jeffmendoza (Repos: 70, Followers: 135, Following: 2)

Events

Insert conduct contact email in code-of-conduct.

Signed-off-by: Caleb Brown <calebbrown@google.com>

Merge pull request #59 from calebbrown/patch-2

Insert conduct contact email in code-of-conduct.

Created at 15 hours ago
Insert conduct contact email in code-of-conduct.

Signed-off-by: Caleb Brown <calebbrown@google.com>

Created at 15 hours ago
issue comment
Add the ability to allow exceptions to rules per-repository

Repo level config should be handled by the "RepoConfig" for each policy, ex: https://pkg.go.dev/github.com/ossf/allstar/pkg/policies/binary#RepoConfig

This config is typically in the repo itself, under the ".allstar" directory. For example, the repo "myrepo" would have the file ".allstar/binary_artifacts.yaml" with the contents of a "RepoConfig".

However, if the org owner does not want to allow the individual repos to opt out or set config on their own, they turn on the "disableRepoOverride" option. In that case the config found in the repo is usually ignored. For this situation, you can put a config file in the main ".allstar" repo for a specific repo, ex: "myrepo/binary_artifacts.yaml"; this will be read and used even if "disableRepoOverride" is set to true.

We have attempted to explain this here: https://github.com/ossf/allstar#repo-policy-configurations-in-the-org-repo. Not sure if it is clear enough. Original issue is #186.

For the binary artifacts ignore options, we tried to make it a bit restrictive at first (no glob), in an attempt to avoid people just putting "*". If you have a need for globs though, we should add it.

Created at 1 day ago
issue comment
Add optOutForkedRepos

Yes, this would be great! Looks like the fork field is filled out on repo-get: https://pkg.go.dev/github.com/google/go-github/v48/github#Repository.GetFork

Created at 3 days ago
issue comment
SECURITY-INSIGHTS.yml implementation

Yep, sounds great.

Created at 1 week ago
issue comment
Update examples

Yes, an examples directory would be great. Detailed docs on each policy's options are on the wish list; we hope that the config struct definition comments are OK until we have that, ex: https://pkg.go.dev/github.com/ossf/allstar/pkg/policies/outside#OrgConfig

Created at 2 weeks ago

Update branch_protection.yaml

Created at 2 weeks ago
delete branch
jeffmendoza delete branch handle-suspend
Created at 2 weeks ago
closed issue
Handle suspended installation

We get the error below at https://github.com/ossf/allstar/blob/main/pkg/enforce/enforce.go#L212:

Get "https://api.github.com/installation/repositories?per_page=100": could not refresh installation id 12345's token: received non 2xx response status "403 Forbidden" when fetching https://api.github.com/app/installations/12345/access_tokens

I just figured out this is when an installation is suspended: https://docs.github.com/en/developers/apps/managing-github-apps/suspending-a-github-app-installation. It comes up as an installation in the list, but we can't auth to make any calls.

Created at 2 weeks ago

Add check for suspended installations.

Signed-off-by: Jeff Mendoza <jeffmendoza@google.com>

Created at 2 weeks ago
pull request closed
Add check for suspended installations.

Fix #314

Created at 2 weeks ago

Add check for suspended installations.

Signed-off-by: Jeff Mendoza <jeffmendoza@google.com>

Created at 2 weeks ago
pull request opened
Add check for suspended installations.

Fix #314

Created at 2 weeks ago
create branch
jeffmendoza create branch handle-suspend
Created at 2 weeks ago
opened issue
Handle suspended installation

We get the error below at https://github.com/ossf/allstar/blob/main/pkg/enforce/enforce.go#L212:

Get "https://api.github.com/installation/repositories?per_page=100": could not refresh installation id 12345's token: received non 2xx response status "403 Forbidden" when fetching https://api.github.com/app/installations/12345/access_tokens

I just figured out this is when an installation is suspended: https://docs.github.com/en/developers/apps/managing-github-apps/suspending-a-github-app-installation. It comes up as an installation in the list, but we can't auth to make any calls.

Created at 2 weeks ago

Update branch_protection.yaml

Created at 2 weeks ago

Update branch_protection.yaml

Created at 2 weeks ago

Update branch_protection.yaml

Created at 2 weeks ago
issue comment
[Feature Request] Require review from Code Owners

Same as the other issue, happy to have more coverage of the BP options.

Created at 2 weeks ago
issue comment
[Feature Request] Require conversation resolution

Yes, sounds great. It would be good to have full coverage of all the branch protection options.

Created at 2 weeks ago

Update branch_protection.yaml

Created at 2 weeks ago

Update branch_protection.yaml

Created at 2 weeks ago
jeffmendoza delete branch jeffmendoza-patch-1
Created at 2 weeks ago

Update allstar.yaml

Merge pull request #3 from jeffmendoza-test-org/jeffmendoza-patch-1

Update allstar.yaml

Created at 2 weeks ago
Update allstar.yaml
Created at 2 weeks ago
Update allstar.yaml
Created at 2 weeks ago
jeffmendoza create branch jeffmendoza-patch-1
Created at 2 weeks ago
issue comment
Is the OpenSSF hosted instance viable for commercial use?

We don't have a detailed doc, just the brief description here: https://github.com/ossf/allstar#installation-options. Of course the code is open source, and could be searched/indexed for API calls, but I understand how an overview would be very helpful. I do believe we are asking for more read permissions than required, with the expectation that we can implement new policies in the future.

Created at 3 weeks ago
issue comment
Is the OpenSSF hosted instance viable for commercial use?

Hi, thanks for the interest. We use the OpenSSF instance for Google currently, so it is sound enough for serious use. That said, it is a bit slow because of the number of installations, and has a 24-48 hour turnaround time, to close fixed issues for example.

As far as trust goes, you would be trusting me as the operator of the app. Currently I'm the only operator, but this is a volunteer-based instance.

The admin:write is used to allow Allstar the "fix" action on Branch Protection. You can set your required settings, and Allstar will apply that to all your repos if they don't meet the minimum settings. The tutorial needs to be updated as the fix action was added later.

Created at 3 weeks ago