What we are trying to achieve
We would like to implement an InnerSource approach where any developer can send a pull request within the same repository, which requires the main branch to be appropriately protected. This means mitigating the issues described in How to bypass GitHub’s Branch Protection, which is not possible with GitHub organization rulesets alone and requires the use of Policy Bot.
In particular, as the shared base rule, we would like to implement the most basic rules of requiring 1 approval for human-created pull requests and 2 approvals for bot-created pull requests, where only approvals from humans, i.e. not GitHub Apps or machine accounts, count. Some use cases which require additional features to be implemented are described below in more detail.
How we are currently achieving the goal
Corresponding code change: #974
We have added 2 features to Actor itself:
UserTypes: "User" and "Bot", the same as from the API (distinguished using the existence of the [bot] suffix). "User" are normal GitHub accounts, while "Bot" are GitHub Apps (including github-actions[bot]).
Not: to exclude a certain subset of users. This allows expressing blocklists in addition to the default policy-bot allowlists.
This allows us to express the idea of "humans" by "anyone with UserTypes User and not specific users" like
Or, allow GitHub Apps in the organization to approve, but not GitHub Actions:
Or, to disallow all machine users except one specific machine account for the repository:
Or, to disallow all machine users except one specific machine account for the repository:
We can also partially achieve this by having a specific team consisting of all humans; however, the above approach also has the crucial benefit of not having to make any GitHub API requests to check the membership status of GitHub teams.
We believe that this change is the minimum necessary to accomplish our goal.
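The semantics the post describes, as an added Go illustration that is neither the code from #974 nor policy-bot's own implementation: an Actor with the two proposed fields, the [bot]-suffix classification, the three actor shapes the post lists (humans; humans and GitHub Apps except GitHub Actions; humans plus one permitted machine account), and the base rule of 1 approval for User-authored and 2 for Bot-authored pull requests with only matching approvers counted. Everything not stated in the post is an assumption made here: the logins and machine-account names, the review states, the decision that Not wins over the allowlists, and that a reviewer never counts on their own pull request.

```go
package main

import (
	"fmt"
	"strings"
)

// UserType is the post's account kind: "User" (normal accounts, machine accounts included) or "Bot" (GitHub Apps).
type UserType string

const UserTypeUser, UserTypeBot UserType = "User", "Bot"

// UserTypeOf classifies a login by the "[bot]" suffix of GitHub App logins; no API call is needed.
func UserTypeOf(login string) UserType {
	if strings.HasSuffix(login, "[bot]") {
		return UserTypeBot
	}
	return UserTypeUser
}

// Actor is a hypothetical actor in the spirit of policy-bot's, with the proposed fields: Users and
// UserTypes are allowlists (either match selects the login); Not is a blocklist that wins (an assumption).
type Actor struct {
	Users     []string
	UserTypes []UserType
	Not       *Actor
}

// Matches reports whether login is selected by the actor; a nil actor matches nothing.
func (a *Actor) Matches(login string) bool {
	if a == nil || a.Not.Matches(login) {
		return false
	}
	for _, u := range a.Users {
		if u == login {
			return true
		}
	}
	for _, t := range a.UserTypes {
		if t == UserTypeOf(login) {
			return true
		}
	}
	return false
}

// Review and PullRequest are constructed stand-ins; State is APPROVED, CHANGES_REQUESTED or COMMENTED.
type Review struct{ Author, State string }
type PullRequest struct{ Author string; Reviews []Review } // Reviews in submission order

// Rule is the post's base rule: only reviews from Approvers count, and Counts gives the number
// required keyed by the account type of whoever opened the pull request.
type Rule struct{ Approvers Actor; Counts map[UserType]int }

// Required returns how many approvals pr needs under the rule.
func (r Rule) Required(pr PullRequest) int { return r.Counts[UserTypeOf(pr.Author)] }

// Approvals counts distinct reviewers whose latest review approves and who match Approvers;
// the author's own review never counts (an assumption for this example).
func (r Rule) Approvals(pr PullRequest) int {
	latest := map[string]string{}
	for _, rv := range pr.Reviews {
		latest[rv.Author] = rv.State // a later review supersedes an earlier one
	}
	n := 0
	for who, state := range latest {
		if state == "APPROVED" && who != pr.Author && r.Approvers.Matches(who) {
			n++
		}
	}
	return n
}

var (
	// machineAccounts is a constructed list of the repository's machine accounts: ordinary
	// User logins nobody operates by hand, so the "[bot]" suffix cannot flag them.
	machineAccounts = []string{"deploy-robot", "sync-robot"}
	// Humans: anyone of type User who is not a known machine account.
	Humans = Actor{UserTypes: []UserType{UserTypeUser}, Not: &Actor{Users: machineAccounts}}
	// HumansAndApps: humans plus GitHub Apps, but not GitHub Actions.
	HumansAndApps = Actor{UserTypes: []UserType{UserTypeUser, UserTypeBot},
		Not: &Actor{Users: append([]string{"github-actions[bot]"}, machineAccounts...)}}
	// HumansAndDeployRobot: every machine user excluded except deploy-robot; since the blocklist
	// wins, the permitted account is left out of Not rather than re-added to Users.
	HumansAndDeployRobot = Actor{UserTypes: []UserType{UserTypeUser}, Not: &Actor{Users: []string{"sync-robot"}}}
	// BaseRule: 1 approval for User-authored, 2 for Bot-authored pull requests, humans only.
	BaseRule = Rule{Approvers: Humans, Counts: map[UserType]int{UserTypeUser: 1, UserTypeBot: 2}}
)

func main() {
	// Constructed input: a human PR with one human approval, and a dependabot PR approved by
	// one human and by github-actions[bot], whose approval must not count.
	for _, pr := range []PullRequest{
		{Author: "alice", Reviews: []Review{{"bob", "APPROVED"}}},
		{Author: "dependabot[bot]", Reviews: []Review{{"bob", "APPROVED"}, {"github-actions[bot]", "APPROVED"}}},
	} {
		have, need := BaseRule.Approvals(pr), BaseRule.Required(pr)
		fmt.Printf("%-16s approvals=%d required=%d satisfied=%v\n", pr.Author, have, need, have >= need)
	}
}
```

Running it shows the dependabot[bot] pull request ending with 1 counted approval against 2 required: the github-actions[bot] approval is dropped by the actor definition itself, with no GitHub API lookup of team membership, which is the property the post singles out.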