Security policy enforcement¶
How cuere's repository security settings are enforced and kept from drifting — and why the project uses settings-as-code rather than the OpenSSF Allstar policy bot.
The model: settings-as-code as the single source of truth¶
cuere's repository security configuration is declared in
.github/settings.yml
and applied by the Probot Settings app.
The file is version-controlled and changes only through a reviewed pull request,
so branch protection, merge rules, and the security-and-analysis features are
auditable in git history rather than clicked into the GitHub UI.
What settings.yml enforces on main:
- Pull-request review required — one approval, code-owner review, stale-review dismissal, and last-push approval.
- A fixed list of required status checks (tests, lint, the three type checkers, CodeQL, dependency audit, OSV scan, secret scan, dependency-review, and the GitHub Actions audit).
- Signed commits required; force-push and branch deletion forbidden; required conversation resolution.
- Repository-level secret scanning with push protection, and Dependabot security updates.
This sits inside a three-layer model:
| Layer | Tool | Role |
|---|---|---|
| Assess | OpenSSF Scorecard | Weekly and on-push scoring of the repo's posture, including a Branch-Protection check that surfaces drift |
| Enforce | Probot Settings (settings.yml) |
Declarative branch protection / repo settings, reviewed in git |
| Gate | Required status checks | Blocks merges until the quality and security CI passes |
Allstar: evaluated, not adopted¶
OpenSSF Allstar is a GitHub App that continuously enforces security policies (branch protection, binary artifacts, dangerous workflows, outside collaborators, …) and files issues or auto-fixes violations — the enforcement complement to Scorecard's assessment. cuere evaluated it (issue #40) and chose not to adopt it:
- Allstar is built for GitHub organizations; cuere is a personal-account
repository. Its install flow targets an organization, its configuration
lives in an org-level
.allstarrepository, and its opt-in / opt-out strategies are org-scoped. There is no documented support for a personal user account. - Most of its policies don't apply to a single personal repo. Outside Collaborators and Repository Administrators are organization concepts with no analog here. Of Allstar's policies, only Branch Protection is meaningful for cuere.
- That one policy is already covered — and better.
settings.ymlenforces branch protection declaratively, in version control, and covers more than Allstar's branch-protection policy (required checks, signed commits, conversation resolution, review dismissal). Running Allstar's branch-protection fix action on top would have two controllers reconciling the same settings against different definitions — they would fight.
In short, the gap Allstar fills — continuously correcting security-setting drift across many repositories in an organization — does not exist for a single personal-account repository that already declares its settings as code and has Scorecard watching for drift. This is a fit decision, not a judgement on Allstar, which is actively maintained.
If cuere ever moves to a GitHub organization
Should the project grow into a multi-repository GitHub organization, this
decision is worth revisiting — Allstar's value (uniform, self-healing policy
across many repos) appears precisely at that scale. The reconciliation with
settings.yml would then need deciding (scope Allstar to policies
settings.yml does not manage, or hand branch protection to one of them) so
the two do not fight.