Enable override approval + Slack alerts on all promote callers#76
Turn on the human-in-the-loop override path for every promote-from-quarantine caller by setting enable_approval: true and forwarding the SLACK_WEBHOOK secret as slack_webhook. Blocked images now open a tracking issue and post a Slack notification for maintainer /approve or /deny. Requires the SLACK_WEBHOOK repository secret; when absent the notify-slack action no-ops with a warning.
Pull request overview
Enables the human-in-the-loop override approval path (including Slack notifications) across all promote-from-quarantine workflow callers by turning on enable_approval and forwarding the Slack webhook secret into the reusable workflows.
Changes:
- Set `enable_approval: true` in all four promote-from-quarantine callers.
- Forward `${{ secrets.SLACK_WEBHOOK }}` into the reusable workflows as `slack_webhook`.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/workflows/promote-from-quarantine-python.yml | Enables override approval and passes Slack webhook secret to the reusable promote workflow. |
| .github/workflows/promote-from-quarantine-node.yml | Enables override approval and passes Slack webhook secret to the reusable promote workflow. |
| .github/workflows/promote-from-quarantine-openjdk.yml | Enables override approval and passes Slack webhook secret to the reusable promote workflow. |
| .github/workflows/promote-from-quarantine-hardened-python.yml | Enables override approval and passes Slack webhook secret to the SBOM-based reusable promote workflow. |
Copilot review on #76 noted that a caller's workflow-level permissions cap the reusable workflow's GITHUB_TOKEN. With enable_approval: true the notify job needs issues: write to open the promotion tracking issue, so the callers must grant it too. Add issues: write to all four promote-from-quarantine callers.
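To make the permissions point concrete, here is an added illustration (not a file from this repository) of what one promote-from-quarantine caller looks like once this PR and the follow-up land: the caller grants `issues: write`, sets `enable_approval: true`, and forwards the `SLACK_WEBHOOK` secret. The reusable workflow path, the trigger, the `image` input and the callee sketch at the bottom are assumptions; only the input name, secret name and permission requirement come from the discussion above.

```yaml
# --- Caller: .github/workflows/promote-from-quarantine-python.yml (illustrative) ---
name: promote-from-quarantine-python

on:
  workflow_dispatch:
  schedule:
    - cron: "0 6 * * *"          # assumed daily run

# The caller's workflow-level permissions cap the GITHUB_TOKEN handed to the
# reusable workflow. Without issues: write here, the notify job cannot open the
# promotion-pending tracking issue even if the callee asks for it.
permissions:
  contents: read
  packages: write
  issues: write                  # required once enable_approval is true

jobs:
  promote:
    uses: ./.github/workflows/_promote-from-quarantine.yml   # assumed callee path
    with:
      image: python              # assumed existing input
      enable_approval: true      # turn on the human-in-the-loop override path
    secrets:
      # Forwarded explicitly; if the repository secret is unset the value is
      # empty and notify-slack no-ops with a warning rather than failing the run.
      slack_webhook: ${{ secrets.SLACK_WEBHOOK }}

# --- Callee sketch: the part of the reusable workflow that consumes these (assumed) ---
# on:
#   workflow_call:
#     inputs:
#       enable_approval: { type: boolean, default: false }
#     secrets:
#       slack_webhook: { required: false }   # optional, so a missing secret is not an error
# jobs:
#   notify:
#     if: ${{ inputs.enable_approval }}
#     permissions:
#       issues: write            # only effective if the caller granted it too
```

Note that the callee's own `permissions:` block can only narrow what the caller granted, never widen it, which is why the grant has to appear in every caller.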
Addressed Copilot's review: added
Summary
Turns on the human-in-the-loop override approval path (and its Slack notifications) for all four promote-from-quarantine callers:
Each caller now sets `enable_approval: true` and forwards the `SLACK_WEBHOOK` secret as `slack_webhook`. No reusable-workflow or action changes — this is configuration only; the underlying capability shipped in #72.
Behavior change
When an image fails the CVE gate, instead of being silently left in quarantine it now:
- opens a `promotion-pending` tracking issue, and
- posts a `blocked-pending` Slack alert.
A maintainer then comments `/approve` or `/deny` to override or reject. See docs/guides/configuring-override-approval.md.
Required follow-up (repo admin)
Add the `SLACK_WEBHOOK` repository secret (Settings → Secrets and variables → Actions). Until then `notify-slack` no-ops with a warning and the issue is still opened, so nothing breaks.
Validation
`get_errors` clean on all four files (the `SLACK_WEBHOOK` "Context access might be invalid" lint is benign and disappears once the secret exists).