chore: Configure Probot Settings app #77

Closed
wants to merge 1 commit into from


maxbrunet
Collaborator

Changes:

This configures the Settings GitHub App, so anyone can suggest changes to the repository settings via pull requests, including labels.

Then, these settings can easily be copied to other repositories. Or there is support for inheritance from the renovatebot/.github, so some default settings could be centralized there, but skimming through the issues, the behavior seems a little confusing or broken: probot/settings#inheritance

I will need the organization owner's approval from @rarkins to install the application in this repository (first repository using this app in the organization); its nature requires elevated permissions:

  • Write access to files located at .github/settings.yml
  • Read access to metadata
  • Read and write access to administration, code, commit statuses, issues, members, and repository projects

See also probot/settings#security-implications

Context:

Closes #59

Documentation

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests but ran on a real repository, or
  • Both unit tests + ran on a real repository

@rarkins
Collaborator

rarkins commented Dec 5, 2021

I think that the "Security Implications" described by this app are too serious and prefer not to install it. The trade-off between risk and benefit isn't strong enough.

@maxbrunet
Collaborator Author

Agreeable, it seems trusted by other serious orgs like @cncf and @npm, and it would have been an experiment on a low-risk repository. Closing.

@maxbrunet maxbrunet closed this Dec 5, 2021
@maxbrunet maxbrunet deleted the chore/probot-settings branch December 5, 2021 05:05
Successfully merging this pull request may close these issues.

Copy/paste status, priority and type labels from the Renovate repo