Update security.md (#23265)

- Handbook default protected branches
- Remove table and point to settings so handbook is easier to maintain.
Noah Talerman 2024-10-27 11:48:41 -04:00 committed by GitHub
parent abc15a217e
commit 0ba4a93f6d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

@ -520,24 +520,9 @@ located in too many places and not security-related.
#### Branch protection
Branch protection is one of the most important settings to configure and the main reason we should not have members with administrative privileges on the repositories.
Located in the Branches section of repository settings, we create a rule for **main** that applies:
By default, Fleet protects branches with these names: `main`, `patch[_-*]`, `feature[_-*]`, `minor[_-*]`, `rc-minor[_-*]`, `rc-patch[_-*]`, and `fleet-v*`.
| Setting | Value | Note |
| ---------------------------------------------------------------- | ----- | --------------------------------------------------------------------------------------------------------------------- |
| Require a pull request before merging | ✅ | We enforce code reviews, which require PRs. |
| Require approvals | 1⃣ | We require approval from one person in the team. |
| Dismiss stale pull request approvals when new commits are pushed | ✅ | Without this, someone could get approval for a small, very nice PR and change everything about it! |
| Require review from Code Owners | 🗓 | We are working towards enabling this as our team grows and allows for more flexibility |
| Restrict who can dismiss pull request reviews | 🚫 | As we are a team working in multiple timezones, we want to allow dismissing reviews and getting another one. |
| Allow specified actors to bypass required pull requests | 🚫 | We do not want anyone pushing directly to main. |
| Require status checks to pass before merging | ✅ | Because of our [monorepo](https://en.wikipedia.org/wiki/Monorepo#:~:text=In%20version%20control%20systems%2C%20a,as%20a%20'shared%20codebase'.), it is hard to pick many checks that work for all types of PRs, but we still enable this. |
| Require conversation resolution before merging | 🚫 | Reviewers should not approve a pull request if they do not think it's ready for merging. |
| Require signed commits | 🗓 | We are working towards enabling this, manually keeping track of unverified commits. |
| Require linear history | 🚫 | We do not currently use or enforce practices to generate a linear history. |
| Include administrators | ✅ | We want these rules to apply to *everyone*. |
| Restrict who can push to matching branches | 🚫 | Anyone in our organization should be able to merge PRs that get reviewed, and nobody should be able to push directly. |
| Allow force pushes | 🚫 | We do not need this, so we do not allow it. |
| Allow deletions | 🚫 | We do not want ANYONE to be able to delete the *main* branch. |
To see the rules for protected branches, go tothe Branches section of repository settings.
### Scanning tools
Though not technically a part of GitHub itself, we feel like the security tools we use to scan our code, workflows, and GitHub configuration are part of our overall GitHub configuration.
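Review bot: the added closing line "To see the rules for protected branches, go tothe Branches section of repository settings." has a typo ("tothe" should be "to the"), and the pattern list on the new line ("`patch[_-*]`, `feature[_-*]`, ...") does not say what syntax those brackets use, so a reader cannot tell which branch names actually match; please fix the typo and add a short note on the matching rule used for those patterns. Dropping the table also removes the rationale rows that were explicitly security-motivated (dismissing stale approvals when new commits are pushed, applying the rules to administrators, forbidding force pushes and deletion of `main`); pointing at the settings page keeps the current values but not the reasoning, so consider keeping a two- or three-sentence summary of those non-negotiable requirements in the handbook so a later settings change can be recognised as a regression.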