Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a new project root-signing-staging #351

Merged
merged 1 commit into from
Oct 25, 2023
Merged

Add a new project root-signing-staging #351

merged 1 commit into from
Oct 25, 2023
+61 −0

Conversation

jku
Copy link
Member

@jku jku commented Oct 17, 2023

Summary

Add new repository root-signing-staging, see #345 for details.

Fixes #345 (although further tweaks may be required: we'll see how the bot permissions match what tuf-on-ci expects, and what is needed to configure Pages publishing from GH actions).

@jku
Add a new project root-signing-staging
3c29298 
Fixes sigstore#345 (although further tweaks may be required: we'll see how the
bot permissions match what tuf-on-ci expects, and what is needed to
configure Pages publishing from GH actions).

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
@github-actions
Copy link

🍹 preview on sigstore-github-sync/sigstore/github-prod

Pulumi report 
Previewing update (sigstore/github-prod)

View Live: https://app.pulumi.com/sigstore/sigstore-github-sync/github-prod/previews/b4d8c529-8656-4388-bf75-36fd84f94e70

@ Previewing update......
pulumi:pulumi:Stack: (same)
[urn=urn:pulumi:github-prod::sigstore-github-sync::pulumi:pulumi:Stack::sigstore-github-sync-github-prod]
@ Previewing update....
+ github:index/repository:Repository: (create) 🔒
    [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/repository:Repository::root-signing-staging]
    allowAutoMerge          : false
    allowMergeCommit        : true
    allowRebaseMerge        : false
    allowSquashMerge        : false
    archived                : false
    autoInit                : false
    deleteBranchOnMerge     : false
    description             : "Staging TUF repository for Sigstore trust root"
    hasDiscussions          : false
    hasDownloads            : false
    hasIssues               : true
    hasProjects             : false
    hasWiki                 : false
    homepageUrl             : ""
    isTemplate              : false
    licenseTemplate         : ""
    mergeCommitMessage      : "PR_TITLE"
    mergeCommitTitle        : "MERGE_MESSAGE"
    name                    : "root-signing-staging"
    squashMergeCommitMessage: "COMMIT_MESSAGES"
    squashMergeCommitTitle  : "COMMIT_OR_PR_TITLE"
    topics                  : []
    visibility              : "public"
    vulnerabilityAlerts     : true
+ github:index/branchDefault:BranchDefault: (create)
    [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchDefault:BranchDefault::root-signing-staging]
    branch    : "main"
    rename    : false
    repository: "root-signing-staging"
+ github:index/branchProtection:BranchProtection: (create)
    [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::root-signing-staging-main]
    allowsDeletions              : false
    allowsForcePushes            : false
    blocksCreations              : false
    enforceAdmins                : true
    lockBranch                   : false
    pattern                      : "main"
    pushRestrictions             : [
        [0]: "T_kwDOBDzYIc4AhiMd"
        [1]: "MDQ6VXNlcjg2ODM3MzY5"
    ]
    repositoryId                 : output<string>
    requireConversationResolution: false
    requireSignedCommits         : false
    requiredLinearHistory        : true
    requiredPullRequestReviews   : [
        [0]: {
            dismissStaleReviews         : true
            dismissalRestrictions       : [
                [0]: "T_kwDOBDzYIc4AhiMd"
            ]
            requireCodeOwnerReviews     : false
            requireLastPushApproval     : true
            requiredApprovingReviewCount: 1
            restrictDismissals          : true
        }
    ]
    requiredStatusChecks         : [
        [0]: {
            contexts  : []
            strict    : false
        }
    ]
+ github:index/repositoryCollaborator:RepositoryCollaborator: (create)
    [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/repositoryCollaborator:RepositoryCollaborator::root-signing-staging-sigstore-review-bot]
    permission               : "push"
    permissionDiffSuppression: false
    repository               : "root-signing-staging"
    username                 : "sigstore-review-bot"
+ github:index/repositoryCollaborator:RepositoryCollaborator: (create)
    [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/repositoryCollaborator:RepositoryCollaborator::root-signing-staging-sigstore-bot]
    permission               : "push"
    permissionDiffSuppression: false
    repository               : "root-signing-staging"
    username                 : "sigstore-bot"
+ github:index/teamRepository:TeamRepository: (create)
    [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/teamRepository:TeamRepository::root-signing-staging-tuf-root-signing-staging-codeowners]
    permission: "maintain"
    repository: "root-signing-staging"
    teamId    : "8790813"
+ github:index/teamRepository:TeamRepository: (create)
    [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/teamRepository:TeamRepository::root-signing-staging-triage]
    permission: "triage"
    repository: "root-signing-staging"
    teamId    : "5643322"
+ github:index/teamRepository:TeamRepository: (create)
    [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/teamRepository:TeamRepository::root-signing-staging-sigstore-oncall]
    permission: "push"
    repository: "root-signing-staging"
    teamId    : "6693572"
+ github:index/branchProtection:BranchProtection: (create)
    [urn=urn:pulumi:github-prod::sigstore-github-sync::github:index/branchProtection:BranchProtection::root-signing-staging-publish]
    allowsDeletions              : false
    allowsForcePushes            : false
    blocksCreations              : false
    enforceAdmins                : true
    lockBranch                   : false
    pattern                      : "publish"
    pushRestrictions             : [
        [0]: "MDQ6VXNlcjg2ODM3MzY5"
    ]
    repositoryId                 : output<string>
    requireConversationResolution: false
    requireSignedCommits         : false
    requiredLinearHistory        : true
    requiredPullRequestReviews   : [
        [0]: {
            dismissStaleReviews         : true
            dismissalRestrictions       : []
            requireCodeOwnerReviews     : false
            requireLastPushApproval     : true
            requiredApprovingReviewCount: 1
            restrictDismissals          : true
        }
    ]
    requiredStatusChecks         : [
        [0]: {
            contexts  : []
            strict    : false
        }
    ]
@ Previewing update....
Resources:
+ 9 to create
570 unchanged

