Conversation
|
@jentfoo @reedloden A side effect of this change would be that the original PR creator could technically approve their own backport PR because it will be opened by the bot account. We would still require the 2nd approval. Just want to make sure it's fine from the compliance perspective like SOC2, etc. |
|
@r0mant, brainstorming, what if we protected the automatic backport branches so that custom changes can't be pushed to them? If that's reasonable then I don't think there is any concerns, since we have control over what content can be in the PR. |
|
@jentfoo Yeah, we can create a branch protection rule that will require a pull request to merge to |
|
@jentfoo Before I do it though: do we have to do it? I.e. my question was, will we actually violate any compliance provisions if we don't protect backport branches? Just trying to not introduce any extra barriers for the team unless really necessary. |
|
From a purely compliance standpoint, as long as we have at least one peer review (as in, review from an authorized non-bot approver who is not the code author), we're fine. The two separate reviews is a goal, but not a hard requirement. From a security standpoint, adding branch protections is the right call. Lack of branch protections has bitten us in the past, and I'm concerned what would happen if a non-bot user pushed branches that matched the same pattern. How does the bot handle it if a branch already exists? What if somebody changes the underlying branch contents (at any time during the process)? As such, I'd prefer we add branch protections, as these are special branches and should be treated as such. |
|
@reedloden If non-bot user pushes |
3 participants
2 changes to the backport bot: