Migrate from branch protection to rulesets? #255
Comments
I may have been too hasty! At some point in the future, GitHub should have a "click here to move your branch protection settings to rulesets" button. Unless someone wants to pick this up sooner than later, I think it'll be less work if we wait for the button.
I like the EASY button
Cheers,
CRob
Director of Security Communications
Intel Product Assurance and Security
From: Zach Steindler ***@***.***>
Sent: Tuesday, February 20, 2024 9:56 AM
To: ossf/tac ***@***.***>
Cc: Subscribed ***@***.***>
Subject: Re: [ossf/tac] Migrate from branch protection to rulesets? (Issue #255)
Is this a duplicate of 333 and can be closed out in this issue?
One problem is that branch protection is easily verified, and Scorecard does this. Rulesets aren't. I didn't see an argument for the switch - why should we switch?
Notes from TAC call where this was discussed:
@marcelamelara, @mlieberman85 and @SecurityCRob status update please!
Thanks for the ping, Sarah! This completely fell off my radar. FWIW, here is the discussion on the rulesets vs branch protection: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets#about-rulesets-and-protected-branches We may ultimately decide to shelve this and keep things as they are. But I think we have an opportunity here to revisit this and align with the security baseline as well. @SecurityCRob and @mlieberman85 wdyt?
I think either or is easy. I think setting up rulesets is most powerful at the org level though. Given that our stuff is fairly straightforward as far as branches go, I don't think we would have much benefit here over normal branch protection.
Maybe this is something we can follow up on with @SecurityCRob then. Barring any objections, I'm going to close this issue by EOW.
For what it's worth, I'm no expert in the matter so I may be missing something here, but I'm not convinced we really have a problem that needs fixing. I support closing this as is.
It's up to the TAC, but I recommend for now sticking with branch protection. I don't see any concrete benefits. Rulesets are potentially more flexible, but I haven't seen any example of how that flexibility would benefit OpenSSF. "More complicated but more flexible" is only a good idea if you have good reason to believe you'll use the flexibility. Someone else may see a specific example. I would be delighted to learn of one, of course!

Rulesets have drawbacks. In particular, Scorecard can easily detect the use of branch protection today, making it clear we do it. Scorecard cannot detect equivalent use of rulesets - so it would look like we're doing worse in Scorecard, and we couldn't easily verify with Scorecard that we were doing the right thing. I'm not even sure we can modify Scorecard to also detect this use of Rulesets. So something that makes us look worse - and is harder to verify with an independent tool we use - seems like a drawback. Maybe we should at least implement this in Scorecard (if we can) first? Again, though, I think this is a TAC decision.
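The verifiability point raised above (classic branch protection is exposed through one API endpoint, rulesets through another, so a checker that only reads the first one reports an unprotected branch even when a ruleset enforces the same rules) can be illustrated with a small script. This is an added example, not code from this issue thread, from the OpenSSF TAC repository or from Scorecard. It assumes two GitHub REST endpoints and their response shapes as documented by GitHub: `GET /repos/{owner}/{repo}/branches/{branch}/protection` (404 when no classic protection applies) and `GET /repos/{owner}/{repo}/rules/branches/{branch}` (the list of ruleset rules active for that branch). The sample payloads are constructed; the field names follow the API documentation but the values are made up.

```python
"""Report what is enforced on a branch by classic branch protection, by rulesets, or by both.

Added example for the ossf/tac rulesets discussion; not project or Scorecard code.
Assumed endpoints (GitHub REST API, as understood from its documentation):
  GET /repos/{owner}/{repo}/branches/{branch}/protection  -> 200 + JSON, or 404 if unprotected
  GET /repos/{owner}/{repo}/rules/branches/{branch}       -> JSON list of active ruleset rules
"""
import json
import os
import urllib.error
import urllib.request

API = "https://api.github.com"


def fetch_json(path, token=None):
    """GET an API path and return (status, parsed body). Network only; the samples below run offline."""
    req = urllib.request.Request(API + path, headers={"Accept": "application/vnd.github+json"})
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def summarize(protection_status, protection_body, branch_rules):
    """Merge both mechanisms into one view of the controls enforced on a branch.

    protection_status: HTTP status from the branch-protection endpoint (404 means none).
    protection_body:   its JSON body (dict) when the status is 200.
    branch_rules:      JSON list from the rules-for-branch endpoint (empty when no ruleset applies).
    """
    result = {
        "classic_protection": protection_status == 200,
        "ruleset_protection": len(branch_rules) > 0,
        "required_reviews": 0,
        "status_checks": False,
        "signed_commits": False,
        "force_push_blocked": False,
        "deletion_blocked": False,
    }
    if result["classic_protection"]:
        reviews = protection_body.get("required_pull_request_reviews") or {}
        result["required_reviews"] = reviews.get("required_approving_review_count", 0)
        result["status_checks"] = bool(protection_body.get("required_status_checks"))
        result["signed_commits"] = bool((protection_body.get("required_signatures") or {}).get("enabled"))
        # In classic protection these are "allow" flags, so a blocked action is the absence of the flag.
        result["force_push_blocked"] = not (protection_body.get("allow_force_pushes") or {}).get("enabled", False)
        result["deletion_blocked"] = not (protection_body.get("allow_deletions") or {}).get("enabled", False)
    for rule in branch_rules:
        # Ruleset rules are positive statements: each rule type names a control that is enforced.
        rule_type = rule.get("type")
        params = rule.get("parameters") or {}
        if rule_type == "pull_request":
            result["required_reviews"] = max(result["required_reviews"],
                                             params.get("required_approving_review_count", 0))
        elif rule_type == "required_status_checks":
            result["status_checks"] = True
        elif rule_type == "required_signatures":
            result["signed_commits"] = True
        elif rule_type == "non_fast_forward":
            result["force_push_blocked"] = True
        elif rule_type == "deletion":
            result["deletion_blocked"] = True
    return result


def check_branch(owner_repo, branch="main", token=None):
    """Live check of a real repository (needs network; token optional for public repos)."""
    status, body = fetch_json(f"/repos/{owner_repo}/branches/{branch}/protection", token)
    _, rules = fetch_json(f"/repos/{owner_repo}/rules/branches/{branch}", token)
    return summarize(status, body if status == 200 else {}, rules if isinstance(rules, list) else [])


# Constructed sample responses: field names follow the API docs, values are invented.
SAMPLE_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 2},
    "required_status_checks": {"strict": True, "contexts": ["ci"]},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}
SAMPLE_RULES = [
    {"type": "pull_request", "ruleset_id": 1, "parameters": {"required_approving_review_count": 1}},
    {"type": "non_fast_forward", "ruleset_id": 1},
    {"type": "deletion", "ruleset_id": 1},
]

if __name__ == "__main__":
    # Same branch seen through the classic endpoint only, then through rulesets only:
    # a checker reading only the first endpoint would call the ruleset-protected branch unprotected.
    print("classic only :", summarize(200, SAMPLE_PROTECTION, []))
    print("ruleset only :", summarize(404, {}, SAMPLE_RULES))
    if os.environ.get("REPO"):
        print("live         :", check_branch(os.environ["REPO"], token=os.environ.get("GITHUB_TOKEN")))
```

Run it with no environment to see the two constructed cases side by side, or set `REPO=owner/name` (and optionally `GITHUB_TOKEN`) to query a real repository. The point the thread makes shows up in the `classic_protection` and `ruleset_protection` flags: a branch can have every control in place while the classic endpoint returns 404, which is exactly the case a protection-only checker cannot see.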
There's no urgent need for us to move off of branch protection - I'm fine with us closing out this issue.
Thank you everyone for your feedback!
We're currently using branch protection settings for PRs, but we could also consider migrating from branch protection to rulesets (https://github.com/ossf/tac/settings/rules).
Originally posted by @steiza in #252 (review)