I wonder if someone has looked into the following use-case:
We want to digitally "sign" all commits created on e.g. the master branch based on a number of criteria. These could be approved by at least 1 reviewer, task list in PR completed etc.
I know that these "rules" can be applied as project/repo configuration but we do have lots of repo admins that potentially can disable these checks and circumvent them. This is all captured in the audit log but it is usually too late if the commit has already hit the production system.
My idea is therefore to introduce an event listener that triggers on PR merged and in theses cases run the list of criteria on that PR and merge commit and if it fulfills all of them digitally sign the merge commit on the master branch. With this in place we can instruct our pipelines to only deploy changes that has passed these checks.
Has anyone implemented something similar? Or is there a better way to approach this (without revoking the repo admin permissions from people)?
We do have the Scriptrunner for Bitbucket so any ideas or pointers implemented with Groovy are highly appreciated.
Regarding your question around using ScriptRunner for Bitbucket for signed commits, would the existing built-in Pre Hook of Enforcing Trusted Commit Authors address your requirements?
Also, regarding repo admins being able to disable these checks, the Enforce Trusted Commit Authors Pre Hook can be set up in the global admin area of Bitbucket, which I assume your repo admins do not have access to. Thus preventing them from disabling the hook.
Please let me know if this helps? Or you require further assistance?
Product Manager, ScriptRunner for Bitbucket
No this is not what I am looking for.
I want to be able to sign a commit automatically based on a number of criteria.
The criteria can be (but not limited to):
The reason we see this need is that even if we enforce e.g. number of approvers to 1 it is possible for a repo admin to temporarily disable this and merge the PR without approvals and then re-enable the check.
This is an offending usage I know, but we need to be able to proof that this has not happened to code in our production systems.
The idea here is to create an event listener that trigger on new commits and based on the "conditions" above signs the commit if all are true.
I guess it is possible to create a scripted listener doing this but I am a bit concerned about the performance here. We are talking about 4-5000 commits per day in our instance.
Any comments about this?
Hi @Svante Gustafsson ,
Please can I first point out that in order to prevent Repo admins from disabling your Require a number of approvals Merge Check, you can configure the Merge Check at the global admin level and have it configured to apply to repositories.
Repo admins would then not be able to disable the Merge Check.
Also, we now have better auditing for ScriptRunner for Bitbucket to help keep check of configuration changes: https://scriptrunner.adaptavist.com/latest/bitbucket/audit-logging.html
Finally, if you still require a custom solution here are a couple of pointers.
Here is an example Post Hook that records push traceability, that might be helpful for your needs and perhaps could be adapted? - https://scriptrunner.adaptavist.com/latest/bitbucket/PostReceiveHooks.html#_push_traceability
From your requirements it looks like you will need a custom Event Handler however, as it seems you already need the PR to have been merged?
Product Manager for Bitbucket
Hi everyone, The Cloud team recently announced 12 new DevOps features that help developers ship better code, faster ! While we’re all excited about the new improvements to Bitbucket ...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event
You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events