
Bot accounts require clearer definition #386

Open
emalm opened this issue Aug 9, 2022 · 6 comments

Comments

@emalm
Member

emalm commented Aug 9, 2022

The TOC has been making room for working groups to add bot accounts in #375, #378, and other PRs, but we haven't clearly defined what constitutes a bot account and how they should be managed. Since these bot accounts have broad write permissions to repos within a working group area or within the entire working group, they are effectively approvers by proxy within the working group. Working groups and their areas also often use them to generate or to transfer release artifacts, so they present an attractive target for supply-chain attacks. Consequently, their definition and access should be handled with an appropriate degree of care.

The TOC and the working groups should agree on guidelines for:

  • What kinds of accounts should and should not be used as bot accounts
  • Which WG members should and should not have access to credentials for the bot account based on its scope in the WG
  • Where credentials for the bot account should be stored to promote inclusive and transparent management within the working group
  • What the process for adding and removing bot accounts should be
  • Whether bot accounts should use 2-factor auth, if possible within the constraints of automation or WG/area joint management
@emalm
Member Author

emalm commented Aug 9, 2022

@cloudfoundry/wg-leads: the TOC would like to hear from you and your groups' approvers about what you're currently doing with bot accounts, so we can agree on some common guidelines for them as above. Thanks!

@gcapizzi
Contributor

We use them in CI to:

  1. clone repositories;
  2. call the GitHub API for a variety of reasons:
    • poll for new PRs;
    • apply a special label to PRs that we identify as coming from approvers (this allows us to test PRs in CI safely);
    • poll for new releases of dependencies;
    • create new releases of our own;
    • set commit statuses.
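One of the CI uses listed above, applying a label to pull requests that come from approvers so that only those PRs are tested, is worth seeing as a concrete check. The following is an added illustration, not code from the Cloud Foundry working groups; the label name, the approvers list and the sample pull requests are constructed assumptions, and the function that makes the decision is a hypothetical helper rather than anything the page describes.

```python
"""Decide which pull requests may carry the "safe to test" label.

Added illustration of the approver-label pattern; not project code.
The approvers set must be read from the base branch of the target
repository, never from the PR's head, otherwise a contributor could
grant themselves the label by editing the approvers file in their PR.
"""
from dataclasses import dataclass

# Assumed label name; the label the WG actually uses is not on the page.
SAFE_TO_TEST_LABEL = "ci/safe-to-test"


@dataclass(frozen=True)
class PullRequest:
    number: int
    author: str                      # GitHub login of the PR author
    labels: tuple[str, ...] = ()     # labels already present on the PR


def normalize(login: str) -> str:
    """GitHub logins are case-insensitive; compare them in one canonical form."""
    return login.strip().lstrip("@").lower()


def is_approver(login: str, approvers: set[str]) -> bool:
    return normalize(login) in {normalize(a) for a in approvers}


def decide_label(pr: PullRequest, approvers: set[str]) -> tuple[bool, str]:
    """Return (should_apply_label, reason) for one pull request.

    The label is only ever granted on the author being a current approver;
    anything else (a label already present, an unknown author) is a no-op,
    so a poll loop can safely re-run this over the same PRs.
    """
    if SAFE_TO_TEST_LABEL in pr.labels:
        return False, "already labelled"
    if not is_approver(pr.author, approvers):
        return False, f"{pr.author} is not an approver"
    return True, f"{pr.author} is an approver"


def plan_labels(prs: list[PullRequest], approvers: set[str]) -> list[int]:
    """Numbers of the PRs that should receive the label in this poll cycle."""
    return [pr.number for pr in prs if decide_label(pr, approvers)[0]]


# Constructed sample data: an approvers list as it would be read from the
# base branch, and four PRs seen during one poll of the GitHub API.
APPROVERS = {"alice", "Bob"}
SAMPLE_PRS = [
    PullRequest(101, "alice"),                                   # approver
    PullRequest(102, "mallory"),                                 # not an approver
    PullRequest(103, "BOB", labels=(SAFE_TO_TEST_LABEL,)),       # already labelled
    PullRequest(104, "@bob"),                                    # approver, odd spelling
]


def run_example() -> list[int]:
    return plan_labels(SAMPLE_PRS, APPROVERS)


if __name__ == "__main__":
    for pr in SAMPLE_PRS:
        apply, reason = decide_label(pr, APPROVERS)
        print(f"PR #{pr.number}: {'label' if apply else 'skip'} ({reason})")
    print("to label:", run_example())
```

Applying the label would be one further API call per returned PR number; the decision itself stays a pure function of the PR metadata and an approvers set taken from the base branch, which is what keeps re-running it on every poll harmless.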

@dlresende
Contributor

FYI, Cryogenics is using bots just as @gcapizzi described in the comment above.

@emalm
Member Author

emalm commented Aug 15, 2022

Thanks, @gcapizzi and @dlresende! We'd also like to hear more about how you're administering the bot accounts and how you think the WG or area should manage credentials and authentication for them, in the interest of setting guidelines for WGs as outlined above.

@jochenehret
Contributor

Same for the ARD WG: we have a few bots for cloning repos, pulling PRs and creating new releases.

@beyhan
Member

beyhan commented Nov 17, 2023

This is still relevant and the TOC plans to look into this.