@jku jku mentioned this pull request Oct 17, 2023
Closed
haydentherapper
haydentherapper reviewed Oct 18, 2023
View reviewed changes
github-sync/github-data/sigstore/repositories.yaml
allowAutoMerge: false
allowMergeCommit: true
allowRebaseMerge: false
allowSquashMerge: false
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you want to allow squash merges? I typically disable merge commits to keep the history clean, allow squash, and allow auto merge.

Copy link
Member Author

@jku jku Oct 18, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not 100% sure but I don't think I do...commits in signing event PRs are meaningful as they come from multiple sources(different signers, repository workflow, etc). Squashing them would look confusing IMO

github-sync/github-data/sigstore/repositories.yaml
allowSquashMerge: false
archived: false
autoInit: false
deleteBranchOnMerge: false
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does automation need a static branch, or does it create new branches frequently? Might want this on.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not that frequently, but a branch per signing event. I would maybe rather start with not deleting branches for easier forensics

@jku
Copy link
Member Author

jku commented Oct 25, 2023

Gentle ping on this one. Like I said I'm not 100% confident this configuration is exactly correct but it's as close as I can get it: I believe we need to try and see how it goes. If you have questions, let me know.

cc @cpanato who seems to do a lot around here or I guess the tsc folks @bobcallaway @trevrosen @lukehinds @priyawadhwa @SantiagoTorres ?

@trevrosen
Copy link
Contributor

Yeah this looks fine, let's give it a shot and iterate as we need to.

@haydentherapper
Copy link
Contributor

Can a TSC member merge this?

@priyawadhwa priyawadhwa merged commit 0d7cb9c into sigstore:main Oct 25, 2023
@jku jku mentioned this pull request Oct 26, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haydentherapper haydentherapper haydentherapper left review comments

@bobcallaway bobcallaway bobcallaway approved these changes

@trevrosen trevrosen trevrosen approved these changes

@priyawadhwa priyawadhwa Awaiting requested review from priyawadhwa

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

New project root-signing-staging
5 participants
@jku @trevrosen @haydentherapper @bobcallaway @priyawadhwa