Migrate from branch protection to rulesets? #255

Closed
marcelamelara opened this issue Feb 5, 2024 · 13 comments

@marcelamelara
Contributor

We're currently using branch protection settings for PRs, but we could also consider migrating from branch protection to rulesets (https://github.com/ossf/tac/settings/rules).

Originally posted by @steiza in #252 (review)

@steiza
Member

steiza commented Feb 20, 2024

I may have been too hasty! At some point in the future, GitHub should have a "click here to move your branch protection settings to rulesets" button. Unless someone wants to pick this up sooner than later, I think it'll be less work if we wait for the button.

@SecurityCRob
Contributor

SecurityCRob commented Feb 20, 2024 via email

@sevansdell
Contributor

Is this a duplicate of 333 and can be closed out in this issue?

@david-a-wheeler
Contributor

One problem is that branch protection is easily verified, and Scorecard does this. Rulesets aren't. I didn't see an argument for the switch - why should we switch?

@sevansdell
Contributor

Notes from TAC call where this was discussed:

  • Marcela, Mike and Crob will work this asynchronously
  • David: tools may need to be updated to reflect rulesets and branch protection. Currently, Scorecard only recognizes branch protection, as an example
  • Mike: Sometimes, rulesets applied at the company level aren’t easily visible on projects via API. He’s dealing with this at his own company.

@sevansdell
Contributor

@marcelamelara , @mlieberman85 and @SecurityCRob status update please!

@marcelamelara
Contributor Author

Thanks for the ping Sarah! This completely fell off my radar.

FWIW, here is the discussion on the rulesets vs branch protection: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets#about-rulesets-and-protected-branches

We may ultimately decide to shelve this and keep things as they are. But I think we have an opportunity here to revisit this and align with the security baseline as well. @SecurityCRob and @mlieberman85 wdyt?

@mlieberman85
Contributor

I think either or is easy. I think setting up rulesets is most powerful at the org level though. Given that our stuff is fairly straightforward as far as branches go, I don't think we would have much benefit here over normal branch protection.

@marcelamelara
Contributor Author

I think setting up rulesets is most powerful at the org level though

Maybe this is something we can follow up on with @SecurityCRob then.

Barring any objections, I'm going to close this issue by EOW.

@lehors
Contributor

lehors commented Oct 24, 2024

For what it's worth, I'm no expert in the matter so I may be missing something here, but I'm not convinced we really have a problem that needs fixing. I support closing this as is.

@david-a-wheeler
Contributor

david-a-wheeler commented Oct 24, 2024

It's up to the TAC, but I recommend for now sticking with branch protection.

I don't see any concrete benefits. Rulesets are potentially more flexible, but I haven't seen any example of how that flexibility would benefit OpenSSF. "More complicated but more flexible" is only a good idea if you have good reason to believe you'll use the flexibility. Someone else may see a specific example. I would be delighted to learn of one, of course!

Rulesets have drawbacks. In particular, Scorecard can easily detect the use of branch protection today, making it clear we do it. Scorecard cannot detect equivalent use of rulesets - so it would look like we're doing worse in Scorecard, and we couldn't easily verify with Scorecard that we were doing the right thing. I'm not even sure we can modify Scorecard to also detect this use of Rulesets. So something that makes us look worse - and is harder to verify with an independent tool we use - seems like a drawback. Maybe we should at least implement this in Scorecard (if we can) first?

Again, though, I think this is a TAC decision.
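One way to make the two models comparable, for both the visibility concern from the TAC call notes (org-level rulesets not showing up per repo) and the Scorecard verification concern above, is to fetch the branch-protection and rules-for-branch API responses and flatten them to the same small set of guarantees. This is an added example, not code from the TAC repository or from Scorecard; it assumes the response shapes of GitHub's GET .../branches/{branch}/protection and GET .../rules/branches/{branch} endpoints, and both payloads below are constructed.

```python
# Added example, not code from the OpenSSF TAC repository or Scorecard. Assumes
# the shapes of GET /repos/{o}/{r}/branches/{b}/protection and
# GET /repos/{o}/{r}/rules/branches/{b}; both payloads here are constructed.

# Constructed: classic branch protection on the default branch.
BRANCH_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 2},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

# Constructed: rules in effect for the same branch; the second comes from an
# org-level ruleset, which a per-repository check can easily miss.
BRANCH_RULES = [
    {"type": "pull_request", "ruleset_source_type": "Repository", "ruleset_source": "tac",
     "parameters": {"required_approving_review_count": 2}},
    {"type": "non_fast_forward", "ruleset_source_type": "Organization", "ruleset_source": "ossf"},
]


def from_branch_protection(bp):
    """Flatten a branch-protection payload to the guarantees we care about."""
    out = {}
    reviews = bp.get("required_pull_request_reviews")
    if reviews is not None:
        out["min_approvals"] = reviews.get("required_approving_review_count", 0)
    out["block_force_push"] = not bp.get("allow_force_pushes", {}).get("enabled", True)
    out["block_deletion"] = not bp.get("allow_deletions", {}).get("enabled", True)
    return out


def from_rules(rules):
    """Flatten the rules-for-branch payload the same way, recording which
    ruleset (repository or organization) each guarantee comes from."""
    out, sources = {}, {}
    for rule in rules:
        kind = rule["type"]
        if kind == "pull_request":
            out["min_approvals"] = rule.get("parameters", {}).get(
                "required_approving_review_count", 0)
        elif kind == "non_fast_forward":
            out["block_force_push"] = True
        elif kind == "deletion":
            out["block_deletion"] = True
        sources[kind] = f'{rule["ruleset_source_type"]}:{rule["ruleset_source"]}'
    return out, sources


def compare(bp, rules):
    """Guarantees present under branch protection but absent under rulesets."""
    want = from_branch_protection(bp)
    have, sources = from_rules(rules)
    return {k: v for k, v in want.items() if have.get(k) != v}, sources
```

With the constructed payloads, `compare` reports that the ruleset setup lacks deletion blocking and that the force-push rule is inherited from the organization.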

@steiza
Member

steiza commented Oct 24, 2024

There's no urgent need for us to move off of branch protection - I'm fine with us closing out this issue.

@marcelamelara
Contributor Author

Thank you everyone for your feedback!

@marcelamelara closed this as not planned on Oct 25, 2024.