Add `github-actions[bot]` to EasyCLA allowlist

Open dyladan opened this issue 2 years ago • 13 comments

Similar to https://github.com/open-telemetry/community/issues/306 which was resolved by @lizthegrey making a request to the CNCF: https://jira.linuxfoundation.org/servicedesk/customer/portal/4/SUPPORT-1388

I would make a similar request myself (as a member of the GC) but I'm honestly not sure if I have the authority to do so without official approval of the GC or TC.

Example PR with failing CLA https://github.com/open-telemetry/opentelemetry-js/pull/2409

dyladan avatar Aug 11 '21 18:08 dyladan

@open-telemetry/governance-committee can we get a vote please?

lizthegrey avatar Aug 16 '21 15:08 lizthegrey

That's certainly unanimous. Submitting ticket. https://jira.linuxfoundation.org/plugins/servlet/theme/portal/4/SUPPORT-6356

lizthegrey avatar Aug 16 '21 17:08 lizthegrey

Is there any update on this?

dyladan avatar Aug 23 '21 15:08 dyladan

EasyCLA ticket marked as work in progress

lizthegrey avatar Aug 23 '21 15:08 lizthegrey

Should I be worried the CNCF might deny this request? I hadn't expected it to take more than a week after the ticket was created in their system.

dyladan avatar Aug 24 '21 19:08 dyladan

No, they just have never had a request for github-actions[bot] to be exempted whereas they have had dependabot added before.

lizthegrey avatar Aug 25 '21 15:08 lizthegrey

Here's the answer as to why this is complex:

Typically when we approve a bot under EasyCLA, we are able to use the bot name and GitHub ID as the identifier to approve on a per-CLA-group basis, because the bots approved have a predefined scope of actions. The issue is that if we approve this set of actions for your repo, then that would potentially approve any set of actions created for any repos under the CNCF CLA group. We are currently working through how we can do this for you, but if you have any suggestions, please feel free to make them!

lizthegrey avatar Aug 25 '21 20:08 lizthegrey

It might turn out not to matter. The branch protection rules added automatically by CNCF are actually blocking this and other use-cases. Unless we can get that resolved, we will have to figure out some workaround to create releases on a fork or something anyway.

dyladan avatar Aug 26 '21 21:08 dyladan

I can disable the branch protection rule enforcement.

lizthegrey avatar Aug 26 '21 21:08 lizthegrey

@lizthegrey any update on this?

bogdandrutu avatar Jan 05 '22 19:01 bogdandrutu

> The issue is that if we approve this set of actions for your repo, then that would potentially approve any set of actions created for any repos under the CNCF CLA group.

To address this concern, is it an option to create our own bot account(s), scoped either to opentelemetry, or even to a specific opentelemetry repository?

trask avatar Jan 18 '22 06:01 trask

Yes, that would be better, then CNCF could approve that specific bot.

lizthegrey avatar Jan 19 '22 03:01 lizthegrey

So the workaround is to register a user in GitHub, give that user permission, and generate a token to perform actions on behalf of that user. CNCF can then allowlist the user as a bot user.

dyladan avatar Jan 19 '22 14:01 dyladan
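A workflow sketch of that workaround, added here as an example and not code from the OpenTelemetry project: the job checks out, commits and pushes with a token belonging to a dedicated bot account, so the commits and the resulting PR are attributed to that allowlisted user instead of `github-actions[bot]`. The secret name `RELEASE_BOT_TOKEN`, the account name `otel-release-bot` and its noreply address are assumptions; the token is assumed to be a fine-grained personal access token restricted to this one repository with only the contents and pull-requests permissions the job needs.

```yaml
name: release-pr-as-bot

on:
  workflow_dispatch:

# The built-in GITHUB_TOKEN is never used for writes here, so it stays read-only;
# the only credential able to push is the bot account's repository-scoped token.
permissions:
  contents: read

jobs:
  release-pr:
    runs-on: ubuntu-latest
    env:
      # Hypothetical bot account registered for this purpose (assumed names).
      BOT_USER: otel-release-bot
      BOT_EMAIL: otel-release-bot@users.noreply.github.com
      BRANCH: release/bot-${{ github.run_id }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Hypothetical secret holding the bot account's fine-grained PAT.
          # Pushes made with this token are attributed to the bot user.
          token: ${{ secrets.RELEASE_BOT_TOKEN }}
          fetch-depth: 0

      - name: Commit release changes as the bot account
        run: |
          # Author and committer identity must match the allowlisted account,
          # since the CLA check looks up the author of each commit.
          git config user.name "$BOT_USER"
          git config user.email "$BOT_EMAIL"
          git checkout -b "$BRANCH"
          # Placeholder for the real release-preparation step (version bumps etc.).
          echo "Release prepared by $BOT_USER" >> RELEASE_NOTES.md
          git add RELEASE_NOTES.md
          git commit -m "chore: prepare release"
          git push --set-upstream origin "$BRANCH"

      - name: Open the pull request as the bot account
        env:
          # gh authenticates with GH_TOKEN, so the PR is opened by the bot user too.
          GH_TOKEN: ${{ secrets.RELEASE_BOT_TOKEN }}
        run: |
          gh pr create --base main --head "$BRANCH" \
            --title "chore: prepare release" \
            --body "Automated release PR opened by $BOT_USER."
```

Because the PAT is a long-lived credential, keep it in an environment secret with required reviewers and rotate it on a schedule, and prefer a fine-grained token over a classic one so a leak cannot reach other repositories in the organization.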