@lucasgonze
Last active April 17, 2023 16:29
TSC Agenda Items 4/17/23

Branch Protection

Issues with our branch protection settings for master and all 1.x branches except 1.8:

  • settings do not apply to administrators on branch
  • status checks do not require up-to-date branches
  • 'last push approval' disabled
  • number of required reviewers is only 1
  • stale review dismissal disabled

For 1.x branches only, not master or 1.8, there is also this problem:

  • 'force pushes' enabled on branch 'v1.2'

URLs for fixing:

Fixes:

  • enable "Do not allow bypassing the above settings" (the UI explains this as: "The above settings will apply to administrators and custom roles with the 'bypass branch protections' permission.")
  • enable "Require branches to be up to date before merging"
  • enable "Require approval of the most recent reviewable push"
  • (Note that I'm not suggesting setting "Required number of approvals before merging" to 2, because that bureaucracy wouldn't be a good thing).
  • Enable "Dismiss stale pull request approvals when new commits are pushed"
  • Disable "Allow force pushes"
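To make the checklist above repeatable, here is an added audit script (not part of this gist) that evaluates a branch-protection object against each item and returns what still needs fixing. The field names are assumed from the GitHub REST API response for GET /repos/{owner}/{repo}/branches/{branch}/protection, and the sample data is constructed to mirror the 'v1.2' state described above.

```python
import copy

# Field names assumed from the GitHub REST API branch-protection response;
# verify against the API docs before relying on them. Sample data is constructed.
MIN_APPROVALS = 1  # the agenda keeps this at 1 rather than raising it to 2


def audit_branch_protection(branch: str, protection: dict) -> list[str]:
    """Return one finding per agenda item not satisfied; [] means compliant."""
    findings = []
    reviews = protection.get("required_pull_request_reviews") or {}
    checks = protection.get("required_status_checks") or {}
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append(f"{branch}: settings do not apply to administrators")
    if not checks.get("strict"):
        findings.append(f"{branch}: status checks do not require up-to-date branches")
    if not reviews.get("require_last_push_approval"):
        findings.append(f"{branch}: 'last push approval' disabled")
    if reviews.get("required_approving_review_count", 0) < MIN_APPROVALS:
        findings.append(f"{branch}: fewer than {MIN_APPROVALS} required reviewer(s)")
    if not reviews.get("dismiss_stale_reviews"):
        findings.append(f"{branch}: stale review dismissal disabled")
    if (protection.get("allow_force_pushes") or {}).get("enabled"):
        findings.append(f"{branch}: 'force pushes' enabled")
    return findings


def apply_fixes(protection: dict) -> dict:
    """Return a copy with the 'Fixes' list applied; approval count is left alone."""
    fixed = copy.deepcopy(protection)
    fixed.setdefault("enforce_admins", {})["enabled"] = True
    fixed.setdefault("required_status_checks", {})["strict"] = True
    reviews = fixed.setdefault("required_pull_request_reviews", {})
    reviews["require_last_push_approval"] = True
    reviews["dismiss_stale_reviews"] = True
    reviews.setdefault("required_approving_review_count", MIN_APPROVALS)
    fixed.setdefault("allow_force_pushes", {})["enabled"] = False
    return fixed


# Constructed sample mirroring the 'v1.2' state described in the agenda.
SAMPLE_V12 = {
    "enforce_admins": {"enabled": False},
    "required_status_checks": {"strict": False, "contexts": ["build"]},
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": False,
        "require_last_push_approval": False,
    },
    "allow_force_pushes": {"enabled": True},
}

if __name__ == "__main__":
    print(audit_branch_protection("v1.2", SAMPLE_V12))
    print(audit_branch_protection("v1.2", apply_fixes(SAMPLE_V12)))
```

Feeding it the JSON returned by the real API for each protected branch turns the agenda into a check that can run in CI.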

OpenSSF Membership

I propose that Magma should join the Open Source Security Foundation.

  • Easy
  • Free to non-profits
  • Gets our logo on the home page
  • Communicates that Magma cares about security

Need to confirm:

  • Auth. Signatory contact: Will sign the agreement.
  • Primary contact: For all notices, including voting.
  • Billing contact: All invoices will be sent to this e-mail address unless the Member directs otherwise.
  • Legal contact: This contact should be your primary in-house attorney for open source matters with respect to the Project. If you do not have in-house counsel, please leave this blank.
  • PR contact: For approving press releases or quotes with respect to the Project.

Engineering Question: Debugging Workflows

The OpenSSF Scorecards work has an item that would ideally be fixed by doing some iterative work that would break the build as I was going along. I would need to set GITHUB_TOKEN permissions to read-only, run a test build, then re-enable writes on a job-by-job basis.

How do we work on the workflow files? Is there a sandbox?

@lucasgonze

Conversation notes:

  • Branch protection items were discussed one-by-one, with consensus recorded for each item using a checkbox in the scorecard ticket
  • Joining OpenSSF had strong consensus
  • For the workflow conversation it was suggested (I think by Yogesh) that Lucas should post to the devops channel in Slack
