Comments (4)
* [ ] Consider adding branch protection rules
I was referring to the environment protections, not branch protection.
* [ ] Reconsider how dev builds are triggered from CI, splitting it out into a separate pipeline instead of calling the workflow directly from `ci.yml`
I don't see a problem with this for as long as the job has a separate environment set.
* [ ] Ensure publishing secrets aren't available to CI jobs
Hey @jorisroovers, I'd like to invite you to join the private beta of secretless publishing from GHA to PyPI. Please, fill out this form https://forms.gle/XUsRT8KTKy66TuUp7 to get in.
Note-to-self: This section in the OIDC docs has good suggestions on github action hardening:
https://github.com/pypi/warehouse/blob/ab05dd4c137eb57ff55794a659062f02b4c326bc/docs/user/trusted-publishers/security-model.md#considerations
Just configured a few things:
- Tag protection Rule: on all tags (`*`). This effectively makes me the only one who can add or delete tags.
- Branch Protections on `main`:
  - Require a pull request before merging:
    - Require approvals: pull requests targeting `main` require 1 or more approvals and no changes requested before they can be merged.
    - Require approval of the most recent reviewable push: Whether the most recent reviewable push must be approved by someone other than the person who pushed it.
  - Require status checks to pass before merging: Certain status checks must pass before branches can be merged into `main`. I’ve added the Python 3.11 `tests`, `sdist-build-smoke-test`, `build-test` and `doc-checks`.
  - Require linear history: Prevent merge commits from being pushed to matching branches.
  - Allow force pushes:
    - Specify who can force push: @jorisroovers
- Environment Protection Rule:
  - Deployment branches: Only `main` can deploy to the `production` environment (i.e. PyPI).

Notes
- As a repo admin I can override these rules. For example, I can still do direct (force) push to main. I don’t do this often, but it happens. I’ve just tried this in 53887bc.
- In general I’ve tried to strike a balance between increased security and usability. My main intent here is to (1) avoid accidental merges to main (2) avoid accidental releases. At the same time, I don’t want to create extra friction on a day-to-day basis so I might loosen things again if they turn out to be too cumbersome.

Next up are job permissions.
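The comments above describe three pieces that only pay off together: the `production` environment rule (only `main` may deploy), a `GITHUB_TOKEN` that is read-only for ordinary CI jobs, and secretless publishing via OIDC instead of a long-lived `PYPI_TOKEN`. The workflow below is an added example written for this thread, not gitlint's own `ci.yml` or release workflow; the workflow name, the `workflow_dispatch` trigger, the artifact name `dist` and the Python version are assumptions, and the action references use release tags rather than the commit-SHA pins the linked PyPI security-model doc recommends.

```yaml
# Added example, not gitlint's own workflow. Shows least-privilege job
# permissions plus OIDC trusted publishing behind the "production" environment.
name: release   # assumed name

on:
  # Run manually from the main branch. Because the "production" environment
  # only allows deployments from main, a run started from any other ref is
  # rejected at the publish job (deployment-branch rule from the comment above).
  workflow_dispatch:

# Default for every job in this workflow: a read-only GITHUB_TOKEN.
# Jobs that need more must opt in explicitly below.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"   # assumed
      - run: python -m pip install build
      - run: python -m build        # produces dist/*.tar.gz and dist/*.whl
      - uses: actions/upload-artifact@v4
        with:
          name: dist               # assumed artifact name
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Binding the job to the environment is what makes the protection rule apply.
    environment:
      name: production
      url: https://pypi.org/project/gitlint/
    permissions:
      id-token: write   # the only extra privilege: mint the OIDC token for PyPI
      contents: read
    steps:
      # No checkout and no build here: the job with id-token:write runs no
      # project code, only downloads the artifact produced by the build job.
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      # No PYPI_TOKEN / password input: the action exchanges the job's OIDC
      # token for a short-lived PyPI upload token, so there is no long-lived
      # publishing secret that other CI jobs could read.
      - uses: pypa/gh-action-pypi-publish@release/v1
```

Two things to check after adopting a workflow like this. First, `ci.yml` and any job that calls it should keep the read-only default and never declare `id-token: write`, otherwise the "publishing secrets aren't available to CI jobs" item is only half met. Second, the split between `build` and `publish` matters: if the same job that holds `id-token: write` also runs `pip install` or the test suite, a compromised dependency or test runs with the power to publish, which is the scenario the considerations section of the linked security-model doc warns about.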