Do not enforce branch protection in Headlamp #34950
Conversation
Signed-off-by: Joaquim Rocha <[email protected]>
k8s-ci-robot
added
the
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: joaquimrocha The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Welcome @joaquimrocha! |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @joaquimrocha. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
size/XS
k8s-ci-robot
requested review from
cblecker,
chases2,
MadhavJivrajani and
Priyankasaggu11929
|
We don't typically allow this, as we enforce things like the CLA on all branches. Are you just trying to purge some branches? |
|
The way we were developing when we were a CNCF Sandbox project was that we'd just create new branches in the main repo (development directly in the main repo, which is a common use-case I believe), and when these were merged, we'd delete them. We had lots of WIP and left over branches which we were supposed to spring clean for a while but hadn't done it yet. With the current enforcement, I'd have to go branch by branch in Github (or use the rest API) to stop the protection in order to delete it. Besides, we had to change the way we were developing and lots the fact that anyone in the team could just push to existing PR branches. To overcome this we even created a new fork of Headlamp so we all share the ability to push. Yet, the CI actions we got keeps failing because if something goes wrong and we re-run it, the temporary branches already exist and as a result every release is being problematic. I believe enforcing the CLA for PRs is fine but we are not allowed to force push nor delete regardless of the branch and I think this only makes sense for the main branch in our case. What is the rationale behind preventing force-push/delete on "non-static" branches? |
|
We have done a PoC previously on "feature branches" to allow for collaborative development in the main repo, and it ended up not being a pattern that wasn't sustainable so support was discontinued. The typical development flow is to have a personal fork of the repo, and then PR from that personal fork into the kubernetes project repo. /ok-to-test |
k8s-ci-robot
added
do-not-merge/hold
I understand this from external contributors (external to a core team). But it does get in the way for a team, e.g. if we work in the same team and you open a PR from your personal fork, I cannot add commits to it. |
|
FWIW ...
You can set your fork to allow others to collaborate in a branch, Kubernetes contributors do this all the time because we're not going to let the 1000s of contributors create upstream branches and we need to be pretty careful with the core repo especially... Upstream branches are "official" and people can construe them as reflecting the project, so aside from attempting to ensure things like CLA it's just better to do this externally. You can also do: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork to allow repo maintainers to push to your PR branch specifically, this is a checkbox when creating a PR. |
I have not suggested projects should open the branches to 1000s of contributors. I suggested the Headlamp project remove the branch protections (except for the one branch that is valuable in our project: main) so the (very small) core team uses it for contributing, as it already has its permissions set in the mechanisms that Kubernetes promotes. We also already have a fork as I said, but having a fork like that means that now I have to manage the same team in two places: the official repo + the fork. Besides not solving the problem we currently have which is releases failing because of this branch protection. I wish projects could decide to change the default policies when security is not a concern. Nonetheless, I will abide and will close this PR + open one that removes the protection for individual branches. Thanks. |
|
@BenTheElder , BTW this is the new one: |
Never said you did. My point was that we of course can't for Kubernetes/Kubernetes, and we've found that there are plenty of alternatives.
It's as much compliance (IE enforcing the CLA) as security. Our projects have to abide by the CLA and also policies like https://github.com/cncf/foundation/blob/40bdbe8c908df30ab948e195049b77a404c81a89/policies-guidance/allowed-third-party-license-policy.md Where possible enforcement is automated, given the 100s of repos we're hosting. |
|
No worries. The new PR should hopefully allow us to skip the problems for CI-created branches while keeping the protections for the rest. |
In Headlamp we only have one branch where preventing force push makes sense. That's the main one.
All the rest we would like to force push and even to delete them since lots of branches were carried over from when we moved the repo and they are WIP or already merged ones.
I am not sure if this config is the correct way. I did read the source code for the prow and seems like it should work, but let me know otherwise.