Validation and Environment Extension: Pipeline requesting frequent manual approval on protected repository

Issue:

Experiencing frequent requests for manual approval on all our protected repositories, even when no changes are made to the drone-file.

We recently implemented a validation and environment extension to our workflow. Basically, our validation extension validates a custom YAML file (not the drone-file) without tampering with the drone-file used for pipeline deployment. It then uses its content to validate users/repository before each pipeline triggers. This only sends a response to the server with an appropriate HTTP code and error message, whether users are permitted or not. So, I'm not expecting this to be causing the issue, since no modification is done to the original signed drone-file.

The environment extension, on the other hand, issues a couple of environment variables to the pipeline steps during each run. I’m not expecting this to be causing the issue either, since the environment variables are provided to pipeline steps by the runners after each pipeline has been triggered and is running. Clarify if this isn’t the case.

Question:

Is there a way to implement both extensions and still ensure we do not have to manually approve each repository unless a user actually makes changes to the drone-file?

Hi there, neither of these extensions has any impact on whether or not a pipeline requires approval. A pipeline only requires approval if the repository is protected and the signature does not match the content of the yaml. You can learn more about protecting your yaml files with signatures here. You can audit the code and unit tests here.

If the validation extension fails, the pipeline immediately fails. It does not prompt for approval, it fails. You can audit the relevant code here.

The only possible reason for Drone requiring approval is because the signature does not match the yaml. This happens when a) you mark the repository as protected but forget to add the signature as shown here or b) you modify the yaml and forget to update the signature or c) you add the signature but in the process you mutate the yaml, thus changing and invalidating its signature (always use the CLI to add the signature).
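
The three causes listed in the answer above, as an added example that is not part of the original thread and is not Drone's own code. It is a simplified model that assumes the signature is an HMAC-SHA256 over the exact bytes of the pipeline document, keyed with a per-repository secret and stored in a trailing signature document; the function names, secret and sample YAML are constructed.

```python
import hashlib
import hmac
import re

# Assumed layout: the signature is a trailing YAML document after the pipeline.
SIG_DOC = re.compile(r"---\nkind: signature\nhmac: ([0-9a-f]{64})\n\.\.\.\n\Z")

def split_signature(text):
    """Return (pipeline_bytes, embedded_hmac), with hmac None when absent."""
    m = SIG_DOC.search(text)
    if m is None:
        return text.encode(), None
    return text[:m.start()].encode(), m.group(1)

def compute_mac(pipeline, secret):
    """HMAC-SHA256 over the raw bytes, so any byte change alters the result."""
    return hmac.new(secret, pipeline, hashlib.sha256).hexdigest()

def sign(text, secret):
    """Stand-in for the CLI signing step: append a fresh signature document."""
    pipeline, _ = split_signature(text)
    mac = compute_mac(pipeline, secret)
    return pipeline.decode() + f"---\nkind: signature\nhmac: {mac}\n...\n"

def decision(text, secret, protected=True):
    """Say whether a build would run or be held for approval, and why."""
    if not protected:
        return "run: repository not protected"
    pipeline, mac = split_signature(text)
    if mac is None:
        return "approval: signature missing"              # cause (a)
    if not hmac.compare_digest(mac, compute_mac(pipeline, secret)):
        return "approval: signature does not match yaml"  # causes (b) and (c)
    return "run: signature matches"

# Constructed sample data.
SECRET = b"constructed-repo-secret"
PIPELINE = "kind: pipeline\nname: default\nsteps:\n- name: build\n  image: golang\n"
SIGNED = sign(PIPELINE, SECRET)
EDITED = SIGNED.replace("image: golang", "image: golang:1.21")  # cause (b)
REINDENTED = SIGNED.replace("- name: build\n  image",
                            "  - name: build\n    image")       # cause (c)

if __name__ == "__main__":
    for name, doc in [("unsigned", PIPELINE), ("signed", SIGNED),
                      ("edited", EDITED), ("reindented", REINDENTED)]:
        print(f"{name:11} {decision(doc, SECRET)}")
```

The reindented file parses to the same pipeline but differs byte for byte, which is why a tool or editor that rewrites the file while the signature is being added produces the same approval prompt as a real edit.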

Thanks for the quick response and clarifications on the process of drone approval. I thought as much that each extension shouldn’t modify the contents of the signed configuration. I would have to retrace my code and changes to the extensions. I will keep you posted.