequent workflow via the 'push' event in order to prevent infinite loops. We work around that by curling the GitHub API to trigger it via the 'workflow_dispatch' trigger |
That's true, but based on the conversations I've seen with people doing what I've proposed, that's based on the token. It doesn't trigger subsequent workflows because the token used to perform the push belongs to GitHub Actions. |
Yeah I guess it would just double trigger which shouldn't cause any issues Seems like the github app a.k.a the permission holder is the correct way to go about implementing this |
I realised that this isn't viable - adding the app to the organisation would mean anyone with write access to any repo in this org would be able to use the app (and its permissions) to affect repos they shouldn't be allowed to affect. Chatted with Steve offline - for now we'll proceed with the branch protection rules as they currently are. This means we will still be a bottleneck for merging community PRs, but we can invite community members to explicitly review pull requests. Once the PRs are reviewed, they can then escalate to us to have a last look and click merge. This is a stepping stone in the right direction, if nothing else. I'll raise a card to update the docs to reflect the new position. |
For future reference a new option has emerged: https://github.com/orgs/community/discussions/25305#discussioncomment-10728028 |
The tag ruleset create restriction was removed in #259 so that gha-tag-release could function and automatically tag patch releases as part of gha-ci
Other rules were also causing problems:
v1
tag in order to recreate it #267Investigate if it's possible to reimplement that restriction by somehow adding bypass permisions (repository admin) to the github-actions user. Or alternatively find another method.
Acceptance criteria
The text was updated successfully, but these errors were encountered: