From 0ba4a93f6d752bcde6a2487b86bf945db0714c4c Mon Sep 17 00:00:00 2001 From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Date: Sun, 27 Oct 2024 11:48:41 -0400 Subject: [PATCH] Update security.md (#23265) - Handbook default protected branches - Remove table and point to settings so handbook is easier to maintain. --- handbook/digital-experience/security.md | 21 +++------------------ 1 file changed, 3 insertions(+), 18 deletions(-) diff --git a/handbook/digital-experience/security.md b/handbook/digital-experience/security.md index 46bbbf31ed2e..0d7706aea20d 100644 --- a/handbook/digital-experience/security.md +++ b/handbook/digital-experience/security.md 
@@ -520,24 +520,9 @@ located in too many places and not security-related. #### Branch protection Branch protection is one of the most important settings to configure and the main reason we should not have members with administrative privileges on the repositories. -Located in the Branches section of repository settings, we create a rule for **main** that applies: - -| Setting | Value | Note | -| ---------------------------------------------------------------- | ----- | --------------------------------------------------------------------------------------------------------------------- | -| Require a pull request before merging | ✅ | We enforce code reviews, which require PRs. | -| Require approvals | 1️⃣ | We require approval from one person in the team. | -| Dismiss stale pull request approvals when new commits are pushed | ✅ | Without this, someone could get approval for a small, very nice PR and change everything about it! | -| Require review from Code Owners | 🗓 | We are working towards enabling this as our team grows and allows for more flexibility | -| Restrict who can dismiss pull request reviews | 🚫 | As we are a team working in multiple timezones, we want to allow dismissing reviews and getting another one. | -| Allow specified actors to bypass required pull requests | 🚫 | We do not want anyone pushing directly to main. | -| Require status checks to pass before merging | ✅ | Because of our [monorepo](https://en.wikipedia.org/wiki/Monorepo#:~:text=In%20version%20control%20systems%2C%20a,as%20a%20'shared%20codebase'.), it is hard to pick many checks that work for all types of PRs, but we still enable this. | -| Require conversation resolution before merging | 🚫 | Reviewers should not approve a pull request if they do not think it's ready for merging. | -| Require signed commits | 🗓 | We are working towards enabling this, manually keeping track of unverified commits. 
| -| Require linear history | 🚫 | We do not currently use or enforce practices to generate a linear history. | -| Include administrators | ✅ | We want these rules to apply to *everyone*. | -| Restrict who can push to matching branches | 🚫 | Anyone in our organization should be able to merge PRs that get reviewed, and nobody should be able to push directly. | -| Allow force pushes | 🚫 | We do not need this, so we do not allow it. | -| Allow deletions | 🚫 | We do not want ANYONE to be able to delete the *main* branch. | +By default, Fleet protects branches with these names: `main`, `patch[_-*]`, `feature[_-*]`, `minor[_-*]`, `rc-minor[_-*]`, `rc-patch[_-*]`, and `fleet-v*`. + +To see the rules for protected branches, go tothe Branches section of repository settings. ### Scanning tools Though not technically a part of GitHub itself, we feel like the security tools we use to scan our code, workflows, and GitHub configuration are part of our overall GitHub configuration.
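Review bot: the added line "To see the rules for protected branches, go tothe Branches section of repository settings." has a typo ("tothe" should be "to the"). Beyond that, replacing the table with a pointer to repository settings drops the only place the handbook recorded which rules are enforced and why, including the settings the surrounding text leans on ("Include administrators ✅ We want these rules to apply to *everyone*", "Allow force pushes 🚫", "Allow deletions 🚫"); the paragraph above still says branch protection is "the main reason we should not have members with administrative privileges", so consider keeping a one-line summary of the required rules (PR required, one approval, stale approvals dismissed, status checks required, administrators included, no force pushes or deletions) next to the new branch-name list rather than sending readers to a settings page to find out. A short note on what the bracket patterns such as `patch[_-*]` and `rc-minor[_-*]` are meant to match would also help, since they are easy to misread.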