Bulldozer can be configured using `required_statuses` to validate that a PR has the specified status set before merging; ostensibly this may be paired with policy-bot to provide assurance that a PR can be merged. However, any collaborator on a repository can set a status on a PR, essentially impersonating policy-bot, and bulldozer will happily merge the PR.
I'd like to propose, and if agreed, implement an enhancement to `required_statuses` where it continues to behave either as a list of statuses set by any user, or as a list of statuses that must have been set by a given set of users.
```yaml
# keeps working as is
merge:
  required_statuses:
    - "policy-bot: main"
```

```yaml
# validates the user that set the status
merge:
  required_statuses:
    "policy-bot: main":
      - policy-bot[bot]
```
Policy-bot could be changed to use checks, which can only be set by GitHub Apps, in place of statuses; however, this would be a significant change and has already been attempted and abandoned once before (palantir/policy-bot#46).
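The check the proposal describes, sketched in Go (bulldozer's language) as an added example that is not bulldozer's own code: the `Status` and `RequiredStatus` types and the collaborator login `mallory` are constructed for illustration, and an empty `AllowedCreators` keeps the current any-user behaviour.

```go
package main

import "fmt"

// Status is a simplified commit status: context, state and the login that
// created it (constructed for this example, not bulldozer's own type).
type Status struct {
	Context string
	State   string // "success", "failure" or "pending"
	Creator string
}

// RequiredStatus pairs a status context with the logins allowed to set it.
// An empty AllowedCreators means any user counts, as required_statuses does today.
type RequiredStatus struct {
	Context         string
	AllowedCreators []string
}

// Satisfied reports whether every required status has a successful entry
// created by a permitted login.
func Satisfied(required []RequiredStatus, statuses []Status) bool {
	for _, req := range required {
		if !hasTrusted(req, statuses) {
			return false
		}
	}
	return true
}

// hasTrusted looks for a successful status with the required context whose
// creator is in the allowed set (or any creator when the set is empty).
func hasTrusted(req RequiredStatus, statuses []Status) bool {
	for _, s := range statuses {
		if s.Context != req.Context || s.State != "success" {
			continue
		}
		if len(req.AllowedCreators) == 0 {
			return true
		}
		for _, login := range req.AllowedCreators {
			if login == s.Creator {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample: collaborator "mallory" sets the context bulldozer expects from policy-bot.
	statuses := []Status{{Context: "policy-bot: main", State: "success", Creator: "mallory"}}
	fmt.Println(Satisfied([]RequiredStatus{{Context: "policy-bot: main"}}, statuses),
		Satisfied([]RequiredStatus{{Context: "policy-bot: main", AllowedCreators: []string{"policy-bot[bot]"}}}, statuses))
}
```

With the list form the impersonated status passes; with the creator-restricted form the same status is rejected.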