From b836065b0bc8bb59533d78a7ea60b550071e9748 Mon Sep 17 00:00:00 2001 From: Mihai Maruseac Date: Sat, 20 Apr 2024 16:50:28 -0700 Subject: [PATCH] Discuss when to run actions Signed-off-by: Mihai Maruseac --- guides/github.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/guides/github.md b/guides/github.md index fc2c875d..cfb6d812 100644 --- a/guides/github.md +++ b/guides/github.md @@ -7,6 +7,15 @@ At least for critical packages, administrators should enable branch protection. Require CI to pass before merging to the main branch. Allow only repository owners to merge PRs. +> [!WARNING] +> It is recommended to run workflows only after the PR has been reviewed. The +> "Require approval for all outside collaborators" setting is the recommended +> one. However, this can cause friction in repositories with a high number of +> PRs but small number of contributors. In this case, if all contributors are +> trusted, "Require approval for first-time contributors" is a valid option, +> but dedicate more efforts to separate sensitive steps into workflows that +> can only run after approval. + It is ideal to require PR reviews before merging. For security critical packages, having at least two reviewers is ideal, as this alleviates the risk of sock-puppet accounts.
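Review bot: The warning names two GitHub settings by their menu labels but never says where they live or what they actually gate, which is the logic a reader needs to judge the trade-off: both settings sit under the repository's Actions settings for fork pull request workflows, and they only govern workflows triggered by pull requests from forks, so a workflow triggered by a push from a trusted collaborator runs without any approval regardless of which option is chosen. Consider adding one sentence to that effect, and the closing advice "dedicate more efforts to separate sensitive steps into workflows that can only run after approval" should name the mechanism it has in mind (for example an environment with required reviewers), since the text otherwise gives no way to act on it. Two wording nits in the same block: "high number of PRs but small number of contributors" reads better as "but a small number of contributors", and "dedicate more efforts" should be "dedicate more effort".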