Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ossf scorecard: Branch-Protection #660

Closed
pjbgf opened this issue Nov 10, 2021 · 10 comments · Fixed by kubernetes/test-infra#24517
Closed

ossf scorecard: Branch-Protection #660

pjbgf opened this issue Nov 10, 2021 · 10 comments · Fixed by kubernetes/test-infra#24517
Labels
area/security Issues or PRs related to security aspects of the operator kind/feature Categorizes issue or PR as related to a new feature.

Comments

@pjbgf
Copy link
Member

pjbgf commented Nov 10, 2021
edited
Loading

Description:

This issue is to drive discussion around the ossf scorecard results for the Branch-Protection section. This is part of improving the project's security posture #653.

The Branch-Protection section of the ossf scorecard highlights the hardening recommendations for GitHub branches. Some of them may conflict with parts of our CI/CD automation, which may mean we won't be able to mitigate.

Result: branch protection is not maximal on development and all release branches
Details:

    • Linear history disabled on branch 'main'
    • Status checks for merging disabled on branch 'main'
    • Stale review dismissal disabled on branch 'main'
    • Number of required reviewers is only 0 on branch 'main'
    • Owner review not required on branch 'main'
    • 'administrator' PRs are exempt from reviews on branch 'main'
@pjbgf pjbgf added the kind/feature Categorizes issue or PR as related to a new feature. label Nov 10, 2021
@pjbgf
Copy link
Member Author

pjbgf commented Nov 10, 2021

@saschagrunert here's my views/questions on the 6 points:

  1. I can't think of any issues enabling linear history for the master branch. What do you think?
  2. This is a false positive, as status checks are enabled for master. No action required here.
  3. The state dismissal can be a problem for us whilst we have some long running/flake tests. I think we could keep as is and review it after further improvements on test suite.
  4. / 5. / 6. This may be due to the fact that "Include Administrators" is disabled - probably the same is for number 2. Do you think doing the below may break our merge automation?
    • Enable Include Administrators
    • Enable Require a pull request before merging
    • Add k8s-ci-robot to Restrict who can push to matching branches

@pjbgf pjbgf added the area/security Issues or PRs related to security aspects of the operator label Nov 10, 2021
@saschagrunert
Copy link
Member

saschagrunert commented Nov 10, 2021
edited
Loading

  1. I can't think of any issues enabling linear history for the master branch. What do you think?

We already have it enabled, right? :)

  1. This is a false positive, as status checks are enabled for master. No action required here.

Agree 👍

  1. The state dismissal can be a problem for us whilst we have some long running/flake tests. I think we could keep as is and review it after further improvements on test suite.

About which kind of dismissal are we speaking about here? Something like the integration of a stale bot?

Edit: Ah the review dismissal. I'm not sure if the bot removes the lgtm / approve labels when the review gets dismissed.

  1. / 5. / 6. This may be due to the fact that "Include Administrators" is disabled - probably the same is for number 2. Do you think doing the below may break our merge automation?

    • Enable Include Administrators
    • Enable Require a pull request before merging
    • Add k8s-ci-robot to Restrict who can push to matching branches

We could give it a try! :)

@saschagrunert
Copy link
Member

@pjbgf changed the branch protection rule for master, let's see what it breaks.

@pjbgf
Copy link
Member Author

pjbgf commented Nov 11, 2021

@saschagrunert nice one, let's hope it all works out.

By the way, the linear history for master branch still shows as disabled for me:
image

So we are probably not refering to the same thing. :)

@jhrozek
Copy link
Contributor

jhrozek commented Nov 11, 2021 via email

@saschagrunert
Copy link
Member

@pjbgf I changed it to require a linear history.

It looks like that the other options from the branch protection were gone, so I hope that there is nothing like a nightly sync which enforces a certain branch protection ruleset within this org.

@pjbgf pjbgf mentioned this issue Dec 1, 2021
Merged
@pjbgf pjbgf reopened this Dec 1, 2021
@pjbgf
Copy link
Member Author

pjbgf commented Dec 1, 2021
edited
Loading

Will keep open until the desired state can be manually confirmed.

@pjbgf
Copy link
Member Author

pjbgf commented Dec 1, 2021

But we don't have those horrible merge commits that GH uses by default for whatever silly reason. Isn't that it?

@jhrozek sorry missed your message here. But I also did not understand exactly what do you mean here, can you clarify please?

@pjbgf
Copy link
Member Author

pjbgf commented Dec 1, 2021

After a delay the changes were applied:

image

image

Let's keep an eye in the comming days as to the impact this may have.
Closing it for the time being.

@pjbgf pjbgf closed this as completed Dec 1, 2021
@pjbgf pjbgf mentioned this issue Dec 1, 2021
Closed
10 tasks
@jhrozek
Copy link
Contributor

jhrozek commented Dec 1, 2021

But we don't have those horrible merge commits that GH uses by default for whatever silly reason. Isn't that it?

@jhrozek sorry missed your message here. But I also did not understand exactly what do you mean here, can you clarify please?

No problem, I probably meant something else than you, Sascha and the scorecard meant. I thought we already did have linear history because I don't see merge commits in SPO like I see e.g. in selinuxd (https://github.com/containers/selinuxd/commits/main)

@pjbgf pjbgf mentioned this issue Dec 5, 2021
Merged
@palnabarun palnabarun mentioned this issue Dec 8, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/security Issues or PRs related to security aspects of the operator kind/feature Categorizes issue or PR as related to a new feature.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update repo settings for security-profiles-operator
3 participants
@saschagrunert @jhrozek @pjbgf