
Migrate from branch protection to rulesets?

Open marcelamelara opened this issue 1 year ago • 5 comments

We're currently using branch protection settings for PRs, but we could also consider migrating from branch protection to rulesets (https://github.com/ossf/tac/settings/rules).

Originally posted by @steiza in https://github.com/ossf/tac/pull/252#pullrequestreview-1844136802

marcelamelara avatar Feb 05 '24 18:02 marcelamelara

I may have been too hasty! At some point in the future, GitHub should have a "click here to move your branch protection settings to rulesets" button. Unless someone wants to pick this up sooner than later, I think it'll be less work if we wait for the button.

steiza avatar Feb 20 '24 14:02 steiza

I like the EASY button

Cheers,

CRob, Director of Security Communications, Intel Product Assurance and Security


SecurityCRob avatar Feb 20 '24 15:02 SecurityCRob

Is this a duplicate of 333 and can be closed out in this issue?

sevansdell avatar Jun 07 '24 00:06 sevansdell

One problem is that branch protection is easily verified, and Scorecard does this. Rulesets aren't. I didn't see an argument for the switch - why should we switch?

david-a-wheeler avatar Aug 20 '24 15:08 david-a-wheeler

Notes from TAC call where this was discussed:

  • Marcela, Mike and CRob will work this asynchronously
  • David: tools may need to be updated to reflect rulesets as well as branch protection. Currently, Scorecard only recognizes branch protection, as an example
  • Mike: Sometimes, rulesets applied at the company level aren't easily visible on projects via the API. He's dealing with this at his own company.

sevansdell avatar Aug 20 '24 15:08 sevansdell

@marcelamelara , @mlieberman85 and @SecurityCRob status update please!

sevansdell avatar Oct 15 '24 23:10 sevansdell

Thanks for the ping Sarah! This completely fell off my radar.

FWIW, here is the discussion on the rulesets vs branch protection: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets#about-rulesets-and-protected-branches

We may ultimately decide to shelve this and keep things as they are. But I think we have an opportunity here to revisit this and align with the security baseline as well. @SecurityCRob and @mlieberman85 wdyt?

marcelamelara avatar Oct 22 '24 23:10 marcelamelara

I think either one is easy. I think setting up rulesets is most powerful at the org level though. Given that our stuff is fairly straightforward as far as branches go, I don't think we would have much benefit here over normal branch protection.

mlieberman85 avatar Oct 23 '24 05:10 mlieberman85

I think setting up rulesets is most powerful at the org level though

Maybe this is something we can follow up on with @SecurityCRob then.

Barring any objections, I'm going to close this issue by EOW.

marcelamelara avatar Oct 23 '24 21:10 marcelamelara

For what it's worth, I'm no expert in the matter so I may be missing something here, but I'm not convinced we really have a problem that needs fixing. I support closing this as is.

lehors avatar Oct 24 '24 05:10 lehors

It's up to the TAC, but I recommend for now sticking with branch protection.

I don't see any concrete benefits. Rulesets are potentially more flexible, but I haven't seen any example of how that flexibility would benefit OpenSSF. "More complicated but more flexible" is only a good idea if you have good reason to believe you'll use the flexibility. Someone else may see a specific example. I would be delighted to learn of one, of course!

Rulesets have drawbacks. In particular, Scorecard can easily detect the use of branch protection today, making it clear we do it. Scorecard cannot detect equivalent use of rulesets - so it would look like we're doing worse in Scorecard, and we couldn't easily verify with Scorecard that we were doing the right thing. I'm not even sure we can modify Scorecard to also detect this use of Rulesets. So something that makes us look worse - and is harder to verify with an independent tool we use - seems like a drawback. Maybe we should at least implement this in Scorecard (if we can) first?

Again, though, I think this is a TAC decision.

david-a-wheeler avatar Oct 24 '24 15:10 david-a-wheeler
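The verification gap raised above (branch protection is easy to query, ruleset-based protection lives behind a different endpoint and org-level rulesets may not be visible) can be checked directly rather than only through Scorecard. The script below is an added example for this thread; it is not code from ossf/tac, Scorecard or GitHub. It normalises the two JSON shapes into one summary: the classic object from GET /repos/{owner}/{repo}/branches/{branch}/protection and the rule list from GET /repos/{owner}/{repo}/rules/branches/{branch}, which merges the repository and organization rulesets the caller is allowed to see. The field names follow GitHub's REST documentation as I understand it, and both sample payloads are constructed, not captured from a real repository.

```python
"""Summarise effective branch protection from either GitHub mechanism.

Added example (not ossf/tac, Scorecard or GitHub code). Field names are
taken from GitHub's REST docs as the author understands them; the sample
payloads at the bottom are constructed for illustration.
"""
from dataclasses import dataclass, asdict
import json


@dataclass
class Protection:
    source: str                      # "branch-protection", "rulesets", "both" or "none"
    requires_pr: bool = False
    required_approvals: int = 0
    dismiss_stale_reviews: bool = False
    requires_status_checks: bool = False
    status_contexts: tuple = ()
    blocks_force_push: bool = False
    blocks_deletion: bool = False


def from_branch_protection(obj):
    """Classic protection object; None models the 404 an unprotected branch returns."""
    if not obj:
        return Protection("none")
    reviews = obj.get("required_pull_request_reviews") or {}
    checks = obj.get("required_status_checks") or {}
    # allow_force_pushes / allow_deletions default to disabled on a protected branch,
    # so a missing key is treated as "blocked".
    force = (obj.get("allow_force_pushes") or {}).get("enabled", False)
    delete = (obj.get("allow_deletions") or {}).get("enabled", False)
    return Protection(
        source="branch-protection",
        requires_pr=bool(reviews),
        required_approvals=reviews.get("required_approving_review_count", 0),
        dismiss_stale_reviews=reviews.get("dismiss_stale_reviews", False),
        requires_status_checks=bool(checks),
        status_contexts=tuple(sorted(checks.get("contexts", []))),
        blocks_force_push=not force,
        blocks_deletion=not delete,
    )


def from_rules(rules):
    """Rule list for a branch; several rulesets may apply, so the strictest value wins."""
    if not rules:
        return Protection("none")
    p = Protection("rulesets")
    for rule in rules:
        params = rule.get("parameters") or {}
        kind = rule.get("type")
        if kind == "pull_request":
            p.requires_pr = True
            p.required_approvals = max(p.required_approvals,
                                       params.get("required_approving_review_count", 0))
            p.dismiss_stale_reviews = p.dismiss_stale_reviews or \
                params.get("dismiss_stale_reviews_on_push", False)
        elif kind == "required_status_checks":
            p.requires_status_checks = True
            ctx = {c["context"] for c in params.get("required_status_checks", [])}
            p.status_contexts = tuple(sorted(set(p.status_contexts) | ctx))
        elif kind == "non_fast_forward":
            p.blocks_force_push = True
        elif kind == "deletion":
            p.blocks_deletion = True
    return p


def effective_protection(branch_protection, rules):
    """Combine both mechanisms; per field, the stricter requirement applies."""
    a, b = from_branch_protection(branch_protection), from_rules(rules)
    if a.source == "none":
        return b
    if b.source == "none":
        return a
    return Protection(
        source="both",
        requires_pr=a.requires_pr or b.requires_pr,
        required_approvals=max(a.required_approvals, b.required_approvals),
        dismiss_stale_reviews=a.dismiss_stale_reviews or b.dismiss_stale_reviews,
        requires_status_checks=a.requires_status_checks or b.requires_status_checks,
        status_contexts=tuple(sorted(set(a.status_contexts) | set(b.status_contexts))),
        blocks_force_push=a.blocks_force_push or b.blocks_force_push,
        blocks_deletion=a.blocks_deletion or b.blocks_deletion,
    )


def baseline_ok(p):
    """Minimal Scorecard-style verdict: reviewed PRs, status checks, no force push or deletion."""
    return (p.requires_pr and p.required_approvals >= 1 and p.requires_status_checks
            and p.blocks_force_push and p.blocks_deletion)


# Constructed sample: repo on classic branch protection, no rulesets apply.
CLASSIC_PROTECTION = {
    "required_status_checks": {"strict": True, "contexts": ["DCO", "lint"]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {"dismiss_stale_reviews": True,
                                      "required_approving_review_count": 2},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

# Constructed sample: repo migrated to rulesets (classic endpoint would 404).
RULESET_RULES = [
    {"type": "deletion", "ruleset_source_type": "Organization", "ruleset_id": 1},
    {"type": "non_fast_forward", "ruleset_source_type": "Repository", "ruleset_id": 2},
    {"type": "pull_request", "ruleset_source_type": "Repository", "ruleset_id": 2,
     "parameters": {"required_approving_review_count": 2,
                    "dismiss_stale_reviews_on_push": True}},
    {"type": "required_status_checks", "ruleset_source_type": "Repository", "ruleset_id": 2,
     "parameters": {"strict_required_status_checks_policy": True,
                    "required_status_checks": [{"context": "DCO"}, {"context": "lint"}]}},
]

if __name__ == "__main__":
    for label, bp, rules in (("classic", CLASSIC_PROTECTION, []), ("rulesets", None, RULESET_RULES)):
        p = effective_protection(bp, rules)
        print(label, baseline_ok(p), json.dumps(asdict(p)))
```

To run it against a real repository, save each endpoint's response with `gh api repos/OWNER/REPO/branches/main/protection` and `gh api repos/OWNER/REPO/rules/branches/main` and pass the parsed JSON in place of the constructed samples. As noted earlier in the thread, org-level rulesets are not always visible through the API, so an empty rule list from the second endpoint should be read as "nothing visible to this token", not as "no rulesets apply".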

There's no urgent need for us to move off of branch protection - I'm fine with us closing out this issue.

steiza avatar Oct 24 '24 18:10 steiza

Thank you everyone for your feedback!

marcelamelara avatar Oct 25 '24 15:10 marcelamelara