Automatically sign a merge commit based on criteria

Hey,

I wonder if someone has looked into the following use-case:

We want to digitally "sign" all commits created on e.g. the master branch based on a number of criteria. These could be: approved by at least 1 reviewer, task list in PR completed, etc.

I know that these "rules" can be applied as project/repo configuration but we do have lots of repo admins that potentially can disable these checks and circumvent them. This is all captured in the audit log but it is usually too late if the commit has already hit the production system.

My idea is therefore to introduce an event listener that triggers on PR merged and in these cases runs the list of criteria on that PR and merge commit and, if it fulfills all of them, digitally signs the merge commit on the master branch. With this in place we can instruct our pipelines to only deploy changes that have passed these checks.

Has anyone implemented something similar? Or is there a better way to approach this (without revoking the repo admin permissions from people)?

We do have ScriptRunner for Bitbucket so any ideas or pointers implemented with Groovy are highly appreciated.

Cheers!

1 answer

Hi @Svante Gustafsson

Regarding your question around using ScriptRunner for Bitbucket for signed commits, would the existing built-in Pre Hook of Enforcing Trusted Commit Authors address your requirements?

https://scriptrunner.adaptavist.com/latest/bitbucket/PreReceiveHooks.html#_enforce_trusted_commit_authors

Also, regarding repo admins being able to disable these checks, the Enforce Trusted Commit Authors Pre Hook can be set up in the global admin area of Bitbucket, which I assume your repo admins do not have access to, thus preventing them from disabling the hook.

Please let me know if this helps, or if you require further assistance.

Kind regards,

Robert Giddings

Product Manager, ScriptRunner for Bitbucket

Hey Robert,

No, this is not what I am looking for.

I want to be able to sign a commit automatically based on a number of criteria.

The criteria can be (but are not limited to):

  • Only commits created on a certain branch, e.g. the master branch
  • Only merge commits, i.e. require a PR
  • Commit must have been approved by at least one reviewer

The reason we see this need is that even if we enforce e.g. the number of approvers to 1, it is possible for a repo admin to temporarily disable this, merge the PR without approvals and then re-enable the check.

This is an offending usage, I know, but we need to be able to prove that this has not happened to code in our production systems.

The idea here is to create an event listener that triggers on new commits and, based on the "conditions" above, signs the commit if all are true.

I guess it is possible to create a scripted listener doing this, but I am a bit concerned about the performance here. We are talking about 4,000-5,000 commits per day in our instance.

Any comments about this?

Cheers,

// Svante 

Hi @Svante Gustafsson ,

Please can I first point out that, in order to prevent repo admins from disabling your Require a number of approvals Merge Check, you can configure the Merge Check at the global admin level and have it configured to apply to repositories.

Repo admins would then not be able to disable the Merge Check.

Also, we now have better auditing for ScriptRunner for Bitbucket to help keep check of configuration changes: https://scriptrunner.adaptavist.com/latest/bitbucket/audit-logging.html

Finally, if you still require a custom solution here are a couple of pointers.

Here is an example Post Hook that records push traceability, which might be helpful for your needs and perhaps could be adapted: https://scriptrunner.adaptavist.com/latest/bitbucket/PostReceiveHooks.html#_push_traceability

From your requirements it looks like you will need a custom Event Handler, however, as it seems you need the PR to have already been merged:

https://scriptrunner.adaptavist.com/latest/bitbucket/StashEventHandlers.html#_working_with_custom_event_handlers

Kind regards,

Robert Giddings

Product Manager for Bitbucket
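As an added illustration of the custom event handler approach discussed in this thread (not code from the thread or from ScriptRunner's documentation), the following ScriptRunner for Bitbucket handler, registered for `PullRequestMergedEvent`, evaluates the three criteria from the question and attests the merge commit only when they all hold. The HMAC over the commit hash, the `ATTEST_SECRET` environment variable and the `/var/lib/bitbucket-attest` directory are assumptions standing in for a real signing setup.

```groovy
import com.atlassian.bitbucket.event.pull.PullRequestMergedEvent
import com.atlassian.bitbucket.pull.PullRequest
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
import java.security.MessageDigest

// Criteria from the thread: target branch, merged via a PR, at least N approvals.
// Because the handler only fires for PullRequestMergedEvent, direct pushes to the
// branch never reach it and therefore never get attested.
boolean criteriaMet(PullRequest pr, String protectedBranch, int minApprovals) {
    boolean onProtectedBranch = pr.toRef.displayId == protectedBranch
    int approvals = pr.reviewers.count { it.approved }
    return onProtectedBranch && approvals >= minApprovals
}

// Attestation over the merge commit hash. An HMAC with a server-held secret is used
// here as a stand-in; a production setup should sign with an asymmetric key (e.g. GPG)
// so the pipeline can verify with the public key but cannot mint attestations itself.
String attest(String commitId, byte[] secret) {
    Mac mac = Mac.getInstance('HmacSHA256')
    mac.init(new SecretKeySpec(secret, 'HmacSHA256'))
    return mac.doFinal(commitId.getBytes('UTF-8')).encodeHex().toString()
}

// Pipeline-side check (constant-time comparison): deploy only if this returns true.
boolean verify(String commitId, String attestation, byte[] secret) {
    byte[] expected = attest(commitId, secret).getBytes('UTF-8')
    return MessageDigest.isEqual(expected, attestation.getBytes('UTF-8'))
}

// `event` and `log` are bound by ScriptRunner in custom event handlers.
def merged = event as PullRequestMergedEvent
def pr = merged.pullRequest
def mergeCommitId = merged.commit?.id   // null if the merge produced no commit

if (mergeCommitId && criteriaMet(pr, 'master', 1)) {
    byte[] secret = System.getenv('ATTEST_SECRET').getBytes('UTF-8')   // assumed secret location
    String sig = attest(mergeCommitId, secret)
    // Assumed storage: one file per merge commit, read by the deployment pipeline.
    new File("/var/lib/bitbucket-attest/${mergeCommitId}").text = sig
    log.info("Attested merge commit ${mergeCommitId} for PR #${pr.id}")
} else {
    // Not an error: an unattested commit simply cannot be deployed by the pipeline.
    log.warn("PR #${pr.id} merged into ${pr.toRef.displayId} did not meet the attestation criteria; not signed")
}
```

The handler does little work per event (a few field reads and one HMAC), so the volume mentioned above is well within what a listener can absorb; the pipeline stays the enforcement point, since a merge that bypassed the check simply has no attestation file.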
