
fix(ospo): drop bot bypass actor (org policy rejects it)#23

Merged
jung-thomas merged 1 commit into main from ospo-bypass-fix-2026-06
Jun 1, 2026

Conversation

@jung-thomas

Contributor

Why

While operationalising PR #22 (OSPO hardening), the `gh api PUT` to import the new ruleset was rejected:

Validation Failed (HTTP 422)
"Actor GitHub Actions integration must be part of the ruleset source or owner organization"

The SAP-samples org doesn't whitelist Integration 15368 (`github-actions[bot]`) as a permitted bypass actor at the repo level. The PR #22 ruleset JSON committed to the repo is therefore unimportable as-is.

What this PR does

  1. .github/rulesets/main-protection.json — drops the bypass actor entirely (`bypass_actors: []`). No actor — admin or bot — can bypass the rules.
  2. CLAUDE.md — OSPO compliance paragraph updated to reflect human-in-the-loop for automated PRs.

What this PR does NOT change

The `news-sync` workflow itself is unchanged. It still:

  • Opens a PR via `gh pr create` (works fine — opening a PR doesn't require bypass)
  • Calls `gh pr merge --auto --squash` (works fine — `--auto` arms auto-merge, then waits for the required approving review and the `test` check to land before firing)

The net behaviour after this lands + the ruleset is imported: news-sync opens a PR every 12h with a content update; a maintainer reviews and approves; the merge fires automatically.

OSPO posture

Deployment ordering

  1. Merge this PR.
  2. `gh api -X PUT repos/SAP-samples/sap-devs-cli/rulesets/16758335 --input .github/rulesets/main-protection.json` to import the corrected ruleset. Will succeed this time (no rejected bypass actor).
  3. Verify by trying to push directly to main — must be rejected.
  4. Trigger `news-sync.yml` once and confirm it opens a PR (which then sits awaiting human approval).

Rollback

`git revert` this PR's merge commit; the previous bypass-with-bot version is one revert away.
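A pre-import check for the posture this PR describes, added here as an example and not code from the repository: it loads a ruleset in the GitHub REST ruleset format and reports anything that would weaken the no-bypass, human-approval posture before the `gh api PUT` is run. The sample ruleset is constructed; actor id 15368 and the `test` check come from the PR text, the other rule parameters are assumptions.

```python
import json

# Constructed sample in the GitHub REST ruleset format: the shape the PR
# describes for the PR #22 version (bot bypass actor 15368). Rule parameters
# are assumptions for illustration, not the repository's committed file.
RULESET_WITH_BOT_BYPASS = json.loads("""
{
  "name": "main-protection",
  "target": "branch",
  "enforcement": "active",
  "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"]}},
  "rules": [
    {"type": "deletion"},
    {"type": "non_fast_forward"},
    {"type": "pull_request",
     "parameters": {"required_approving_review_count": 1}},
    {"type": "required_status_checks",
     "parameters": {"strict_required_status_checks_policy": true,
                    "required_status_checks": [{"context": "test"}]}}
  ],
  "bypass_actors": [
    {"actor_id": 15368, "actor_type": "Integration", "bypass_mode": "pull_request"}
  ]
}
""")

def audit_ruleset(ruleset, required_contexts=("test",)):
    """Return findings that weaken the posture; an empty list means safe to PUT."""
    findings = []
    if ruleset.get("enforcement") != "active":
        findings.append("enforcement is not 'active'")
    # Any bypass actor at all (admin or bot) is a finding under this PR's policy.
    for actor in ruleset.get("bypass_actors", []):
        findings.append(f"bypass actor present: {actor.get('actor_type')} "
                        f"{actor.get('actor_id')} ({actor.get('bypass_mode')})")
    rules = {r["type"]: r.get("parameters", {}) for r in ruleset.get("rules", [])}
    if rules.get("pull_request", {}).get("required_approving_review_count", 0) < 1:
        findings.append("pull_request rule missing or requires no approving review")
    checks = rules.get("required_status_checks", {}).get("required_status_checks", [])
    present = {c["context"] for c in checks}
    for ctx in required_contexts:
        if ctx not in present:
            findings.append(f"required status check '{ctx}' missing")
    for rule_type in ("deletion", "non_fast_forward"):
        if rule_type not in rules:
            findings.append(f"rule '{rule_type}' missing")
    return findings

def fixed_ruleset(ruleset):
    """Apply this PR's change: drop every bypass actor, keep everything else."""
    return {**ruleset, "bypass_actors": []}
```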

The original OSPO hardening PR (#22) added a narrow PR-merge bypass for
Integration 15368 (github-actions[bot]) so news-sync's PRs could self-merge.
When attempting to import the ruleset via 'gh api PUT', the SAP-samples
org rejected it:

  Validation Failed (HTTP 422)
  'Actor GitHub Actions integration must be part of the ruleset source
   or owner organization'

The org doesn't whitelist Integration 15368 as a permitted bypass
actor at the repo level. Rather than file an OSPO ticket and wait,
this commit drops the bypass entirely. Net effect:

- No actor (admin or bot) can bypass the main ruleset
- news-sync still opens a PR and arms 'gh pr merge --auto', but a
  maintainer must approve it before the auto-merge fires
- OSPO Hardening Control 5 still passes (no bypass = stricter posture)

CLAUDE.md updated to reflect 'human-in-the-loop' for automated PRs.

This file change must merge before the corrected ruleset is PUT to
the server (which is the operational step that activates the new
posture).
@jung-thomas jung-thomas merged commit 36f44ba into main Jun 1, 2026
3 checks passed
@jung-thomas jung-thomas deleted the ospo-bypass-fix-2026-06 branch June 1, 2026 16:31