chore: eject repo policy compliance #665
Conversation
yanksyoon
requested review from
cbartz,
javierdelapuente and
yhaliaw
as code owners
cbartz
left a comment
cbartz
left a comment
There was a problem hiding this comment.
Thank you!
Some comments, mostly on the docs:
- Could we clarify the term "external contributor"? We have the special case that bot accounts like renovate with
push_allowanceare allowed to run on internal prs, although not being Collaborator,member or admin - I think LXD docs don't need to be updated, because the lxd-mode charm will still install repo policy using pip
Can you also please update the PR description and ask @erinecon for reviewing the docs?
There was a problem hiding this comment.
I think we have not touched the code for lxd (as it lives in a legacy branch), so the lxd-mode charm will still install repo policy using pip and install locally, no ?
Therefore I think it is not necessary to modify the lxd docs in this PR.
TICS Quality Gate❌ FailedThe following errors have occurred during analysis:❌ [ERROR 5333] Project database 'github-runner-operator' already is connected to a started TICSQServer process that has not registered a stop time. To avoid data corruption, analysis is aborted. Details of the other TICSQServer process: started at 2025-11-27 14:31:37.000 by user ubuntu. .github/workflows/tics.yaml / TICS / TICS GitHub Action |
erinecon
left a comment
erinecon
left a comment
There was a problem hiding this comment.
Thanks for updating the documentation! A few comments on my side
|
|
||
| - Only register the GitHub self-hosted runners to a trusted organization or repository so that only workflows from trusted users are able to run on the runners. | ||
| - For outside collaborators: Use the [`repo-policy-compliance` charm](https://charmhub.io/repo-policy-compliance) with [policy for outside collaborators](https://charmhub.io/github-runner/docs/how-to-comply-security#working-with-outside-collaborators) to ensure the code executed in runners are reviewed by a trusted user. | ||
| - For outside collaborators: Use the `allow-external-contributor` configuration option (set to `false`) to restrict workflow execution to users with COLLABORATOR, MEMBER, or OWNER status. This prevents unauthorized code execution from untrusted external contributors. |
There was a problem hiding this comment.
Seems like "untrusted" has made Vale unhappy, I recommend adding it to accept.txt
| 1. External contributors create pull requests as usual | ||
| 2. A repository maintainer with COLLABORATOR, MEMBER, or OWNER status reviews the code | ||
| 3. If the code is safe, the maintainer can: | ||
| - Approve and merge the pull request to another branch (workflows will run with the maintainer's permissions) |
There was a problem hiding this comment.
maintainer's is another word to add to accept.txt, unless you want to work around it:
| - Approve and merge the pull request to another branch (workflows will run with the maintainer's permissions) | |
| - Approve and merge the pull request to another branch (workflows will run with the permissions of the maintainer) |
| - `OWNER` - Repository or organization owners | ||
| - `MEMBER` - Organization members | ||
| - `COLLABORATOR` - Users with explicit collaborator access |
There was a problem hiding this comment.
| - `OWNER` - Repository or organization owners | |
| - `MEMBER` - Organization members | |
| - `COLLABORATOR` - Users with explicit collaborator access | |
| - OWNER - Repository or organization owners | |
| - MEMBER - Organization members | |
| - COLLABORATOR - Users with explicit collaborator access |
To be consistent with the rest of the documentation
|
|
||
| ### Disabling external contributor access | ||
|
|
||
| To prevent external contributors from triggering workflows: |
There was a problem hiding this comment.
| To prevent external contributors from triggering workflows: | |
| To prevent external contributors from triggering workflows, run: |
Alternate suggestion:
| To prevent external contributors from triggering workflows: | |
| Prevent external contributors from triggering workflows: |
| - `OWNER` - Repository or organization owners | ||
| - `MEMBER` - Organization members | ||
| - `COLLABORATOR` - Users with explicit collaborator access |
There was a problem hiding this comment.
| - `OWNER` - Repository or organization owners | |
| - `MEMBER` - Organization members | |
| - `COLLABORATOR` - Users with explicit collaborator access | |
| - OWNER - Repository or organization owners | |
| - MEMBER - Organization members | |
| - COLLABORATOR - Users with explicit collaborator access |
| - `MEMBER` - Organization members | ||
| - `COLLABORATOR` - Users with explicit collaborator access | ||
|
|
||
| ### Enabling external contributor access |
There was a problem hiding this comment.
| ### Enabling external contributor access | |
| ### Enable external contributor access |
| - `pull_request_review_comment` - Comments on pull request diffs from external contributors | ||
| - `issue_comment` - Comments on issues or pull requests from external contributors | ||
|
|
||
| ### Disabling external contributor access |
There was a problem hiding this comment.
| ### Disabling external contributor access | |
| ### Disable external contributor access |
| 1. Set `allow-external-contributor=false` | ||
| 2. Review repository collaborator permissions | ||
| 3. Check for any bypass rules in branch protection settings | ||
| 4. Audit recent workflow runs in the GitHub Actions tab |
There was a problem hiding this comment.
This doesn't seem like how-to material to me. A how-to guide should provide task-based instructions for accomplishing a goal, and this information seems more like explanation or reference material.
I recommend moving the ## Recommended security practices section into the Security document, and the ## Troubleshooting section into a standalone # How to troubleshoot type of document.
There was a problem hiding this comment.
Seems like this comment got messed up. To be totally clear, the material I'm referring to is the ## Recommended security practices and ## Troubleshooting sections (currently lines 43-92)
| ## 2025-12-01 | ||
|
|
||
| - Added timeouts to API calls (Openstack,GitHub,Repo policy compliance) to fix a hanging GitHub runner manager application. | ||
| - Added timeouts to API calls (Openstack,GitHub,Repo policy compliance) to fix a hanging GitHub runner manager application. |
There was a problem hiding this comment.
| - Added timeouts to API calls (Openstack,GitHub,Repo policy compliance) to fix a hanging GitHub runner manager application. | |
| - Added timeouts to API calls (OpenStack, GitHub, Repo policy compliance) to fix a hanging GitHub runner manager application. |
To make Vale happy
Applicable spec:
Overview
Rationale
Juju Events Changes
Module Changes
Library Changes
Checklist
urgent,trivial,complex).github-runner-manager/pyproject.toml.