Create new role for sigstore-bot in root-signing-staging (#395)

* Create new role for sigstore-bot in root-signing-staging * Role allows bypassing branch protections * This replaces the use of a separate review bot * Plan is to test this out in root-signing-staging, and later apply same structure to root-signing Signed-off-by: Jussi Kukkonen <jkukkonen@google.com> * roles: Use different toplevel field name The name is now consistently customRoles everywhere. Signed-off-by: Jussi Kukkonen <jkukkonen@google.com> * Custom role Use 'write' instead of 'push' as the base role In pulumi args permission "push" usually seems to mean Github role "write"... but that does not work for custom roles base role. Use 'write' as the base role. Signed-off-by: Jussi Kukkonen <jkukkonen@google.com> --------- Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
sigstore · Feb 7, 2024 · 485faf7 · 485faf7
1 parent 9dbbc2f
commit 485faf7
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/github-sync/github-data/sigstore/repositories.yaml b/github-sync/github-data/sigstore/repositories.yaml
@@ -1467,9 +1467,7 @@ repositories:
       - username: jku
         permission: admin
       - username: sigstore-bot
-        permission: push
-      - username: sigstore-review-bot
-        permission: push
+        permission: write-with-bypass
     teams:
       - name: tuf-root-signing-staging-codeowners
         id: 8790813

diff --git a/github-sync/github-data/sigstore/roles.yaml b/github-sync/github-data/sigstore/roles.yaml
@@ -0,0 +1,5 @@
+customRoles:
+  - name: write-with-bypass
+    baseRole: write
+    description: write role with an additional permission to bypass branch protection
+    permissions: [bypass_branch_protection]