Skip to content

feat: implement two-person reviewed check #492

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 12 commits into from
Closed

feat: implement two-person reviewed check #492

wants to merge 12 commits into from

Conversation

Yao-Wen-Chang
Copy link
Contributor

@Yao-Wen-Chang Yao-Wen-Chang commented Sep 28, 2023
edited
Loading

Reference #439 closed PR.

Rules for this check:

  • The rate of passing the SLSA Level 4 two-person reviewed is define by " number_of_merged_and_approved_PRs / number_of_merged_PRs".
  • Excluding the situation of auto-merged by the dependent bot.
  • Check the PRs of the branch specified by the users. If the branch is not provided by the users, the check will apply to all branches.

This Graphql API is implemented in this check.

Exception for this check is required to be defined:

  • [First-parent history] In the case of a non-linear version control system, where a revision can have more than one parent, only the “first parent history” is in scope. In other words, when a feature branch is merged back into the main branch, only the merge itself is in scope.
  • [Historical cutoff] There is some TBD exception to allow existing projects to meet SLSA 3/4 even if historical revisions were present in the history. Current thinking is that this could be either last N months or a platform attestation guaranteeing that future changes in the next N months will meet the requirements.

Both the requirements listed are specified in SLSA requirement.
However, consider efficiency and achievability, the check will not consider these two exception in this moment.
[First-parent history] is required to check the commit as an unit, instead of the pull request as an unit. This will take more time to scan each repository.
[Historical cutoff] the definition is not clear, and fetching the attestation is impossible.

Some situations of the pull request when user provided commit-sha:
The check will consider the commit only instead of the entire pr. For example, the pr has been approved, then one user merged the target commit into the main branch. This merge is not further approved. The check will consider this commit has not been approved yet.

  • Raised by User, Merged by User, but not be Approved
  • Raised by Bot, Merged by User, and Approved by User

The design rule based on the situation:

  • When the commit is merged or raise by the bot, the check will not analyse the commit.

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Sep 28, 2023
@Yao-Wen-Chang Yao-Wen-Chang marked this pull request as draft September 29, 2023 00:21
@Yao-Wen-Chang Yao-Wen-Chang mentioned this pull request Sep 29, 2023
Closed
@Yao-Wen-Chang Yao-Wen-Chang marked this pull request as ready for review October 3, 2023 07:08
@Yao-Wen-Chang Yao-Wen-Chang marked this pull request as draft October 5, 2023 23:21
@Yao-Wen-Chang
feat: implement two-person reviewed check
77faaf8 
Signed-off-by: Yao-Wen Chang <[email protected]>
@Yao-Wen-Chang
fix: import Any type
4fb191b 
Signed-off-by: Yao-Wen Chang <[email protected]>
@Yao-Wen-Chang
fix: foreign key in two-person check
f36abab 
Signed-off-by: Yao-Wen Chang <[email protected]>
@Yao-Wen-Chang
fix: temp delete two-person check test Failed
f35ba95 
Signed-off-by: Yao-Wen Chang <[email protected]>
@Yao-Wen-Chang
fix: change the logic in the check
f9557ea 
Signed-off-by: Yao-Wen Chang <[email protected]>
@Yao-Wen-Chang
fix: modify expected result from integration test
2f4b522 
Signed-off-by: Yao-Wen Chang <[email protected]>
@Yao-Wen-Chang
fix: moving to graphql in two-person check
544c531 
Signed-off-by: Yao-Wen Chang <[email protected]>
@Yao-Wen-Chang
fix: modify expected result
2380be6 
Signed-off-by: Yao-Wen Chang <[email protected]>
@Yao-Wen-Chang
fix: delete unused import
a84102f 
Signed-off-by: Yao-Wen Chang <[email protected]>
@Yao-Wen-Chang
fix: filter merged by dependent bot
07207b1 
Signed-off-by: Yao-Wen Chang <[email protected]>
@Yao-Wen-Chang
fix: enable check based on the commit sha
5b36630 
Signed-off-by: Yao-Wen Chang <[email protected]>
@Yao-Wen-Chang
fix: check rule when the bot engage
48e1c45 
Signed-off-by: Yao-Wen Chang <[email protected]>
@Yao-Wen-Chang Yao-Wen-Chang closed this by deleting the head repository May 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@behnazh-w behnazh-w Awaiting requested review from behnazh-w behnazh-w is a code owner

@tromai tromai Awaiting requested review from tromai tromai is a code owner

Assignees
No one assigned
Labels
OCA Verified All contributors have signed the Oracle Contributor Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@Yao-Wen-Chang