Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider managing repo settings via GitHub's probot app #2

Open
wants to merge 1 commit into
base: monorepo
Choose a base branch
from
Open

Consider managing repo settings via GitHub's probot app #2

wants to merge 1 commit into from

Conversation

patcon
Copy link
Member

@patcon patcon commented Apr 9, 2020
edited
Loading

GitHub has an app that we can auth on the repo and use to manage/sync repo settings through the PR process, just like we would with any code change. Can be nice way to change things using the same process everyone already understands: labels, branch protection, repo description, topics, collaborators, etc

App: https://github.com/apps/settings
Code: https://github.com/probot/settings

This just imports current settings into a config file, and doesn't change anything.

I'm mainly intending this as a check-in on whether this app would suit upstream pol-is org. I'm not intending this yet as a place to change settings, though that's certainly something to do later.

cc: @colinmegill @metasoarous

To Do

@patcon patcon requested a review from crkrenn April 9, 2020 19:29
@patcon patcon self-assigned this Apr 9, 2020
@patcon patcon changed the title Consider managing settings via GitHub's probot app Consider managing repo settings via GitHub's probot app Apr 9, 2020
@patcon
Copy link
Member Author

patcon commented Apr 9, 2020

Also, no urgency on this

crkrenn
crkrenn approved these changes Apr 10, 2020
View reviewed changes
Copy link

@crkrenn crkrenn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 on consideration. neutral on implementation now.

This seems reasonable. And because of the warning below, there is a tension between making management easier using probot with a core set of fully trusted maintainers and making management easier by giving a larger group of maintainers limited push access. That's not my call.

Best of both worlds would be to follow the repo and implement when the team limitations are implemented.

WARNING: Note that this integration inherently escalates anyone with push permissions to the admin role, since they can push config settings to the master branch, which will be synced. In the future, we may add restrictions to allow changes to the config file to be merged only by specific people/teams, or those with admin access (via a combination of protected branches, required statuses, and branch restrictions). Until then, use caution when merging PRs and adding collaborators.

@patcon
Copy link
Member Author

patcon commented Apr 10, 2020
edited
Loading

Thanks chris!

WARNING: Note that this integration inherently escalates anyone with push permissions to

Note that turning on "branch protection" addresses this vulnerability -- can set repo so pushers can't change master without going through PR with review& approval from others. Without that precaution, the escalation of push to admin does happen.

I'll give upstream maintainers a chance to weigh in.

EDIT: What we could add for branch protection:

branches:
  - name: monorepo
    protection:
      required_pull_request_reviews:
        required_approving_review_count: 1
        dismiss_stale_reviews: false
        dismissal_restrictions: {}
      required_status_checks: null
      enforce_admins: true
      restrictions: null

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crkrenn crkrenn crkrenn approved these changes

Assignees

@patcon patcon

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@patcon @crkrenn