Customize the policy-bot PR title to enable wildcard matching on branches about policy-bot HOT 8 OPEN

The name of the branch in the status check is intentionally to prevent cases where a policy could be updated on a less secure branch without being properly approved. See this comment in #57 for a better explaination

from policy-bot.

So is the only solution for me to manually go to every release branch in GHE (and remember to do this forever into the future when we cut release branches) and ensure that the status check requirement is checked?

from policy-bot.

I'm open to other solutions too, I just proposed the first one that came to mind since it was clearly the most obvious one.

from policy-bot.

I'm curious if there has been any development in this area. This seems like a pretty major issue for any repository that happens to cut release branches.

from policy-bot.

@jamestoyer I understand security concerns, but maybe check name could be made configurable - to contain branch or not? We have about 30 repos with up to 10 hotfix-x.x branches. Right now there is a wildcard filter in the protection rule, it will be quite hard for us to create new rules with every release when we create a new hotfix branch in every repo. And our developers are pretty honest to not do magic with retargeting PRs.

from policy-bot.

I'm not sure if @jamestoyer still actively contributing here.

@bluekeyes maybe you can share your thoughts? Is the idea to add an option to remove branch from check name sounds reasonable and if yes - is there a possibility that this could be added in near future?

from policy-bot.

Its configurable at the server level by using the post_insecure_status_checks option.

Given that this issue is a pretty easy hole to exploit, we're likely not looking to make this option easier to foot gun.

from policy-bot.

Thanks @asvoboda, will give it a try.

from policy-bot.