Support validating approvers before applying #2228

Open
@suzuki-shunsuke

Description

Feature Overview

This issue proposes a feature to validate approvers before running terraform apply.
If no one other than the PR's commit authors approves the PR, tfaction fails.

Why is the feature needed?

This feature is needed to follow the policy "All changes must be reviewed".
Even if we configure branch protection rules and branch rule set properly, people can violate this policy:

  • People can add commits to prs created by bots (GitHub Apps) and approve themselves
    • follow up prs
    • Renovate
  • People can add commits to prs created by others and approve themselves
    • Malicious people can abuse stale prs

Example Code

tfaction-root.yaml

validate_approvers: true

Note

No response
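
The rule proposed above, sketched as an added example; it is not part of the issue and not tfaction's implementation. The function names are hypothetical, the sample data is constructed, and the inputs carry only the `author`/`committer` and `user.login`/`state` fields of GitHub's REST responses for a pull request's commits and reviews. Failing when a commit has no linked GitHub account is an assumption of this sketch.

```javascript
// Added illustration; not tfaction's code. All function names are hypothetical.

// Logins of everyone who authored or committed a commit in the PR.
function commitLogins(commits) {
  const logins = new Set();
  let unresolved = false;
  for (const c of commits) {
    for (const user of [c.author, c.committer]) {
      if (user && user.login) logins.add(user.login);
      else unresolved = true; // commit email not linked to a GitHub account
    }
  }
  return { logins, unresolved };
}

// Reviewers whose latest decisive review is an approval.
function currentApprovers(reviews) {
  const state = new Map();
  for (const r of reviews) { // reviews are listed in chronological order
    if (!r.user || r.state === "COMMENTED" || r.state === "PENDING") continue;
    state.set(r.user.login, r.state); // a later DISMISSED replaces APPROVED
  }
  return [...state].filter(([, s]) => s === "APPROVED").map(([login]) => login);
}

// Pass only if at least one approver is not among the PR's commit authors.
function validateApprovers(commits, reviews) {
  const { logins, unresolved } = commitLogins(commits);
  // Assumption: fail closed when an author cannot be mapped to a login.
  if (unresolved) return { ok: false, reason: "commit with unresolved author" };
  const independent = currentApprovers(reviews).filter((a) => !logins.has(a));
  return independent.length > 0
    ? { ok: true, approvers: independent }
    : { ok: false, reason: "no approval from a non-author" };
}

// Constructed sample: a Renovate PR to which "bob" pushed an extra commit.
const bot = { login: "renovate[bot]" };
const bob = { login: "bob" };
const sampleCommits = [
  { author: bot, committer: bot },
  { author: bob, committer: bob },
];
const selfApproved = [{ user: bob, state: "APPROVED" }];
const peerApproved = [...selfApproved, { user: { login: "alice" }, state: "APPROVED" }];

console.log(validateApprovers(sampleCommits, selfApproved));
console.log(validateApprovers(sampleCommits, peerApproved));
```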
