Skip to content

canonical/repo-policy-compliance

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

61 Commits

.github

.github

 
 

charm

charm

 
 

migrations

migrations

 
 

repo_policy_compliance

repo_policy_compliance

 
 

src-docs

src-docs

 
 

tests

tests

 
 

.gitignore

.gitignore

 
 

.licenserc.yaml

.licenserc.yaml

 
 

.woke.yaml

.woke.yaml

 
 

CODEOWNERS

CODEOWNERS

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

alembic.ini

alembic.ini

 
 

app.py

app.py

 
 

generate-src-docs.sh

generate-src-docs.sh

 
 

migrate.sh

migrate.sh

 
 

poetry.toml

poetry.toml

 
 

pyproject.toml

pyproject.toml

 
 

renovate.json

renovate.json

 
 

requirements.txt

requirements.txt

 
 

rockcraft.yaml

rockcraft.yaml

 
 

tox.ini

tox.ini

 
 

trivy.yaml

trivy.yaml

 
 

Repository files navigation

repo-policy-compliance

Tool to check a GitHub repository for compliance with policy

The module exposes several functions to check for compliance with the following policies:

  • target_branch_protection: That the branch targeted by a pull request has protection enabled and that rules cannot be bypassed. The requirement for reviews is relaxed for non-default branches where both the source and target branch are on the repository.
  • collaborators: Check that all outside collaborators of the project have at most read permissions.
  • execute_job: That a user with write permission or above has left the comment /canonical/self-hosted-runners/run-workflows <commit SHA> approving a workflow run for a specific commit SHA. Only applicable to forked source branches.
  • pull_request: Runs target_branch_protection, collaborators and execute_job.
  • workflow_dispatch: Runs collaborators.
  • push: Runs collaborators.
  • schedule: Runs collaborators.

These policies are designed for workflow runs in the context of a pull request.

Customizing Enabled Policies

Each of pull_request, workflow_dispatch, schedule and push accept a policy_document argument which can be used to change which policies are enabled. If supplied, it should be a dictionary that complies with the policy JSON schema.

If nothing is supplied for a particular policy (e.g., pull_request.target_branch_protection) it is treated as enabled.

Flask Blueprint

The functions are made available via a flask blueprint. This is designed to run in a single thread for simplicity.

The blueprint exposes an endpoint /always-fail/check-run that simulates a failing check to be used for testing purposes.

Running the Tests

To run the tests, the GITHUB_TOKEN environment variable must be set. This should be a classic token with all repo permissions and the delete repo permission. The delete repo permission is used to create forks to test forked branches. The commaned tox -e test can be used to run all the tests, which are primarily integration tests.

GitHub actions should be configured to have access to a similar token that is short lived, e.g., 7 days. If it expires, a new token needs to be set.

On GitHub actions, an expanded set of tests is run as the GITHUB_TOKEN for a bot is available which can be used to test things like comments from a user that does not have write permission or above.

About

Tool to check a GitHub repository for compliance with policy

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

3 stars

Watchers

8 watching

Forks

2 forks
Report repository

Releases 13

Revision 14 Latest
May 15, 2024
+ 12 releases

Packages 1

 

Contributors 9

Languages