release security improvements #894
Comments
Note that this is something I've not used myself so I don't know 100% how this works: I assume it only means the workflow ref needs to be part of the branch but the docs are not clear.
There's indeed a few wrinkles here:
Alternative solution: Use release environment to ensure deployment review (deployment reviewers should make sure the code comes from reviewed branches):

Final wrinkle: this is not available via Pulumi (so even if we added support for deployment environments to sigstore/github-sync, we could not set that boolean argument via Pulumi: this requires an actual admin fiddling with the repository settings)
What a mess 🙂
This sounds good to me. For some reason I could have sworn we already had a release environment including mandatory sign-offs, but maybe it got reverted as part of a Pulumi refresh at some point.

Update on GitHub environment situation: Pulumi now supports the no self-review option for environments.

Plan

Our release environment should
Other changes:
I think that should do it?

Options for handling the environment setup

@haydentherapper I'm leaning towards manual config here: I can also spend some time on release environment support in github-sync if you think other sigstore projects will need it...

We had thought about something similar in protobuf-specs, so we could reuse it there. If this is a significant amount of work though, just manually configuring it (with documentation ideally so we can replicate it) sounds good.
PyPI releases currently happen based on GitHub release. GitHub releases can be made from unreviewed commits in unprotected branches by just a single maintainer (see #893).
A possible improvement is to use GitHub Environments to make sure deployment to PyPI is only possible from protected branches:
main and series/* are all protected branches with required PRs and reviews. This should make sure that releases cannot be made from code that has not been reviewed.
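The following is an added example of the gating the issue proposes, not the project's own release workflow. It assumes a GitHub Environment named `release` has been created in the repository settings with its deployment branches limited to protected branches (here `main` and `series/*`), with required reviewers and self-review disabled, and that PyPI Trusted Publishing is configured for the repository; the job names, the `dist` artifact name and the project URL placeholder are illustrative.

```yaml
# Added example (not the sigstore-python project's own workflow).
# Assumptions: an environment named "release" exists in repository settings with
#   - "Deployment branches" limited to protected branches (main, series/*),
#   - required reviewers, with self-review disabled,
# and PyPI Trusted Publishing is configured for this repository.
name: release

on:
  release:
    types: [published]   # releases are the trigger, as the issue describes

permissions: {}   # default-deny at the workflow level; jobs opt in below

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: python -m pip install --upgrade build
      - run: python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: [build]
    runs-on: ubuntu-latest
    # Binding the job to the "release" environment is what enforces the
    # protection rules: GitHub holds the job until a required reviewer (other
    # than the person who triggered it, when self-review is disabled) approves,
    # and refuses it if the ref is not covered by the environment's deployment
    # branch policy. Neither check is expressed in this file; they live in the
    # environment's settings, which is why an admin has to configure them.
    environment:
      name: release
      url: https://pypi.org/project/<project-name>/   # placeholder
    permissions:
      id-token: write   # short-lived OIDC token for PyPI Trusted Publishing
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
```

Two things worth checking before relying on this. First, the `publish` job only does what the page describes if the environment's deployment branch policy is actually set to "protected branches", and that setting is checked against the ref the workflow runs for; since a release-triggered run starts from a tag rather than a branch, and the thread itself notes the docs are unclear on exactly how that is evaluated, confirm the behaviour with a test release on a non-protected ref and make sure the job is refused. Second, keep the `id-token: write` permission on the gated job only, so the publishing credential is never minted in a job that runs without the environment's review and branch checks.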