(Add problem with GitHub Apps & restricted commits) |
(Add "ours" merge strategy as option to force pushing to production) |
Line 12: | Line 12: | ||
In the interim, the GitHub Apps can open PRs, but a human committer will need to merge them (or a bot using old style OAuth permissions). | In the interim, the GitHub Apps can open PRs, but a human committer will need to merge them (or a bot using old style OAuth permissions). | ||
== Branch protection should be enabled for production branches == | |||
Enabling branch protection both (a) prevents branch deletion, and (b) dis-allows force pushes to the branch. | |||
=== Problem: Our workflow uses force pushes to production to ensure we know what will be deployed. === | |||
There is another way to achieve the same goal, ''and'' make it easier for developers to update from production. The not well know [https://git-scm.com/docs/merge-strategies#merge-strategies-ours "ours" merge strategy] provides a way to achieve both: | |||
* Ensuring the head contains exactly the files you need, and | |||
* Allowing developers (and systems) to always apply Fast Forward updates. | |||
An example of using this workflow is [https://stackoverflow.com/a/45408573/5128493 described] on Stack Overflow. | |||
== Commits (including merges) to the production branch should be GPG signed. == | == Commits (including merges) to the production branch should be GPG signed. == |
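Review bot: the new "Problem" section names the "ours" merge strategy but never says which branch is checked out when the merge is made, and that decides the outcome: with "ours" the resulting tree is always the current branch's tree and the other side's changes are discarded. State the direction explicitly (merge production into the branch holding the release using "ours", then fast-forward production to the resulting merge commit) and put the steps on this page rather than relying only on the Stack Overflow link, because a reader who runs the same merge while on the production branch would discard the release content without any conflict or warning. The merge commit that lands on production also falls under the GPG-signing requirement in the following section, which is worth a cross-reference here. Typos in the added lines: "dis-allows" should be "disallows" and "not well know" should be "not well known".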