root-signing: Prepare for tuf-on-ci migration (#451)
* root-signing: Prepare for tuf-on-ci migration

As part of sigstore/root-signing#1247
root-signing requires some project setting changes:
* Allow and encourage merge commits: signing event branches are
  collaboration branches where individual commits have different
  authors and actual meaning.
* Do not require linear history: signing events make sense as slightly
  longer lived branches: preserving this history makes sense
* Remove two required checks that are replaced by tuf-on-ci checks
  (which can be made required in a later commit)
* Add branch protection for "publish"
* Modify branch protection for "main":
  * Remove sigstore-keyholders from pushRestrictions list: this looks
    like a mistake, keyholders should not have permissions for main
  * Add sigstore-bot as a PR bypasser (this is how online signing
    happens)

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

* root-signing: Also remove dismissal permissions from keyholders

It looks like the team may not even be needed in the end so it makes sense
to remove this fairly inconsequential permission as well.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

---------

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
jku authored Jun 20, 2024
1 parent 2968324 commit 7bcd31b
Showing 1 changed file with 24 additions and 9 deletions.
33 changes: 24 additions & 9 deletions github-sync/github-data/sigstore/repositories.yaml
Expand Up @@ -1396,13 +1396,13 @@ repositories:
webCommitSignoffRequired: true
- name: root-signing
owner: sigstore
description: ""
description: "TUF repository for Sigstore trust root"
homepageUrl: ""
defaultBranch: main
allowAutoMerge: true
allowMergeCommit: false
allowRebaseMerge: true
allowSquashMerge: true
allowMergeCommit: true
allowRebaseMerge: false
allowSquashMerge: false
archived: false
autoInit: false
deleteBranchOnMerge: true
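Review bot: the commit message says merge commits are "allowed and encouraged", but this hunk also flips `allowRebaseMerge` and `allowSquashMerge` to `false`, which makes merge commits the only merge method on root-signing rather than a preferred one. If that is the intent (so that per-commit authorship and signoffs on signing-event branches can never be collapsed by a squash), say so explicitly in the message; otherwise keep one of the two at `true`. Note that `allowAutoMerge: true` is retained, so auto-merge will now always produce a merge commit.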
Expand Down Expand Up @@ -1437,7 +1437,7 @@ repositories:
enforceAdmins: true
allowsDeletions: false
allowsForcePushes: false
requiredLinearHistory: true
requiredLinearHistory: false
dismissStaleReviews: true
requiredApprovingReviewCount: 1
requireLastPushApproval: true
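Review bot: `requiredLinearHistory: false` is not just a preference here but a requirement: with squash and rebase merges disabled in the same change, a linear-history rule would reject every merge commit and block all PRs to `main`. Worth stating that dependency in the commit message so a later change does not re-enable linear history in isolation.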
Expand All @@ -1447,16 +1447,31 @@ repositories:
- yamllint
- test
- lint
- validate
- client
pushRestrictions:
- tuf-root-signing-codeowners
- sigstore-keyholders
- sigstore-bot
- sigstore-review-bot
dismissalRestrictions:
- tuf-root-signing-codeowners
- sigstore-keyholders
pullRequestBypassers:
- sigstore-bot
- pattern: publish
enforceAdmins: true
allowsDeletions: false
allowsForcePushes: false
requiredLinearHistory: false
dismissStaleReviews: true
requiredApprovingReviewCount: 1
requireLastPushApproval: true
restrictDismissals: true
pushRestrictions:
- tuf-root-signing-codeowners
- sigstore-bot
- sigstore-review-bot
dismissalRestrictions:
- tuf-root-signing-codeowners
pullRequestBypassers:
- sigstore-bot
- pattern: test-ceremony/*
enforceAdmins: true
allowsDeletions: false
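Review bot: removing the `validate` and `client` required checks on `main` before the replacement tuf-on-ci checks are made required (deferred "to a later commit" per the message) leaves a window in which only `yamllint`, `test` and `lint` gate merges to the trust-root repository; consider landing the new required checks in the same change or at least naming the follow-up. Separately, `sigstore-bot` now appears in both `pushRestrictions` and `pullRequestBypassers` for `main` and for the new `publish` rule, so the bot can push and merge on both branches with no human approval despite `requiredApprovingReviewCount: 1`, and `publish` lists no `requiredStatusChecks` at all. That is consistent with the stated online-signing flow, but it means the bot credential is the effective control on both branches, which deserves a sentence in the message and a pointer to how that identity is protected.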
