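--- a/policies/advancedsecurity.yml
+++ b/policies/advancedsecurity.yml
@@ -0,0 +1,19 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+name: Advanced Security Settings
+description: SDL Requirements
+
+resource: repository
+configuration:
+advancedSecurity:
+# Enable code and secret scanning on all repositories
+secretScanning: true
+# Prevent push of secrets, requires secretScanning: true
+secretScanningPushProtection: true
+# If a dependency has been added or modified, check for vulnerabilities.
+enablePrCheck: true
+# PR check will fail if the severity of the code, secret, or dependency scan is Moderate, High, or Critical
+failOnSeverity: Moderate
+# Specify exceptions to TEMPORARILY allow a specific vulnerability.
+allowGhasVulnerability: []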
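Review bot: `failOnSeverity: Moderate` presumably only blocks a merge when the PR check is a required status check, and the branch-protection files added in this same change set `requiresStrictStatusChecks: false` with a TODO, so as committed a failing scan looks advisory rather than enforced; the comment above it should say so, e.g. `# NOTE: a failing check only blocks merge once branch protection requires status checks (see requiresStrictStatusChecks in policies/branch-protection-*.yml)`. The `allowGhasVulnerability` comment says exceptions are temporary, but nothing records who approved an entry or when it lapses. A comment such as `# Each entry must name an owner and a review date; remove it once the fix ships.` would keep the list from becoming permanent.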
63 changes: 63 additions & 0 deletions policies/branch-protection-apps-services.yml
@@ -0,0 +1,63 @@
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.

name: branch_protection_apps_services
description: Organization branch protection policy for Microsoft Graph applications, services, and tools.
resource: repository
where:
- |
repository.name.contains("agora", StringComparison.InvariantCultureIgnoreCase)
|| repository.name.equals("kibali", StringComparison.InvariantCultureIgnoreCase)
|| repository.name.equals("csdl-diagrams", StringComparison.InvariantCultureIgnoreCase)
|| repository.name.startsWith("microsoft-graph-devx", StringComparison.InvariantCultureIgnoreCase)
|| repository.name.equals("microsoft-graph-explorer-v4", StringComparison.InvariantCultureIgnoreCase)
|| repository.name.equals("msgraph-developer-proxy", StringComparison.InvariantCultureIgnoreCase)
|| repository.name.equals("msgraph-github-content-utility", StringComparison.InvariantCultureIgnoreCase)
|| repository.name.equals("msgraph-metadata", StringComparison.InvariantCultureIgnoreCase)
|| repository.name.equals("msgraph-permissions-scraper", StringComparison.InvariantCultureIgnoreCase)
|| repository.name.equals("msgraph-ps-compatibility-azuread", StringComparison.InvariantCultureIgnoreCase)
|| repository.name.equals("msgraph-samples-dashboard", StringComparison.InvariantCultureIgnoreCase)
|| repository.name.equals("MSGraph-SDK-Code-Generator", StringComparison.InvariantCultureIgnoreCase)
configuration:
branchProtectionRules:
- branchNamePattern: main
requiredApprovingReviewsCount:
min: 1
# Must have a CODEOWNER approve for the PR to be merged.
requireCodeOwnersReview: true


With just one owner, we have a situation where the code owner is away on leave for a considerably long period of time, and there are no secondary owners. Would this be a challenge that slows down work output?


Thank you Shem for bringing this up. We should always have secondary owners setup. We should pull in this change until we have GitHub team setup so we can easily add new CODEOWNERS without requiring PRs. I'll make sure I get your review on the GitHub teams management document so that we get this addressed.

# Require status checks to pass before merging. TODO: this value should be true, we should work to support this.
# Used with the requiredStatusChecks setting to specify which checks must pass for the PR to be merged.
requiresStrictStatusChecks: false
# TODO: all commits should be signed. We need to get everyone signing their commits.
requiresCommitSignatures: false
# Dismiss stale pull request approvals when new commits are pushed
dismissStaleReviews: true
# Require conversation resolution before merging. Address all concerns, and resolve in the GitHub PR UI.
requiresConversationResolution: true
- branchNamePattern: "master"
requiredApprovingReviewsCount:
min: 1
requireCodeOwnersReview: true
requiresStrictStatusChecks: false
requiresCommitSignatures: false
dismissStaleReviews: true
requiresConversationResolution: true
dismissStaleReviews: true
- branchNamePattern: "dev"
requiredApprovingReviewsCount:
min: 1
requireCodeOwnersReview: true
requiresStrictStatusChecks: false
requiresCommitSignatures: false
dismissStaleReviews: true
requiresConversationResolution: true
dismissStaleReviews: true
- branchNamePattern: "[Rr]elease/*"
requiredApprovingReviewsCount:
min: 1
requireCodeOwnersReview: true
requiresStrictStatusChecks: false
requiresCommitSignatures: false
dismissStaleReviews: true
requiresConversationResolution: true
dismissStaleReviews: true
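Review bot: `dismissStaleReviews: true` appears twice in each of the `master`, `dev` and `[Rr]elease/*` rules (the second copy directly after `requiresConversationResolution: true`); duplicate mapping keys are invalid under YAML 1.2 and most loaders silently keep the last one, so the trailing copy in each rule should be dropped. The same duplication is present in policies/branch-protection-sdks.yml. The `main` pattern is unquoted while the other three are quoted; `- branchNamePattern: "main"` would make the four rules uniform. Since the three later rules repeat the `main` settings without its comments, a one-line comment above `- branchNamePattern: "master"` such as `# Same settings as main; keep all four rules in sync.` would tell a reader the repetition is intentional.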
59 changes: 59 additions & 0 deletions policies/branch-protection-sdks.yml
@@ -0,0 +1,59 @@
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.

name: branch_protection_sdks
description: Organization branch protection policy for Microsoft Graph SDKs
resource: repository
where:
- |
repository.name.startsWith("msgraph-sdk-", StringComparison.InvariantCultureIgnoreCase)
|| repository.name.startsWith("msgraph-beta-sdk-", StringComparison.InvariantCultureIgnoreCase)
|| repository.name.equals("msgraph-cli", StringComparison.InvariantCultureIgnoreCase)
|| repository.name.equals("msgraph-cli-core", StringComparison.InvariantCultureIgnoreCase)
|| repository.name.equals("msgraph-beta-cli", StringComparison.InvariantCultureIgnoreCase)
|| repository.name.equals("msgraph-beta-typescript-typings", StringComparison.InvariantCultureIgnoreCase)
|| repository.name.equals("msgraph-typescript-typings", StringComparison.InvariantCultureIgnoreCase)
|| repository.name.equals("microsoft-graph-toolkit", StringComparison.InvariantCultureIgnoreCase)
configuration:
branchProtectionRules:
- branchNamePattern: main
requiredApprovingReviewsCount:
min: 1
# Must have a CODEOWNER approve for the PR to be merged.
requireCodeOwnersReview: true
# Require status checks to pass before merging. TODO: this value should be true, we should work to support this.
# Used with the requiredStatusChecks setting to specify which checks must pass for the PR to be merged.
requiresStrictStatusChecks: false
# TODO: all commits should be signed. We need to get everyone signing their commits.

let me know if you want me to drop my setup script somewhere in a doc


Can you provide me with a link to your script so I can add it to my planning doc?


#this line is only for windows, we'll need to document the equivalent for linux and mac
winget install GnuPG.Gpg4win
#generate a certificate, the email must match for the line below, upload the public key to github sign keys, get the certificate thumbprint. For all those steps, see the blog post below
git config user.email <microsoft-email>
git config user.signingkey <certificateThumbprint>
git config user.name <FirstNameLastName>
git config commit.gpgsign true
git config tag.gpgsign true
# this line is only needed for windows
git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe"
# for linux/mac if the $PATH is setup to include gpg, it should not be needed

Note: add --global to configure for all repos

https://jamesmckay.net/2016/02/signing-git-commits-with-gpg-on-windows/

requiresCommitSignatures: false
# Dismiss stale pull request approvals when new commits are pushed
dismissStaleReviews: true
# Require conversation resolution before merging. Address all concerns, and resolve in the GitHub PR UI.
requiresConversationResolution: true
- branchNamePattern: "master"
requiredApprovingReviewsCount:
min: 1
requireCodeOwnersReview: true
requiresStrictStatusChecks: false
requiresCommitSignatures: false
dismissStaleReviews: true
requiresConversationResolution: true
dismissStaleReviews: true
- branchNamePattern: "dev"
requiredApprovingReviewsCount:
min: 1
requireCodeOwnersReview: true
requiresStrictStatusChecks: false
requiresCommitSignatures: false
dismissStaleReviews: true
requiresConversationResolution: true
dismissStaleReviews: true
- branchNamePattern: "[Rr]elease/*"
requiredApprovingReviewsCount:
min: 1
requireCodeOwnersReview: true
requiresStrictStatusChecks: false
requiresCommitSignatures: false
dismissStaleReviews: true
requiresConversationResolution: true
dismissStaleReviews: true
179 changes: 95 additions & 84 deletions policies/cla.yml
@@ -1,112 +1,123 @@
name: Contributor License Agreement Policy
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.

name: Contributor License Agreement Policy
description: CLA policy file

resource: repository

configuration:
configuration:
cla:
content: https://raw.githubusercontent.com/microsoft/.github/main/CLA/microsoft.yml
minimalChangeRequired:
minimalChangeRequired:
files: 2
codeLines: 16
bypassOrgs:
- bloomberg
bypassUsers:
- dependabot[bot]
- greenkeeper[bot]
- dotnet-maestro[bot]
- dependabot-preview[bot]
- openapi-sdkautomation[bot]
- github-actions[bot]
- content-assistant[bot]
- reunion-maestro[bot]
- renovate[bot]
- microsoft-github-policy-service[bot]
- msftbot[bot]
- azure-pipelines[bot]
- CBL-Mariner-Bot
- pbicvbot
- acomghbot
- acomghbot
- ActivityWatchBot
- agentoffline-bot
- akri-bot
- ALGitHubBot
- ansibleazurebot
- anton-bot
- ascforiotbot
- audevbot
- azclibot
- azure-pipelines[bot]
- azure-pipelines-bot
- azure-powershell-bot
- azuresdkciprbot
- dotnet-corert-bot
- iotgwbot
- LordBobbot
- qa-bot
- winobjc-bot
- mukaibot
- edtbot
- tecbot
- nzspambot
- SoundBot
- dn-helix-agents-bot
- wslbot
- dotnet-bot
- benrobot
- typescript-bot
- ansibleazurebot
- wdkbot
- deanbot
- OutlookBot
- ALGitHubBot
- blackrobot
- azure-pipelines-bot
- uefibot
- flinchbot
- MicrosoftIssueBot
- agentoffline-bot
- officedocsbot
- vswdbot
- thisisnotarobot
- CBL-Mariner-Bot
- content-assistant[bot]
- coreosbot
- McCoyBot
- audevbot
- csd-automationbot
- ascforiotbot
- rnbot
- MixedRealitySpectatorViewBot
- UI-Fabric-RN-Bot
- dotnet-maestro-bot
- anton-bot
- WorkingRobot
- azclibot
- deanbot
- dependabot[bot]
- dependabot-preview[bot]
- dn-helix-agents-bot
- dokku-bot
- dotnet-bot
- dotnet-corert-bot
- dotnet-docker-bot
- rnsdkbot
- dotnet-maestro[bot]
- dotnet-maestro-bot
- dotnet-winget-bot
- edtbot
- engelbot
- flinchbot
- github-actions[bot]
- goodboyrobot
- greenkeeper[bot]
- inclusive-coding-bot
- iotgwbot
- jenfoxbot
- MSLearnBot
- wingetbot
- azure-powershell-bot
- ninjarobot
- leha-bot
- sasabot
- akri-bot
- dokku-bot
- testplatform-bot
- microsoft-golang-bot
- RunTheBot
- julien-lebot
- zangobot
- learn-build-service-ppe[bot]
- learn-build-service-prod[bot]
- learn-build-service-test[bot]
- leha-bot
- liurunliang-bot
- LizardByte-bot
- LordBobbot
- McCoyBot
- meo-autobot
- acomghbot
- upgradvisor-bot
- oberonbot
- PylanceBot
- microsoft-github-policy-service[bot]
- microsoft-golang-bot
- MicrosoftIssueBot
- MixedRealitySpectatorViewBot
- msftbot[bot]
- MSLearnBot
- mukaibot
- nfbot
- pulumi-bot
- engelbot
- inclusive-coding-bot
- dotnet-winget-bot
- trustedroots-bot
- polymcbot
- LizardByte-bot
- goodboyrobot
- ActivityWatchBot
- ninjarobot
- nzspambot
- oberonbot
- officedocsbot
- OhMyGuus-Bot
- opbld15
- opbld16
- opbld17
- opbld27
- openapi-sdkautomation[bot]
- openpublishbuild
- OutlookBot
- pbicvbot
- playwrightmachine
- podman-desktop-bot
- liurunliang-bot
- polymcbot
- prmerger-test[bot]
- learn-build-service-test[bot]
- learn-build-service-ppe[bot]
- learn-build-service-prod[bot]
- pulumi-bot
- PylanceBot
- qa-bot
- renovate[bot]
- reunion-maestro[bot]
- rnbot
- rnsdkbot
- RunTheBot
- sasabot
- SoundBot
- tecbot
- testplatform-bot
- thisisnotarobot
- trustedroots-bot
- typescript-bot
- uefibot
- UI-Fabric-RN-Bot
- upgradvisor-bot
- VSC-Service-Account
- vswdbot
- wdkbot
- wingetbot
- winobjc-bot
- WorkingRobot
- wslbot
- zangobot

prohibitedCompanies:
- msft
- microsoft