From c8ab805f2ca37afc03a2ac8f0976024f91aa9acd Mon Sep 17 00:00:00 2001 From: Thomas Jung <12159356+jung-thomas@users.noreply.github.com> Date: Mon, 1 Jun 2026 12:24:38 -0400 Subject: [PATCH] fix(ospo): drop bot bypass actor (org policy rejects it) The original OSPO hardening PR (#22) added a narrow PR-merge bypass for Integration 15368 (github-actions[bot]) so news-sync's PRs could self-merge. When attempting to import the ruleset via 'gh api PUT', the SAP-samples org rejected it: Validation Failed (HTTP 422) 'Actor GitHub Actions integration must be part of the ruleset source or owner organization' The org doesn't whitelist Integration 15368 as a permitted bypass actor at the repo level. Rather than file an OSPO ticket and wait, this commit drops the bypass entirely. Net effect: - No actor (admin or bot) can bypass the main ruleset - news-sync still opens a PR and arms 'gh pr merge --auto', but a maintainer must approve it before the auto-merge fires - OSPO Hardening Control 5 still passes (no bypass = stricter posture) CLAUDE.md updated to reflect 'human-in-the-loop' for automated PRs. This file change must merge before the corrected ruleset is PUT to the server (which is the operational step that activates the new posture). --- .github/rulesets/main-protection.json | 4 +--- CLAUDE.md | 2 +- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/rulesets/main-protection.json b/.github/rulesets/main-protection.json index 8f94e45..d3a00a2 100644 --- a/.github/rulesets/main-protection.json +++ b/.github/rulesets/main-protection.json @@ -31,7 +31,5 @@ } } ], - "bypass_actors": [ - {"actor_id": 15368, "actor_type": "Integration", "bypass_mode": "pull_request"} - ] + "bypass_actors": [] } diff --git a/CLAUDE.md b/CLAUDE.md index aeab330..e57a820 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -230,7 +230,7 @@ gh release edit vX.Y.Z --draft=false --latest --notes "release notes here" 3. `sign-windows.yml` (workflow_run on Tray success, env: `signing`) → **pauses for required-reviewer approval** (OSPO gate), then Authenticode-signs Windows `.exe` binaries via SignPath.io and publishes the release (best-effort) 4. Manual: `gh release edit --draft=false` only needed if signing is skipped — otherwise the signing job publishes automatically after approval -**OSPO compliance:** `main` is protected by ruleset (`main-protection`: requires PR + CI `test` check, blocks force-push and deletion). Admins **cannot** bypass — every change to `main` goes through a PR with one approving review and a passing `test` check. The `github-actions[bot]` integration has a narrow `pull_request`-mode bypass so automated PRs (notably `news-sync`) can self-merge once their `test` check passes; it cannot push directly to `main`. Workflows that touch secrets or publish artifacts run in named environments: `release`, `signing` (required reviewer = repo admin), `news-sync`. SignPath secrets and `YOUTUBE_API_KEY` should be scoped to their respective environments rather than the org/repo level. Ruleset spec: [.github/rulesets/main-protection.json](.github/rulesets/main-protection.json). +**OSPO compliance:** `main` is protected by ruleset (`main-protection`: requires PR + CI `test` check, blocks force-push and deletion). **No actor — including admins and `github-actions[bot]` — can bypass.** Every change to `main` goes through a PR with one approving review and a passing `test` check. Automated PRs (notably `news-sync`) open the PR and arm `gh pr merge --auto`; a maintainer must approve them, and the merge then fires automatically. (The SAP-samples org doesn't allow Integration `github-actions[bot]` as a bypass actor at the repo level, so the bot cannot self-merge — that's why a human approval is in the loop.) 
Workflows that touch secrets or publish artifacts run in named environments: `release`, `signing` (required reviewer = repo admin), `news-sync`. SignPath secrets and `YOUTUBE_API_KEY` should be scoped to their respective environments rather than the org/repo level. Ruleset spec: [.github/rulesets/main-protection.json](.github/rulesets/main-protection.json). **Artifacts per release:** CLI binaries (linux/amd64, linux/arm64, darwin/amd64, darwin/arm64, windows/amd64) + tray binaries (linux/amd64, darwin/arm64, windows/amd64) + checksums + tray-checksums + Scoop manifest + Homebrew cask.
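Review bot: the `"bypass_actors": []` hunk in `.github/rulesets/main-protection.json` closes every rule-evaluation bypass, but it does nothing about who can change the rule itself: a repository admin can still edit, deactivate or delete a repo-level ruleset through the UI or the rulesets API, so the commit message's "No actor (admin or bot) can bypass the main ruleset" is true for pushes and PR merges, not for loosening the ruleset. If admins are meant to be locked out too, that only holds when the same rules are imposed by an org-level ruleset, and the file (or CLAUDE.md) should say which of the two is in force. Also, since this file is only the spec and the `gh api PUT` is what activates it, it is worth adding a post-import check that the server copy matches the file (e.g. fetch it back with `gh api repos/<owner>/<repo>/rulesets/<id>` and diff the `bypass_actors` and `rules` against `main-protection.json`); a drift between the two is exactly the case where the doc would claim a posture that is not live.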
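Review bot: the new "**OSPO compliance:**" line in the CLAUDE.md hunk states the no-bypass posture in the present tense, while the commit message says the corrected ruleset is PUT to the server only after this merges, so for the window between merge and import the doc overstates what is enforced. Suggest one sentence in the paragraph making the JSON the spec and the imported ruleset the live copy, with the re-import step named, so a reader knows which to trust. Two operational details the `news-sync` sentence should carry, because the flow now depends on them: `gh pr merge --auto` only works when "Allow auto-merge" is enabled in the repository settings, and if the ruleset is configured to dismiss stale approvals on new pushes, a maintainer approval given before the bot's last push will not satisfy the rule and the auto-merge will not fire. Finally, "No actor ... can bypass" should be qualified the same way as the ruleset file: it covers merges and pushes, not an admin editing the ruleset.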