add callout for branch protection #1098
Conversation
Hi @r2c-david! Can you let me know if the updates work for you?
:::caution
For **GitHub** users: This method of adding a repository commits a GitHub Actions workflow file directly into your trunk or default branch, such as `main` or `develop`. **Branch protection** can prevent Semgrep from onboarding your repositories, whether in bulk or one-by-one, through this method.

If you encounter issues with adding repositories, such as being unable to commit the Semgrep workflow file, change your [branch protection](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) settings temporarily while you add repositories to Semgrep.
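Review bot: the second paragraph's advice to "change your branch protection settings temporarily" asks users to weaken a control on their default branch, which most organizations will not (and should not) do just to add a workflow file; the callout should instead recommend committing the workflow file on a feature branch and merging it through a pull request, which branch protection permits. Consider rewording the paragraph along the lines of "commit the Semgrep workflow file on a branch and open a pull request against `main` or `develop`" and keeping the branch-protection link as background rather than as the fix.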
I don't think most customers will actually be willing/able to modify their branch protection settings. I'd also suggest that they introduce the workflow file through a PR and then merge it into the repo.
As the feature bakes - I'd also encourage linking somewhere in here to auto-scan as an alternative.
I'd also suggest that they introduce the workflow file through a PR and then merge it into the repo.
Thanks for the reply. Just confirming that you're suggesting, IF the user CAN'T change their branch protection:
- The user has to do it manually (copy paste the yml file, make a PR).
- The user has to do this for every repo.
Is that correct?
Yup that's exactly right.
Regarding the "do this for every repo" - it might be helpful to caveat if they are looking to deploy to many repos where this would be cumbersome - they might consider some of the approaches outlined by github here:
we could also link to our required/reusable workflows KBs!
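The reviewer's alternative (commit the workflow file through a pull request rather than relaxing branch protection, and do it per repository when onboarding many repos) can be scripted against the GitHub REST API. The example below is added here and is not Semgrep's tooling or part of the docs change: `classify_protection()` reads the branch-protection response and decides whether a direct commit to the default branch can succeed, and `onboard_repo()` either commits the file directly or creates a feature branch, commits there and opens a PR. The function names, the `add-semgrep-workflow` branch name, the `semgrep.yml` path and the sample API responses are this example's own assumptions; the workflow text itself is supplied by the caller (for instance the file copied from the Semgrep UI).

```python
"""Onboard a GitHub Actions workflow file without weakening branch protection.

Added example (not Semgrep's own code). Uses only the GitHub REST API over
urllib. Endpoints used: GET /repos/{o}/{r}, GET .../branches/{b}/protection
(404 means "not protected"), GET .../branches/{b}, POST .../git/refs,
PUT .../contents/{path}, POST .../pulls.
"""
import base64
import json
import urllib.error
import urllib.request

API = "https://api.github.com"


def classify_protection(protection):
    """Decide how a workflow file can reach the branch.

    `protection` is the parsed JSON of GET .../branches/{b}/protection, or
    None when GitHub answered 404 (branch not protected). Returns a plan dict.
    Push restrictions are treated conservatively: even if the token's user is
    on the allow list, we route through a pull request.
    """
    if protection is None:
        return {"direct_commit": True, "pull_request": False,
                "approvals_required": 0, "status_checks": [],
                "admins_enforced": False}
    reviews = protection.get("required_pull_request_reviews") or {}
    checks = protection.get("required_status_checks") or {}
    restrictions = protection.get("restrictions")
    admins = (protection.get("enforce_admins") or {}).get("enabled", False)
    # Required reviews, required status checks or push restrictions all reject
    # a plain push to the branch, which is exactly what "commit the workflow
    # file directly into trunk" does.
    pr_needed = bool(reviews) or bool(checks) or restrictions is not None
    return {
        "direct_commit": not pr_needed,
        "pull_request": pr_needed,
        "approvals_required": reviews.get("required_approving_review_count", 0),
        "status_checks": list(checks.get("contexts", [])),
        "admins_enforced": bool(admins),
    }


def _request(method, path, token, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def get_protection(owner, repo, branch, token):
    """None when the branch is unprotected (GitHub returns 404 in that case)."""
    try:
        return _request("GET", f"/repos/{owner}/{repo}/branches/{branch}/protection", token)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def onboard_repo(owner, repo, token, workflow_text,
                 path=".github/workflows/semgrep.yml",
                 feature_branch="add-semgrep-workflow"):
    """Add the workflow file to one repo; via a PR when the default branch is protected.

    Returns the plan from classify_protection() plus the URL of the commit or
    the pull request that was created. Call this once per repository.
    """
    default_branch = _request("GET", f"/repos/{owner}/{repo}", token)["default_branch"]
    plan = classify_protection(get_protection(owner, repo, default_branch, token))
    content = base64.b64encode(workflow_text.encode()).decode()
    target = default_branch
    if plan["pull_request"]:
        # Branch off the protected branch's current head and commit there.
        head = _request("GET", f"/repos/{owner}/{repo}/branches/{default_branch}", token)
        _request("POST", f"/repos/{owner}/{repo}/git/refs", token,
                 {"ref": f"refs/heads/{feature_branch}", "sha": head["commit"]["sha"]})
        target = feature_branch
    commit = _request("PUT", f"/repos/{owner}/{repo}/contents/{path}", token,
                      {"message": "Add Semgrep workflow", "content": content, "branch": target})
    if not plan["pull_request"]:
        return {**plan, "url": commit["commit"]["html_url"]}
    pr = _request("POST", f"/repos/{owner}/{repo}/pulls", token, {
        "title": "Add Semgrep workflow", "head": feature_branch, "base": default_branch,
        "body": (f"Adds {path}. Branch protection requires "
                 f"{plan['approvals_required']} approval(s); required checks: "
                 f"{plan['status_checks']}"),
    })
    return {**plan, "url": pr["html_url"]}


# Constructed sample responses in the shape of the branch-protection API,
# used to exercise classify_protection() offline.
PROTECTED_SAMPLE = {
    "required_status_checks": {"strict": True, "contexts": ["ci/build"]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {"required_approving_review_count": 2},
    "restrictions": None,
}
UNPROTECTED_SAMPLE = None  # the 404 case

if __name__ == "__main__":
    for name, sample in (("protected", PROTECTED_SAMPLE), ("unprotected", UNPROTECTED_SAMPLE)):
        print(name, classify_protection(sample))
```

Run the module directly to see the two plans; to onboard for real, call `onboard_repo("org", "repo", token, open("semgrep.yml").read())` in a loop over your repository list with a token that has `contents` and `pull_requests` write permission. When `approvals_required` is non-zero the PR still needs a human approval, which is the point: the control stays in place and the workflow file arrives through it.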
Here is what it looks like rendered: