
feat: implement two-person reviewed check #492


Closed
wants to merge 12 commits into from

Conversation

Yao-Wen-Chang
Contributor

@Yao-Wen-Chang Yao-Wen-Chang commented Sep 28, 2023

Reference: #439 (closed PR).

Rules for this check:

  • The rate of passing the SLSA Level 4 two-person reviewed requirement is defined by "number_of_merged_and_approved_PRs / number_of_merged_PRs".
  • Excluding the situation where the PR is auto-merged by the dependency bot.
  • Check the PRs of the branch specified by the user. If the branch is not provided by the user, the check will apply to all branches.

This GraphQL API is implemented in this check.

Exceptions for this check need to be defined:

  • [First-parent history] In the case of a non-linear version control system, where a revision can have more than one parent, only the “first parent history” is in scope. In other words, when a feature branch is merged back into the main branch, only the merge itself is in scope.
  • [Historical cutoff] There is some TBD exception to allow existing projects to meet SLSA 3/4 even if historical revisions were present in the history. Current thinking is that this could be either last N months or a platform attestation guaranteeing that future changes in the next N months will meet the requirements.

Both of the requirements listed are specified in the SLSA requirements.
However, considering efficiency and achievability, the check will not consider these two exceptions at this moment.
[First-parent history] requires checking the commit as the unit, instead of the pull request as the unit. This will take more time to scan each repository.
[Historical cutoff] The definition is not clear, and fetching the attestation is impossible.

Some situations of the pull request when the user provides a commit SHA:
The check will consider the commit only, instead of the entire PR. For example, the PR has been approved, then one user merged the target commit into the main branch. This merge is not further approved. The check will consider that this commit has not been approved yet.

  • Raised by User, Merged by User, but not Approved
  • Raised by Bot, Merged by User, and Approved by User

The design rule based on these situations:

  • When the commit is merged or raised by a bot, the check will not analyse the commit.
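The rules above (merged-and-approved ratio, bot exclusion, branch filter, and the commit-only judgement when a commit SHA is given), written out as an added example that is not the PR's or macaron's own code. The GraphQL query uses field names from the GitHub v4 schema but is not executed here; the `SAMPLE_PRS` records are constructed to mimic the `pullRequests.nodes` part of its response so the example runs offline. The `BOT_LOGINS` set, the "self-approval never counts" rule and the `is_bot`/`two_person_review_rate` names are assumptions of this example.

```python
"""Two-person review rate over merged PRs (added example, not macaron's code)."""
from __future__ import annotations

from typing import Any

# Query for the data the check needs (GitHub GraphQL v4 field names; this
# example does not send it, and a real client must paginate on pageInfo).
PR_QUERY = """
query($owner: String!, $name: String!, $base: String, $cursor: String) {
  repository(owner: $owner, name: $name) {
    pullRequests(first: 100, states: MERGED, baseRefName: $base, after: $cursor) {
      pageInfo { hasNextPage endCursor }
      nodes {
        number baseRefName headRefOid
        author { __typename login }
        mergedBy { __typename login }
        mergeCommit { oid }
        reviews(first: 100, states: APPROVED) {
          nodes { author { login } commit { oid } }
        }
      }
    }
  }
}
"""

# Logins treated as bots besides GitHub's `Bot` actor type (constructed list).
BOT_LOGINS = {"dependabot[bot]", "renovate[bot]"}


def is_bot(actor: dict[str, Any] | None) -> bool:
    """True for a deleted/missing actor, a Bot-typed actor, or a known bot login."""
    if actor is None:
        return True
    return actor.get("__typename") == "Bot" or actor.get("login") in BOT_LOGINS


def approved_commits(pr: dict[str, Any]) -> set[str]:
    """Commits with an APPROVED review from someone other than the PR author.

    Assumption of this example: a self-approval is not a second person.
    """
    author = (pr.get("author") or {}).get("login")
    return {
        review["commit"]["oid"]
        for review in pr["reviews"]["nodes"]
        if review["author"]["login"] != author
    }


def two_person_review_rate(
    prs: list[dict[str, Any]], branch: str | None = None, commit_sha: str | None = None
) -> tuple[int, int]:
    """Return (approved, considered) over the merged PRs that the rules keep.

    PRs raised or merged by a bot are skipped.  With `branch`, only PRs merged
    into that base branch count.  With `commit_sha`, only that commit is judged:
    an approval given on the PR head does not cover the merge commit.
    """
    approved = considered = 0
    for pr in prs:
        if branch is not None and pr["baseRefName"] != branch:
            continue
        if is_bot(pr["author"]) or is_bot(pr["mergedBy"]):
            continue
        if commit_sha is None:
            considered += 1
            approved += bool(approved_commits(pr))
        elif commit_sha in (pr["headRefOid"], pr["mergeCommit"]["oid"]):
            considered += 1
            approved += commit_sha in approved_commits(pr)
    return approved, considered


def rate(approved: int, considered: int) -> float | None:
    """The ratio from the rules above; None when nothing was considered."""
    return approved / considered if considered else None


def _pr(number, base, author, merger, head, merge, reviews):
    """Build one constructed record shaped like a pullRequests.nodes entry."""
    return {
        "number": number, "baseRefName": base, "headRefOid": head,
        "author": author, "mergedBy": merger, "mergeCommit": {"oid": merge},
        "reviews": {"nodes": [{"author": {"login": who}, "commit": {"oid": oid}}
                              for who, oid in reviews]},
    }


USER = lambda login: {"__typename": "User", "login": login}  # noqa: E731
BOT = {"__typename": "Bot", "login": "dependabot[bot]"}

SAMPLE_PRS = [  # constructed sample data
    _pr(1, "main", USER("alice"), USER("bob"), "a1a1", "m1m1", [("bob", "a1a1")]),
    _pr(2, "main", BOT, USER("alice"), "a2a2", "m2m2", [("alice", "a2a2")]),
    _pr(3, "main", USER("carol"), USER("carol"), "a3a3", "m3m3", []),
    _pr(4, "dev", USER("alice"), USER("bob"), "a4a4", "m4m4", [("bob", "a4a4")]),
]

if __name__ == "__main__":
    print("main:", rate(*two_person_review_rate(SAMPLE_PRS, branch="main")))
    print("all branches:", rate(*two_person_review_rate(SAMPLE_PRS)))
    print("merge commit m1m1:", rate(*two_person_review_rate(SAMPLE_PRS, commit_sha="m1m1")))
```

On the sample data the bot-raised PR #2 is dropped entirely, so `main` yields 1 approved out of 2 considered, while the merge commit `m1m1` of the approved PR #1 is reported as not approved because the only review was given on its head `a1a1`, exactly the case the description calls out.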

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Sep 28, 2023
@Yao-Wen-Chang Yao-Wen-Chang marked this pull request as draft September 29, 2023 00:21
@Yao-Wen-Chang Yao-Wen-Chang marked this pull request as ready for review October 3, 2023 07:08
@Yao-Wen-Chang Yao-Wen-Chang marked this pull request as draft October 5, 2023 23:21
@Yao-Wen-Chang Yao-Wen-Chang closed this by deleting the head repository May 14, 2024