root-signing: Prepare for tuf-on-ci migration (#451)

* root-signing: Prepare for tuf-on-ci migration As part of sigstore/root-signing#1247 root-signing requires some project setting changes: * Allow and encourage merge commits: signing event branches are collaboration branches where individual commits have different authors and actual meaning. * Do not require linear history: signing events make sense as slightly longer lived branches: preserving this history make sense * Remove two required checks that are replaced by tuf-on-ci checks (which can be made required in a later commit) * Add branch protection for "publish" * Modify branch protection for "main": * Remove sigstore-keyholders from pushRestrictions list: this looks like a mistake, keyholders should not have permissions for main * Add sigstore-bot as a PR bypasser (this is how online signing happens) Signed-off-by: Jussi Kukkonen <[email protected]> * root-signing: Also remove dismissal permissions from keyholders It looks like the team may not even be needed in the end so make sense to remove this fairly inconsequential permission as well. Signed-off-by: Jussi Kukkonen <[email protected]> --------- Signed-off-by: Jussi Kukkonen <[email protected]>
sigstore · Jun 20, 2024 · 7bcd31b · 7bcd31b
1 parent 2968324
commit 7bcd31b
Showing 1 changed file with 24 additions and 9 deletions.
diff --git a/github-sync/github-data/sigstore/repositories.yaml b/github-sync/github-data/sigstore/repositories.yaml
@@ -1396,13 +1396,13 @@ repositories:
     webCommitSignoffRequired: true
   - name: root-signing
     owner: sigstore
-    description: ""
+    description: "TUF repository for Sigstore trust root"
     homepageUrl: ""
     defaultBranch: main
     allowAutoMerge: true
-    allowMergeCommit: false
-    allowRebaseMerge: true
-    allowSquashMerge: true
+    allowMergeCommit: true
+    allowRebaseMerge: false
+    allowSquashMerge: false
     archived: false
     autoInit: false
     deleteBranchOnMerge: true
@@ -1437,7 +1437,7 @@ repositories:
         enforceAdmins: true
         allowsDeletions: false
         allowsForcePushes: false
-        requiredLinearHistory: true
+        requiredLinearHistory: false
         dismissStaleReviews: true
         requiredApprovingReviewCount: 1
         requireLastPushApproval: true
@@ -1447,16 +1447,31 @@ repositories:
           - yamllint
           - test
           - lint
-          - validate
-          - client
         pushRestrictions:
           - tuf-root-signing-codeowners
-          - sigstore-keyholders
           - sigstore-bot
           - sigstore-review-bot
         dismissalRestrictions:
           - tuf-root-signing-codeowners
-          - sigstore-keyholders
+        pullRequestBypassers:
+          - sigstore-bot
+      - pattern: publish
+        enforceAdmins: true
+        allowsDeletions: false
+        allowsForcePushes: false
+        requiredLinearHistory: false
+        dismissStaleReviews: true
+        requiredApprovingReviewCount: 1
+        requireLastPushApproval: true
+        restrictDismissals: true
+        pushRestrictions:
+          - tuf-root-signing-codeowners
+          - sigstore-bot
+          - sigstore-review-bot
+        dismissalRestrictions:
+          - tuf-root-signing-codeowners
+        pullRequestBypassers:
+          - sigstore-bot
       - pattern: test-ceremony/*
         enforceAdmins: true
         allowsDeletions: false