
Enable override approval + Slack alerts on all promote callers#76

Merged
toddysm merged 2 commits into main from feature/enable-slack-approval-callers
Jun 27, 2026

Conversation

@toddysm toddysm commented Jun 27, 2026


Summary

Turns on the human-in-the-loop override approval path (and its Slack notifications) for all four promote-from-quarantine callers:

  • promote-from-quarantine-python.yml
  • promote-from-quarantine-node.yml
  • promote-from-quarantine-openjdk.yml
  • promote-from-quarantine-hardened-python.yml (SBOM)

Each caller now sets enable_approval: true and forwards the SLACK_WEBHOOK secret as slack_webhook. No reusable-workflow or action changes — this is configuration only; the underlying capability shipped in #72.

Behavior change

When an image fails the CVE gate, instead of being silently left in quarantine it now:

  1. opens (or refreshes) a promotion-pending tracking issue, and
  2. posts a Slack blocked-pending alert.

A maintainer then comments /approve or /deny to override or reject. See docs/guides/configuring-override-approval.md.

Required follow-up (repo admin)

Add the SLACK_WEBHOOK repository secret (Settings → Secrets and variables → Actions). Until then notify-slack no-ops with a warning and the issue is still opened, so nothing breaks.

Validation

  • VS Code get_errors clean on all four files (the SLACK_WEBHOOK "Context access might be invalid" lint is benign and disappears once the secret exists).

Turn on the human-in-the-loop override path for every promote-from-quarantine caller by setting enable_approval: true and forwarding the SLACK_WEBHOOK secret as slack_webhook. Blocked images now open a tracking issue and post a Slack notification for maintainer /approve or /deny.

Requires the SLACK_WEBHOOK repository secret; when absent the notify-slack action no-ops with a warning.
Copilot AI review requested due to automatic review settings June 27, 2026 23:14

Copilot AI left a comment


Pull request overview

Enables the human-in-the-loop override approval path (including Slack notifications) across all promote-from-quarantine workflow callers by turning on enable_approval and forwarding the Slack webhook secret into the reusable workflows.

Changes:

  • Set enable_approval: true in all four promote-from-quarantine callers.
  • Forward ${{ secrets.SLACK_WEBHOOK }} into the reusable workflows as slack_webhook.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File: Description
.github/workflows/promote-from-quarantine-python.yml: Enables override approval and passes Slack webhook secret to the reusable promote workflow.
.github/workflows/promote-from-quarantine-node.yml: Enables override approval and passes Slack webhook secret to the reusable promote workflow.
.github/workflows/promote-from-quarantine-openjdk.yml: Enables override approval and passes Slack webhook secret to the reusable promote workflow.
.github/workflows/promote-from-quarantine-hardened-python.yml: Enables override approval and passes Slack webhook secret to the SBOM-based reusable promote workflow.


Copilot review on #76 noted that a caller's workflow-level permissions cap the reusable workflow's GITHUB_TOKEN. With enable_approval: true the notify job needs issues: write to open the promotion tracking issue, so the callers must grant it too. Add issues: write to all four promote-from-quarantine callers.
toddysm commented Jun 27, 2026


Addressed Copilot's review: added issues: write to all four promote callers' workflow-level permissions (commit 3830657). A caller's workflow-level permissions cap the reusable workflow's GITHUB_TOKEN, so without it the notify job's issues: write would be capped and tracking-issue creation would 403 on blocked images.
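The caller shape that results from this PR plus the follow-up commit, as an added illustration rather than a file from this repository: the reusable workflow path and the trigger are placeholders, while enable_approval, slack_webhook, SLACK_WEBHOOK and issues: write are the names used in the PR.

```yaml
# Added illustration (not a file from this repository): a promote-from-quarantine
# caller after this PR and the follow-up permissions commit. The reusable workflow
# path and the trigger are placeholders; enable_approval, slack_webhook,
# SLACK_WEBHOOK and issues: write are the names used in the PR.
name: promote-from-quarantine-example

on:
  workflow_dispatch:   # assumed trigger; the page does not state the real one

# Workflow-level permissions are the ceiling for the called reusable workflow's
# GITHUB_TOKEN: a called workflow can only drop permissions, never add them.
# Without issues: write here, the notify job's own issues: write is capped and
# creating the promotion tracking issue fails with 403 on blocked images.
permissions:
  contents: read
  issues: write

jobs:
  promote:
    # Placeholder path for the reusable promote workflow referenced by the PR.
    uses: ./.github/workflows/REUSABLE-PROMOTE-WORKFLOW-PLACEHOLDER.yml
    with:
      # Turns on the human-in-the-loop override path (/approve or /deny).
      enable_approval: true
    secrets:
      # Forward the repository secret under the name the reusable workflow expects.
      # Until the secret is configured, notify-slack no-ops with a warning.
      slack_webhook: ${{ secrets.SLACK_WEBHOOK }}
```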

@toddysm toddysm merged commit a51b60d into main Jun 27, 2026
3 checks passed
@toddysm toddysm deleted the feature/enable-slack-approval-callers branch June 27, 2026 23:26