
Branch Protection Breaks Validation, Conversion, and Publication Automation

Open ohsh6o opened this issue 4 years ago • 3 comments

Describe the bug

Enabling GitHub branch protection blocks the oscalbuilder automation user that NIST and FedRAMP use to automate validation and conversion of artifacts.

This is recommended for version control considerations with ATO in mind for the GSA TTS ATO process (not specific to any sensitivity level), but will break our build process.

Who is the bug affecting?

FedRAMP CI/CD processes and organizational risk management and security engineering considerations.

What version of OSCAL are you using? (Check our info on supported OSCAL versions)

v1.0.0 pinned under current submodule.

What is affected by this bug?

FedRAMP Automation Team

When does this occur?

When FAT developers or 10x ASAP validation developers merge code, the subsequent automated artifact build will fail.

How do we replicate the issue?

  1. Merge any pull request to master.

Expected behavior (i.e. solution)

The automated oscalbuilder process through Github Actions will not be rejected by branch protections.

ohsh6o avatar Jul 02 '21 17:07 ohsh6o

Per conversation with Dave, perhaps consider converting to an automation user opening a PR and not just auto-committing if there is a concern with that kind of thing.

ohsh6o avatar Jul 07 '21 19:07 ohsh6o
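As an added illustration of the alternative proposed in the comment above, and not a workflow taken from the fedramp-automation repository, the two GitHub Actions fragments below contrast a job that commits regenerated artifacts straight to the protected branch with one that pushes to a working branch and opens a pull request through the GitHub CLI. The `./build.sh` step, the `dist/` path, the `automation/oscalbuilder-*` branch name and the committer e-mail are placeholders; everything else (`actions/checkout`, the `permissions` block, `gh pr create`, the `github.token`, `github.run_id` and `github.sha` contexts) is standard GitHub Actions usage.

```yaml
# Added example, hypothetical workflow; not the project's own CI configuration.
#
# Variant A: commit the build output directly to the protected branch.
# Once branch protection is enabled on master, the push from the automation
# identity is rejected and the job fails, which is the breakage this issue reports.
name: build-artifacts-direct-push
on:
  push:
    branches: [master]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - name: Build validation and conversion artifacts
        run: ./build.sh                      # placeholder for the real build step
      - name: Commit results back to master
        run: |
          git config user.name "oscalbuilder"
          git config user.email "oscalbuilder@example.invalid"   # placeholder address
          git add dist/
          git diff --cached --quiet && exit 0                    # nothing regenerated
          git commit -m "Update generated artifacts"
          git push origin HEAD:master          # rejected by branch protection
---
# Variant B (a separate workflow file): push to a throwaway branch and open a
# pull request, so generated changes reach master only through the same review
# gate that applies to human contributors, and branch protection can stay on.
name: build-artifacts-open-pr
on:
  push:
    branches: [master]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write          # push the working branch
      pull-requests: write     # open the PR
    steps:
      - uses: actions/checkout@v4
      - name: Build validation and conversion artifacts
        run: ./build.sh                      # placeholder for the real build step
      - name: Open a pull request with the regenerated artifacts
        env:
          GH_TOKEN: ${{ github.token }}                       # read by the gh CLI
          BRANCH: automation/oscalbuilder-${{ github.run_id }}  # unique per run
        run: |
          git config user.name "oscalbuilder"
          git config user.email "oscalbuilder@example.invalid"   # placeholder address
          git checkout -b "$BRANCH"
          git add dist/
          # Exit quietly when the build changed nothing; this also stops the
          # merge of a previous automation PR from spawning an endless chain of PRs.
          git diff --cached --quiet && exit 0
          git commit -m "Update generated artifacts"
          git push origin "$BRANCH"
          gh pr create --base master --head "$BRANCH" \
            --title "Update generated artifacts" \
            --body "Automated build of ${{ github.sha }}"
```

Variant B keeps the automation identity out of the set of principals allowed to bypass protection: the bot can only propose changes, and the required reviews and status checks on master still apply to its pull request. Two practical caveats for anyone adopting the pattern: pushes and PRs made with the built-in `GITHUB_TOKEN` do not trigger further workflow runs, so any validation that should run on the bot's PR needs an alternative trigger or a separate credential; and a PR opened by the workflow still needs a human (or a deliberately scoped automerge rule) to merge it, which is the trade-off the comment above is weighing.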

Given discussion in GSA TTS Slack about prevailing guidance re this approach, move back until further examination of alternate auth schemes for the git commit action we use to push changes can be performed.

ohsh6o avatar Jul 28 '21 05:07 ohsh6o

Leaving open at this point until resolution in alignment with NIST CI/CD workflows.

volpet2014 avatar Mar 28 '23 18:03 volpet2014