Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(repo settings): approve build mechanism for pull_request events #328

Merged
merged 9 commits into from
Nov 27, 2023

Conversation

ecrupper
Copy link
Contributor

DESCRIPTION

Inspired by this behavior that GH Actions is able to do.

This functionality would protect our user base from untrusted sources executing pipelines without approval. It is also much more tenable to provide this capability rather than show warnings like this.

This security enhancement was made possible by the temporary storage of compiled build objects (main PR for that). Using this, we can put builds on the ice box while they await approval.

The below diagrams illustrate this process (note the two DB icons are the same database, just duplicated for readability):

BEFORE

Screenshot 2023-10-10 at 2 24 22 PM

AFTER

Screenshot 2023-10-10 at 2 25 38 PM

MISC

As an aside, this will close all these open PRs for trying to differentiate PR events from forks:
Closes #271
Closes go-vela/server#727
Closes go-vela/ui#593

@ecrupper ecrupper requested a review from a team as a code owner October 10, 2023 19:32
@codecov
Copy link

codecov bot commented Oct 10, 2023

Codecov Report

Merging #328 (30b8593) into main (e7d5019) will increase coverage by 0.03%.
The diff coverage is 100.00%.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main     #328      +/-   ##
==========================================
+ Coverage   96.35%   96.38%   +0.03%     
==========================================
  Files          62       62              
  Lines        6859     6920      +61     
==========================================
+ Hits         6609     6670      +61     
  Misses        181      181              
  Partials       69       69              
Files Coverage Δ
database/build.go 100.00% <100.00%> (ø)
database/repo.go 98.30% <100.00%> (+0.04%) ⬆️
library/build.go 100.00% <100.00%> (ø)
library/repo.go 100.00% <100.00%> (ø)
webhook.go 100.00% <ø> (ø)

Comment on lines +30 to +32
// ApproveOnce defines the CI strategy of having a repo administrator approve
// all builds triggered from an outside contributor if this is their first time contributing.
ApproveOnce = "first-time"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A note on this: I am adding this constant as more of a To-Do. I don't have actual functionality for this coded up, but would create a follow-up story to implement this at a later point.

cognifloyd
cognifloyd previously approved these changes Oct 19, 2023
library/repo.go Outdated Show resolved Hide resolved
Co-authored-by: Jacob Floyd <[email protected]>
cognifloyd
cognifloyd previously approved these changes Oct 20, 2023
timhuynh94
timhuynh94 previously approved these changes Oct 24, 2023
@ecrupper
Copy link
Contributor Author

Slotting for v0.23

@ecrupper ecrupper marked this pull request as draft October 24, 2023 18:41
@ecrupper ecrupper marked this pull request as ready for review November 14, 2023 16:39
Copy link
Member

@wass3rw3rk wass3rw3rk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a couple of comments

consider other forms of approval?

i wonder if we want to decouple this from fork builds more (at the least the bit attached to the repo object) and maybe push that aspect to the value(s) you can provide. reason is to avoid potential issues later when we want to (maybe?) support other types of approval? for example, maybe we want to support approval for tag builds as these are often associated with prod deploys.

on the other hand, if you wanted this functionality, i think you can kind of get there with deployments today by utilizing https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#required-reviewers . that is, send a deployment request via Vela, and then it hangs out in GitHub until someone approves. once approved it sends off the webhook for the deployment to Vela. i haven't tested this, tbh.

some folks also get more creative to get to similar functionality, like https://trstringer.com/github-actions-manual-approval/ for github actions, for example.

track approver

i think there would be additional interest to track who approved a build (and maybe when?) from audit perspective. should we attach to build?

any thoughts on those?

@ecrupper ecrupper dismissed stale reviews from timhuynh94 and cognifloyd via a668d28 November 26, 2023 15:42
@ecrupper
Copy link
Contributor Author

@wass3rw3rk Included auditing and put the fork terminology in the constants rather than the field name with latest commit. Let me know what you think!

cognifloyd
cognifloyd previously approved these changes Nov 26, 2023
timhuynh94
timhuynh94 previously approved these changes Nov 27, 2023
webhook.go Outdated Show resolved Hide resolved
@ecrupper ecrupper dismissed stale reviews from timhuynh94 and cognifloyd via b810497 November 27, 2023 16:26
wass3rw3rk
wass3rw3rk previously approved these changes Nov 27, 2023
@ecrupper ecrupper merged commit b43cd77 into main Nov 27, 2023
10 checks passed
@ecrupper ecrupper deleted the feat/fork-pr-approve-build branch November 27, 2023 16:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants