I've noticed that on at least some (maybe all?) of our repos PRs can
be and are being merged without any approving code reviews. We have
enough active developers that this shouldn't be necessary. This feels
increasingly important given the active state-sponsored supply chain
attacks on many open source projects.
We could add something like this to .asf.yaml to guarantee code reviews:
protected_branches:
  main:
    required_status_checks:
      # strict means "Require branches to be up to date before merging".
      strict: true
    required_pull_request_reviews:
      require_last_push_approval: true
      required_approving_review_count: 1
Contrary to what has been asserted in the past, this is not a veto. It
does not require authors to get approval from all reviewers, or
prevent merging PRs where one or more reviewers have requested
changes. It simply requires one other person to approve the PR. That's
what we do anyway 90%+ of the time and should be a low enough bar to
clear for anything important.
--
Elliotte Rusty Harold
[email protected]
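An added example (not from the message above, and not ASF infrastructure's own tooling) of how a project could check, in CI or a pre-commit hook, that the .asf.yaml stanza proposed above actually keeps the approving-review requirement in place. It assumes the key names exactly as written in the proposal and parses only the small YAML subset that stanza uses (nested mappings of `key: value` lines with `#` comments); both sample configurations are constructed here for illustration, and a real check would load the file with a full YAML parser.

```python
import re

# Constructed sample: the stanza proposed in the message above, assumed to be
# the complete protected_branches section of .asf.yaml.
PROPOSED_ASF_YAML = """\
protected_branches:
  main:
    required_status_checks:
      # strict means "Require branches to be up to date before merging".
      strict: true
    required_pull_request_reviews:
      require_last_push_approval: true
      required_approving_review_count: 1
"""

# Constructed counter-example: a stanza that lists the branch as protected but
# still lets a PR merge with zero approving reviews.
WEAK_ASF_YAML = """\
protected_branches:
  main:
    required_pull_request_reviews:
      required_approving_review_count: 0
"""


def _scalar(value):
    """Convert YAML-style booleans and integers; leave anything else a string."""
    low = value.lower()
    if low in ("true", "yes"):
        return True
    if low in ("false", "no"):
        return False
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    return value


def parse_simple_yaml(text):
    """Parse the YAML subset used by the stanza: nested mappings built from
    space-indented `key: value` lines, with `#` comments stripped.
    (Hypothetical helper for this example; it does not handle lists,
    quoted strings containing '#', or multi-line scalars.)"""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Close any mappings that are indented at least as deep as this line.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = _scalar(value)
    return root


def review_policy_findings(config, branch="main", min_approvals=1):
    """Return the reasons why `branch` could still be merged to without an
    approving review. An empty list means the proposed policy holds."""
    findings = []
    branches = config.get("protected_branches")
    if not isinstance(branches, dict) or branch not in branches:
        return [f"{branch} is not listed under protected_branches"]
    rules = branches[branch] or {}
    reviews = rules.get("required_pull_request_reviews")
    if not isinstance(reviews, dict):
        return [f"{branch}: required_pull_request_reviews is missing"]
    count = reviews.get("required_approving_review_count", 0)
    if not isinstance(count, int) or count < min_approvals:
        findings.append(f"{branch}: required_approving_review_count is "
                        f"{count}, need at least {min_approvals}")
    if reviews.get("require_last_push_approval") is not True:
        findings.append(f"{branch}: require_last_push_approval is not true, "
                        "so commits pushed after approval would not need re-review")
    status = rules.get("required_status_checks") or {}
    if status.get("strict") is not True:
        findings.append(f"{branch}: required_status_checks.strict is not true")
    return findings


if __name__ == "__main__":
    for label, text in (("proposed", PROPOSED_ASF_YAML), ("weak", WEAK_ASF_YAML)):
        problems = review_policy_findings(parse_simple_yaml(text))
        print(label, "OK" if not problems else "\n  ".join(["FAIL"] + problems))
```

The check treats a missing key the same as a weak value, which is the failure mode that matters here: a branch that is listed under protected_branches but has no review requirement still merges without approval, so the report has to say why rather than just whether the branch appears.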
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]