I work in a regulated environment where software changes need specific sign-offs by specific people or roles. Currently this is using git for version control, and tracking approvals outside of git.
I would like to see if there is a way to do approvals in git. If there is a solution which is GitHub-only (based on GitHub forking and pull requests from forks, or GitHub code reviews etc.) that would be interesting as well.
The specific elements needed are:
- Who approved something should be easy to find out (git log) and provable, in a way equivalent to a Docusign or electronic signature. Signing with a code signing key, for example, would work.
- Each piece of code may need to be approved by more than one person (there could be a per-project list, or on a case-by-case basis).
- It is very desirable to be able to approve a larger changeset (pull request, branch merge etc.) at once rather than just a single commit.
- It is desirable but not essential to be able to prevent some actions (merge to master / make release tag etc.) unless the right approvals are in place.
I know that git has a signed-off-by feature; can this be used for what I described?
EDIT: Thanks for all the answers... From the direction of some of them, it looks like I should clarify a bit. My goal is mainly to easily collect info about who approved what when (and also more detailed info from code reviews), rather than to automatically enforce policies (although that is nice too). In this case all contributors are within the same organization and can be assumed to be trusted and to (in general) do the right things. It's just that the process now is manual, very slow and somewhat error prone. To give you an idea: for every pull request, we create a couple of MS Word docs and put them in Docusign for signatures...
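As an added example (not from the question or any of the answers), the script below collects provable approvals for a changeset from `git log` output. It assumes a convention of my own: each approver records their approval as a commit signed with their own key and naming themselves in a `Signed-off-by:` trailer. A bare `Signed-off-by:` line is just text anyone can type, so the signature (git's `%G?` and `%GS` placeholders) is what makes the record provable; the sample log lines are constructed.

```python
# Assumed convention (not from the question): each approver records approval
# as a commit signed with their own key (the merge commit, or an empty commit
# via `git commit -S --allow-empty`) carrying a Signed-off-by trailer naming
# themselves. The trailer is only a claim; the signature is the proof.
# One record per commit: hash, %G? status, %GS signer, Signed-off-by values.
LOG_FORMAT = ("%H%x09%G?%x09%GS%x09"
              "%(trailers:key=Signed-off-by,valueonly,separator=%x2C)")
# %G?: G good, U good/untrusted key, N unsigned, B bad, E unverifiable,
# X/Y expired, R revoked. Only a trusted good signature counts here.
GOOD_STATUSES = {"G"}


def _name(ident):
    # 'Alice Example <alice@example.com>' -> 'Alice Example'
    return ident.split("<")[0].strip()


def parse_log(text):
    """Parse LOG_FORMAT output into (sha, status, signer, [signoffs])."""
    commits = []
    for line in text.splitlines():
        if line.strip():
            sha, status, signer, trailers = (line.split("\t") + [""] * 3)[:4]
            signoffs = [t.strip() for t in trailers.split(",") if t.strip()]
            commits.append((sha, status, signer, signoffs))
    return commits


def approvals(commits, required):
    """Map each required approver to the commits that prove their approval."""
    proven = {name: [] for name in required}
    for sha, status, signer, signoffs in commits:
        if status not in GOOD_STATUSES:
            continue  # unsigned, bad or untrusted: the trailer is just text
        for s in signoffs:
            # Counts only when the key holder vouches for themselves.
            if _name(s) in proven and _name(signer) == _name(s):
                proven[_name(s)].append(sha)
    return proven


def missing(commits, required):
    """Required approvers with no signed approval in the changeset."""
    return sorted(n for n, c in approvals(commits, required).items() if not c)


# Constructed sample in LOG_FORMAT: Alice and Bob signed their own approvals,
# Carol's trailer is on an unsigned commit, and the last commit is signed by
# Bob but names Alice (Bob cannot vouch for Alice).
SAMPLE_LOG = (
    "1a2b3c\tG\tAlice Example <alice@example.com>\tAlice Example <alice@example.com>\n"
    "4d5e6f\tG\tBob Example <bob@example.com>\tBob Example <bob@example.com>\n"
    "7a8b9c\tN\t\tCarol Example <carol@example.com>\n"
    "d0e1f2\tG\tBob Example <bob@example.com>\tAlice Example <alice@example.com>\n"
)
```

For real input, feed `parse_log` the output of `git log --format="$LOG_FORMAT" M^1..M^2` for a merge commit M (or `main..feature` before merging); the `%G?`/`%GS` placeholders make git verify each signature, so `--show-signature` is not needed.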
Above the changed code, click Review changes. Type a comment summarizing your feedback on the proposed changes. Select Approve to approve merging the changes proposed in the pull request. Click Submit review.
Approve or reject: To approve the job, click Approve and deploy. Once a job is approved (and any other environment protection rules have passed), the job will proceed. At this point, the job can access any secrets stored in the environment.
PullApprove is a service that allows pull requests to be blocked until they are reviewed and approved by the relevant people. It only works for GitHub repos, but it seems to satisfy all your requirements. PullApprove approvals are given by leaving a comment in the comment thread corresponding to the pull request, so it will leave a record there.
You can use GitHub protected branches to achieve part of this:
A protected branch:
- Can't have changes merged into it until required status checks pass
- Can't have changes merged into it until required reviews are approved
Configure them in the repo’s settings under branches.
But there’s no direct facility for signing commits in GitHub, and nothing to enforce that commits are signed, unfortunately.