[jdt-dev] Enabling Otterdog for your project at GitHub

Dear all,

the Eclipse Security Team is focused on helping Eclipse projects secure their development processes and infrastructure. For this purpose we have developed a tool called Otterdog (https://gitlab.eclipse.org/eclipsefdn/security/otterdog), which configures various settings of a GitHub organization based on a configuration that is itself provided and hosted in a GitHub repository.

The tool can import the current status quo and then lets organization and repository settings be hardened gradually by editing the configuration through a standard review process:

  • project leads have access to the repository hosting the configuration
  • project leads can create PRs with suggested changes to the configuration; a workflow automatically adds comments to the PR highlighting the changes that the tool will apply
  • PRs get approved and merged by the security team
  • the security team finally applies the changes to the GitHub organization via the otterdog command line tool (this step is intended to be automated in the near future)
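To make the review step concrete, here is an added example (not Otterdog's own code, and not from the author of this mail) of the kind of change list such a PR workflow comment shows: it compares an imported "live" state with the desired configuration and flags changes that move a setting in a less secure direction, so reviewers see at a glance what needs explicit sign-off. The repository names, setting keys and the hardening policy are constructed sample data for this illustration.

```python
"""Drift report for GitHub organization/repository settings as code.

Added example, not Otterdog's implementation: models the workflow of
importing the live state, comparing it with the reviewed configuration,
and rendering the change list a reviewer sees on the PR.
"""

# Constructed sample: the imported live state of two repositories.
CURRENT_STATE = {
    "sample-repo-core": {
        "secret_scanning": False,
        "allow_force_pushes": True,
        "required_approving_review_count": 0,
    },
    "sample-repo-ui": {
        "secret_scanning": True,
        "allow_force_pushes": False,
        "required_approving_review_count": 1,
    },
}

# Constructed sample: the desired configuration as proposed in a PR.
DESIRED_CONFIG = {
    "sample-repo-core": {
        "secret_scanning": True,
        "allow_force_pushes": False,
        "required_approving_review_count": 1,
    },
    "sample-repo-ui": {
        "secret_scanning": True,
        "allow_force_pushes": False,
        "required_approving_review_count": 0,  # a weakening change
    },
}

# Which direction counts as hardening for each key (assumption: a small
# reviewer-chosen policy, not something any tool defines).
HARDENING_DIRECTION = {
    "secret_scanning": "higher",                   # True is safer than False
    "allow_force_pushes": "lower",                 # False is safer than True
    "required_approving_review_count": "higher",   # more reviews is safer
}


def diff_settings(current, desired):
    """Return (repo, key, old, new) for every setting that would change."""
    changes = []
    for repo in sorted(set(current) | set(desired)):
        cur = current.get(repo, {})
        want = desired.get(repo, {})
        for key in sorted(set(cur) | set(want)):
            old, new = cur.get(key), want.get(key)
            if old != new:
                changes.append((repo, key, old, new))
    return changes


def weakens(key, old, new):
    """True if the change moves a known setting in the less secure direction."""
    direction = HARDENING_DIRECTION.get(key)
    if direction is None or old is None or new is None:
        return False
    # Booleans compare as 0/1 in Python, so the same rule covers both kinds.
    return new < old if direction == "higher" else new > old


def render_plan(changes):
    """Render the change list as the PR comment a reviewer would read."""
    lines = []
    for repo, key, old, new in changes:
        flag = "  [WEAKENS SECURITY - needs explicit approval]" if weakens(key, old, new) else ""
        lines.append(f"{repo}: {key}: {old!r} -> {new!r}{flag}")
    return "\n".join(lines) if lines else "no changes"


if __name__ == "__main__":
    print(render_plan(diff_settings(CURRENT_STATE, DESIRED_CONFIG)))
```

The plan lists every setting that differs between the two states; in the sample, three changes harden one repository and the single review-count decrease on the other is flagged, which is exactly the kind of change a security team would want surfaced before approving and applying a PR.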

The tool is already in use by the Adoptium project, and based on the positive feedback we have received so far we would like to roll it out to more organizations.

We see the following benefits by using this tool:

  • allows project teams to see the current configuration and suggest changes, moving toward a self-service process for administering GitHub organizations
  • allows the Eclipse Security Team to monitor security-related settings for our organizations / projects at scale and suggest changes to further improve the overall security of our development processes
  • reduces load on the HelpDesk

To get a glimpse of the tool and its capabilities, please find below a link to a presentation of the Head of Security at the EF, Mikael Barbero:

https://docs.google.com/presentation/d/1lLqbhDQf9s5U2A2TkcoFYA39qtODcSot2308vnKbkbA/edit?usp=sharing


Due to a mistake from our side (I mixed up eclipse-pdt with eclipse-jdt, which is currently in the process of migrating to its own GitHub organization), otterdog has already been set up for your organization eclipse-jdt at GitHub.
For this purpose, an additional repository .eclipsefdn-private has been created to which all committers have access. It contains the current configuration of GitHub resources as code, and you can create PRs on this repo to request changes to the configuration.
These PRs get approved by EF staff and will subsequently be applied to GitHub. I want to apologize for making changes in your organization without prior notice. Please let me know whether you are willing to use otterdog or whether we should remove the created repository again.

If you are willing to use otterdog, I would be happy to give a quick demonstration and answer any questions you may have.
 
Best regards,
Thomas
