
Can't use branch protections when Actions make commits

Open benr opened this issue 2 years ago • 3 comments

Branch protections on main to enforce reviews, signing, etc., prevent Actions from making commits themselves. Example: https://github.com/mondoohq/installer/actions/runs/5672631904/job/15372275772#step:3:72

benr avatar Jul 26 '23 20:07 benr

See some threads on the topic:

  • https://github.com/orgs/community/discussions/25305
  • https://github.com/orgs/community/discussions/13836

There are a couple of possible solutions.

benr avatar Jul 26 '23 20:07 benr

These are the following cases in which Actions commit back to the repo:

  1. PowerShell Signing
  2. VERSION file update

For PowerShell, one option is to remove the signatures from the script and only add the signed scripts to a release. This would mean some pain for anyone with automation currently expecting them in main.

For VERSION, the only place it is actively used is in the Makefile. This should be changed to use the release version instead, i.e.: $(curl -s https://api.github.com/repos/mondoohq/installer/releases/latest | jq -r '.tag_name' | tr -d v)

benr avatar Oct 23 '23 21:10 benr
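
The release-based version lookup suggested in the comment above, as an added example that is not part of the original thread or the project's Makefile. It validates the tag before a build uses it; the function names and the `vMAJOR.MINOR.PATCH` tag format are assumptions (the format is implied by the `tr -d v` in the thread).

```shell
#!/bin/sh
# Added example; not code from the mondoohq/installer repository.
# Assumption: release tags look like "v1.2.3".

# version_from_tag TAG
# Prints "1.2.3" for "v1.2.3" (or "1.2.3"); returns 1 for anything else.
version_from_tag() {
    tag=$1
    # jq -r prints the literal string "null" when .tag_name is missing, e.g.
    # when the API answers with an error object instead of a release.
    case $tag in
        ''|null) return 1 ;;
    esac
    ver=${tag#v}   # strip one leading "v" only; `tr -d v` deletes every "v"
    # Reject any character other than digits and dots (this also rejects newlines).
    case $ver in
        *[!0-9.]*) return 1 ;;
    esac
    # Require exactly MAJOR.MINOR.PATCH so nothing else reaches the Makefile.
    printf '%s\n' "$ver" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || return 1
    printf '%s\n' "$ver"
}

# latest_release_version
# Queries the API URL quoted in the thread; needs curl and jq.
# With -f, curl emits no body on an HTTP error, so the tag comes back empty
# and version_from_tag rejects it instead of the build using a bogus version.
latest_release_version() {
    tag=$(curl -fsS https://api.github.com/repos/mondoohq/installer/releases/latest \
        | jq -r '.tag_name') || return 1
    version_from_tag "$tag"
}
```

A Makefile can call `latest_release_version` through `$(shell ...)` and stop the build when it returns non-zero.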

https://github.blog/changelog/2022-08-18-bypass-branch-protections-with-a-new-permission/ requires Enterprise :(

Even making mondoo-tools an admin user didn't allow it to bypass protection rules. :(

benr avatar Oct 23 '23 22:10 benr