Update organization level policy for Microsoft Graph #9
Conversation
MIchaelMainer
requested review from
a team,
darrelmiller,
ddyett,
goelhardik,
jasonjoh and
shemogumbe
|
@jeffwilcox Does the "Remove from repositories" for the branch protection rules mean that the rules set in this PR will not apply to that count of repos? Also, does it override all settings found in the organization settings UI? |
|
@MIchaelMainer correct on the remove from, however, I think it may be a side effect of how you're using multiple policy files to apply differently. would be a good question for that team to confirm. Once you choose to use the policy enforcement mechanism this all overrides all UI choice - so you cannot use the UI any more - so it will be a learning experience to use this. |
|
This is a big step forward to centralize our branch protection and policy work. @jeffwilcox if I'm understanding you correctly, the centralized policy replaces any previously configured policies on the individual repos? I'm curious how this interacts with existing branch protection rules requiring specific workflows to run, e.g. our CI workflows. Do they now become optional? Will they trigger? Can we enforce that CI builds pass before a PR can be merged? |
|
@gavinbarron I'm not best to answer your questions on the specifics - we aren't using these policies anywhere else in our open source presence today, so I think if anything this is a bit of a pilot. Any existing configuration is likely overwritten by this. It might make sense to test some of this somehow with a smaller applicability filter? |
|
@gavinbarron yes, the policy will delete existing rules for branches and overwrite them with the rules specified in the policy-file. @MIchaelMainer yes, the remove from is triggered by the filters you set up. It will essentially exclude these repos when enabling the specified policy. |
Once you put the policy in place, the rules in the policy will have total control and undo any changes you attempt to make to the branch protection rules via the UI. You can add policies at the repository level to add additional rules to what is specified at the organization level. For example, the In general, be careful with the |
baywet
left a comment
baywet
left a comment
There was a problem hiding this comment.
Great to see this moving forward, thanks for taking care of it!
| # Require status checks to pass before merging. TODO: this value should be true, we should work to support this. | ||
| # Used with the requiredStatusChecks setting to specify which checks must pass for the PR to be merged. | ||
| requiresStrictStatusChecks: false | ||
| # TODO: all commits should be signed. We need to get everyone signing their commits. |
There was a problem hiding this comment.
let me know if you want me to drop my setup script somewhere in a doc
There was a problem hiding this comment.
Can you provide me with a link to your script so I can add it to my planning doc?
There was a problem hiding this comment.
#this line is only for windows, we'll need to document the equivalent for linux and mac
winget install GnuPG.Gpg4win
#generate a certificate, the email must match for the line below, upload the public key to github sign keys, get the certificate thumbprint. For all those steps, see the blog post below
git config user.email <microsoft-email>
git config user.signingkey <certificateThumbprint>
git config user.name <FirstNameLastName>
git config commit.gpgsign true
git config tag.gpgsign true
# this line is only needed for windows
git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"
# for linux/mac if the $PATH is setup to include gpg, it should not be neededNote: add --global to configure for all repos
https://jamesmckay.net/2016/02/signing-git-commits-with-gpg-on-windows/
|
Thank you everyone for this very helpful discussion. It is now very clear that requiredStatusChecks should probably not be set at the org-level unless there is a very broad scenario across all of our repos we should check. Due to the potential for disruption, @gavinbarron and myself will set aside sometime on Monday to do a pilot change to the org-policy for the https://github.com/microsoftgraph/microsoft-graph-toolkit repository. We will apply all of the changes above to just this repository. We just need to confirm whether we can use the @markphip @JohannesLampel Is the |
|
@MIchaelMainer yes it is. |
|
We are putting this PR on hold until Gavin and I validate the changes on just MGT. |
| requiredApprovingReviewsCount: | ||
| min: 1 | ||
| # Must have a CODEOWNER approve for the PR to be merged. | ||
| requireCodeOwnersReview: true |
There was a problem hiding this comment.
With just one owner, we have a situation where the code owner is away on leave for a considerably long period of time, and there are no secondary owners. Would this be a challenge that slows down work output
There was a problem hiding this comment.
Thank you Shem for bringing this up. We should always have secondary owners setup. We should pull in this change until we have GitHub team setup so we can easily add new CODEOWNERS without requiring PRs. I'll make sure I get your review on the GitHub teams management document so that we get this addressed.
|
Total execution time: 38.51 seconds |
This PR contains changes to organization policy that will result in requiring:
Future work in support of policy updates:
CLI command to get all public repositories