QA (public)

Motivation¶

I learned another idea (from discussion with egotthold, jdsn, eroca) how to deploy products in a trusted way from git but as quickly as possible: Listen to GitHub events as documented on https://docs.github.com/de/rest/activity/events?apiVersion=2022-11-28, x-poll long running rest request, sync automatically if SUSE employee merged on GitHub, maybe with approved signing key, then sync automatically to internal repo, otherwise ask for approval

Acceptance criteria¶

• AC1: We know how "last signed commit signed by trusted SUSE developers" would help us regarding CC-compliant deployments
• AC2: We know how to use such approach for our products

Suggestion¶

• Research how https://github.com/openSUSE/github-pr is solving that and use it or learn from it for our own approach
• Come up with proof-of-concept for "Listen to GitHub events as documented on https://docs.github.com/de/rest/activity/events?apiVersion=2022-11-28, x-poll long running rest request, sync automatically if SUSE employee merged on GitHub, maybe with approved signing key, then sync automatically to internal repo, otherwise ask for approval", maybe for https://github.com/openSUSE/qem-bot/, see https://gitlab.suse.de/qa-maintenance/bot-ng/ and #168427