Add `github-actions[bot]` to EasyCLA allowlist
Similar to https://github.com/open-telemetry/community/issues/306 which was resolved by @lizthegrey making a request to the CNCF: https://jira.linuxfoundation.org/servicedesk/customer/portal/4/SUPPORT-1388
I would make a similar request myself (as a member of the GC) but I'm honestly not sure if I have the authority to do so without official approval of the GC or TC.
Example PR with failing CLA https://github.com/open-telemetry/opentelemetry-js/pull/2409
@open-telemetry/governance-committee can we get a vote please?
that's certainly unanimous. submitting ticket. https://jira.linuxfoundation.org/plugins/servlet/theme/portal/4/SUPPORT-6356
Is there any update on this?
EasyCLA ticket marked as work in progress
Should I be worried the CNCF might deny this request? I hadn't expected it to take more than a week after the ticket was created in their system.
No, they just have never had a request for github-actions[bot] to be exempted whereas they have had dependabot added before.
here's the answer as to why this is complex:
Typically when we approve a bot under EasyCLA, we are able to use the bot name and github id as the identifier to approve on a per cla group basis, because the bots approved have a predefined scope of actions. The issue is that if we approve this set of actions for your repo, then that would potentially approve any set of actions created for any repos under the CNCF cla group. We are currently working through how we can do this for you, but if you have any suggestions, please feel free to make them!
It might turn out not to matter. The branch protection rules added automatically by CNCF are actually blocking this and other use-cases. Unless we can get that resolved, we will have to figure out some workaround to create releases on a fork or something anyway.
I can disable the branch protection rule enforcement.
@lizthegrey any update on this?
> The issue is that if we approve this set of actions for your repo, then that would potentially approve any set of actions created for any repos under the CNCF cla group.
To address this concern, is it an option to create our own bot account(s), scoped either to opentelemetry, or even to a specific opentelemetry repository?
Yes, that would be better, then CNCF could approve that specific bot.
So the workaround is to register a user in GitHub, give that user permission, and generate a token to perform actions on behalf of that user. CNCF can then allowlist the user as a bot user.