Branch protection issues with our settings for master and all 1.x branches except 1.8:
- settings do not apply to administrators on branch
- status checks do not require up-to-date branches
- 'last push approval' disabled
- number of required reviewers is only 1
- stale review dismissal disabled
For 1.x branches only, not master or 1.8, there is also this problem:
- 'force pushes' enabled on branch 'v1.2'
URLs for fixing:
- master: https://github.com/magma/magma/settings/branch_protection_rules/4282167
- 1.x branches except 1.8: https://github.com/magma/magma/settings/branch_protection_rules/17476757
Fixes:
- enable "Do not allow bypassing the above settings" (the UI describes this as: "The above settings will apply to administrators and custom roles with the 'bypass branch protections' permission.")
- enable "Require branches to be up to date before merging"
- enable "Require approval of the most recent reviewable push"
- (Note that I'm not suggesting setting "Required number of approvals before merging" to 2, because that bureaucracy wouldn't be a good thing).
- Enable "Dismiss stale pull request approvals when new commits are pushed"
- Disable "Allow force pushes"
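Added example, not code from the Magma project: a small Python audit of the JSON that `gh api repos/magma/magma/branches/master/protection` returns, flagging exactly the gaps listed above. The sample JSON is constructed to mirror those findings, and `min_reviewers` (default 1, matching the note about not requiring 2) is an assumed parameter.

```python
"""Audit a GitHub branch-protection API response against the settings requested above."""
import json

# Constructed sample (not a real capture): a branch showing every gap listed above.
SAMPLE_PROTECTION_JSON = """
{
  "enforce_admins": {"enabled": false},
  "required_status_checks": {"strict": false, "contexts": ["build"]},
  "required_pull_request_reviews": {
    "dismiss_stale_reviews": false,
    "required_approving_review_count": 1,
    "require_last_push_approval": false
  },
  "allow_force_pushes": {"enabled": true}
}
"""


def audit_branch_protection(protection: dict, min_reviewers: int = 1) -> list[str]:
    """Return human-readable findings; an empty list means the branch matches the desired settings."""
    findings = []
    # "Do not allow bypassing the above settings" maps to enforce_admins.enabled
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("settings do not apply to administrators")
    # "Require branches to be up to date before merging" maps to required_status_checks.strict
    checks = protection.get("required_status_checks") or {}
    if not checks.get("strict", False):
        findings.append("status checks do not require up-to-date branches")
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("pull request reviews are not required at all")
    else:
        if not reviews.get("require_last_push_approval", False):
            findings.append("'last push approval' disabled")
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("stale review dismissal disabled")
        if reviews.get("required_approving_review_count", 0) < min_reviewers:
            findings.append(f"fewer than {min_reviewers} required reviewers")
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("'force pushes' enabled")
    return findings


def audit_json(text: str, min_reviewers: int = 1) -> list[str]:
    """Convenience wrapper: parse the raw API output and audit it."""
    return audit_branch_protection(json.loads(text), min_reviewers)


if __name__ == "__main__":
    for finding in audit_json(SAMPLE_PROTECTION_JSON):
        print("-", finding)
```

Pipe real output in with `gh api repos/magma/magma/branches/master/protection | python audit.py` after swapping the sample for `sys.stdin.read()`.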
I propose that Magma should join the Open Source Security Foundation.
- Easy
- Free to non-profits
- Gets our logo on the home page
- Communicates that Magma cares about security
Need to confirm:
- Auth. Signatory contact: Will sign the agreement.
- Primary contact: For all notices, including voting.
- Billing contact: All invoices will be sent to this e-mail address unless the Member directs otherwise.
- Legal contact: This contact should be your primary in-house attorney for open source matters with respect to the Project. If you do not have in-house counsel, please leave this blank.
- PR contact: For approving press releases or quotes with respect to the Project.
The OpenSSF Scorecards work has an item that would ideally be fixed by doing some iterative work that would break the build as I was going along. I would need to set GITHUB_TOKEN permissions to read-only, run a test build, then re-enable writes on a job by job basis.
How do we work on the workflow files? Is there a sandbox?
Conversation notes: