Makes a lot of sense to me, +1

Romain Manni-Bucau
@rmannibucau <https://x.com/rmannibucau> | .NET Blog
<https://dotnetbirdie.github.io/> | Blog <https://rmannibucau.github.io/> | Old
Blog <http://rmannibucau.wordpress.com> | Github
<https://github.com/rmannibucau> | LinkedIn
<https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/en-us/product/java-ee-8-high-performance-9781788473064>
Javaccino founder (Java/.NET service - contact via linkedin)

On Fri, 15 May 2026, 12:47, Elliotte Rusty Harold <[email protected]>
wrote:

> I've noticed that on at least some (maybe all?) of our repos PRs can
> be and are being merged without any approving code reviews. We have
> enough active developers that this shouldn't be necessary. This feels
> increasingly important given the active state sponsored supply chain
> attacks on many open source projects.
>
> We could add something like this to .asf.yaml to guarantee code reviews:
>
>   protected_branches:
>     main:
>       required_status_checks:
>         # strict means "Require branches to be up to date before merging".
>         strict: true
>       required_pull_request_reviews:
>         require_last_push_approval: true
>         required_approving_review_count: 1
>
> Contrary to what has been asserted in the past, this is not a veto. It
> does not require authors to get approval from all reviewers, or
> prevent merging PRs where one or more reviewers have requested
> changes. It simply requires one other person to approve the PR. That's
> what we do anyway 90%+ of the time and should be a low enough bar to
> clear for anything important.
>
> --
> Elliotte Rusty Harold
> [email protected]
>

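As an added example that is not part of the thread, nor code from ASF infrastructure: a small Python lint that reads the `protected_branches` block quoted above and names the branches that can still be merged without an approving review. The parser handles only the YAML subset that block uses (nested mappings, `#` comments, scalar leaves), so it runs with the standard library alone; for real `.asf.yaml` files, load them with PyYAML instead. The function names and both sample configs are my own construction.

```python
def _scalar(value):
    """Booleans, ints and plain text: the only scalar forms the block uses."""
    if value in ("true", "false"):
        return value == "true"
    return int(value) if value.isdigit() else value

def parse_mapping(text):
    """Parse indentation-based nested mappings (a YAML subset) into dicts."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # close levels nested deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = _scalar(value.strip())
        else:
            parent[key] = child = {}
            stack.append((indent, child))
    return root

def review_gaps(config, min_reviews=1):
    """Protected branches that can still be merged without an approving review."""
    gaps = []
    for branch, rules in (config.get("protected_branches") or {}).items():
        reviews = (rules or {}).get("required_pull_request_reviews") or {}
        if reviews.get("required_approving_review_count", 0) < min_reviews:
            gaps.append(branch)
    return gaps

# Constructed sample: the block proposed in the thread.
STRICT_CONFIG = """
protected_branches:
  main:
    required_status_checks:
      # strict means "Require branches to be up to date before merging".
      strict: true
    required_pull_request_reviews:
      require_last_push_approval: true
      required_approving_review_count: 1
"""
# Same block with the review requirement removed: only status checks remain,
# which is the state the thread complains about (merges without any approval).
WEAK_CONFIG = STRICT_CONFIG.split("    required_pull_request_reviews")[0]
```

Running `review_gaps(parse_mapping(WEAK_CONFIG))` reports `['main']`, while the strict block reports no gaps; raising `min_reviews` lets the same check enforce a higher bar per repository.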