Bot accounts require clearer definition #386
Comments
@cloudfoundry/wg-leads: the TOC would like to hear from you and your groups' approvers about what you're currently doing with bot accounts, so we can agree on some common guidelines for them as above. Thanks!
We use them in CI to:
FYI, Cryogenics is using bots just as @gcapizzi described in the comment above.
Thanks, @gcapizzi and @dlresende! We'd also like to hear more about how you're administering the bot accounts and how you think the WG or area should manage credentials and authentication for them, in the interest of setting guidelines for WGs as outlined above.
Same for the ARD WG, we have a few bots for cloning repos, pulling PRs and creating new releases.
This is still relevant and the TOC plans to look into this.
The TOC has been making room for working groups to add bot accounts in #375, #378, and other PRs, but we haven't clearly defined what constitutes a bot account and how they should be managed. Since these bot accounts have broad write permissions to repos within a working group area or within the entire working group, they are effectively approvers by proxy within the working group. Working groups and their areas also often use them to generate or to transfer release artifacts, so they present an attractive target for supply-chain attacks. Consequently, their definition and access should be handled with an appropriate degree of care.
The TOC and the working groups should agree on guidelines for: