From bcd885c1a9ba8471c6601cf2835150b6b0bcd763 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Fri, 16 Feb 2024 14:31:22 +0200
Subject: [PATCH] Add bot branch protection bypass in root-signing-staging (#403)

* Remove unused custom role
This was an attempt to allow a specific user/bot to bypass branch protections in a repository. Luckily we should not need the role after all.
Signed-off-by: Jussi Kukkonen
* Add sigstore-bot to root-signing-staging bypass list
Allow sigstore-bot to bypass required pull requests: this is for the online signing. Also remove sigstore-reviewe-bot: it should not be needed.
Signed-off-by: Jussi Kukkonen
---------
Signed-off-by: Jussi Kukkonen
---
 github-sync/github-data/sigstore/repositories.yaml | 4 ++--
 github-sync/github-data/sigstore/roles.yaml | 5 -----
 2 files changed, 2 insertions(+), 7 deletions(-)
 delete mode 100644 github-sync/github-data/sigstore/roles.yaml
diff --git a/github-sync/github-data/sigstore/repositories.yaml b/github-sync/github-data/sigstore/repositories.yaml
index 68ff083..014e891 100644
--- a/github-sync/github-data/sigstore/repositories.yaml
+++ b/github-sync/github-data/sigstore/repositories.yaml
@@ -1470,8 +1470,6 @@ repositories:
 permission: admin
 - username: sigstore-bot
 permission: push
- - username: sigstore-review-bot
- permission: push
 teams:
 - name: tuf-root-signing-staging-codeowners
 id: 8790813
@@ -1497,6 +1495,8 @@ repositories:
 - sigstore-bot
 dismissalRestrictions:
 - tuf-root-signing-staging-codeowners
+ pullRequestBypassers:
+ - sigstore-bot
 - pattern: publish
 enforceAdmins: true
 allowsDeletions: false
diff --git a/github-sync/github-data/sigstore/roles.yaml b/github-sync/github-data/sigstore/roles.yaml
deleted file mode 100644
index a09662e..0000000
--- a/github-sync/github-data/sigstore/roles.yaml
+++ /dev/null
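Review bot: In the repositories.yaml hunk at `@@ -1497,6 +1495,8 @@`, the new `pullRequestBypassers` entry lets whoever holds the `sigstore-bot` credential land commits on this protected branch without review, and the file does not record why. The commit message says it is for online signing; I would state that beside the setting, e.g. `# sigstore-bot: online signing pushes only; bypasses the required pull request`, so an audit of this rule does not depend on git history. The rule's `pattern` and its other settings start above the hunk, so I cannot tell from here which branch is affected or whether required status checks still apply to the bot's pushes; that is worth confirming. It is also worth confirming the bot token is exposed only to the signing workflow, since it now substitutes for reviewer approval in root-signing-staging.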
@@ -1,5 +0,0 @@
-customRoles:
- - name: write-with-bypass
- baseRole: write
- description: write role with an additional permission to bypass branch protection
- permissions: [bypass_branch_protection]