TPA-RFC-76: note that we can allow a deploy key to push (team#41977)

Found in team#41977

TPA-RFC-76: note that we can allow a deploy key to push (team#41977)
aaa7537c · anarcat · 8e78f081 · aaa7537c
Verified Commit aaa7537c authored 2 months ago by anarcat
--- a/policy/tpa-rfc-76-puppet-merge-request-workflow.md
+++ b/policy/tpa-rfc-76-puppet-merge-request-workflow.md
@@ -44,8 +44,8 @@ repository the GitLab server.
 3. Merge policy: "fast-forward only", to force developers to merge
   locally and avoid accidentally trusting GitLab

-4. Branch rules: disallow anyone to merge to the default branch, allow
-   maintainers to "push and merge"
+4. Branch rules: disallow anyone to "merge" or "push and merge" to the
+   default branch, except a deploy key for the mirror

 ## Rationale

@@ -65,10 +65,10 @@ Each setting above brings us the following properties:
   GitLab create a merge commit which then extends our attack surface
   to GitLab

-4. Same as (3), but more explicit. That way even if someone fancies
-   turning off the "fast-forward" flag by mistake, they will still
-   have to go through the complex branch rules settings and perhaps
-   think twice about whether or not this is a good idea.
+4. Same as (3), another safeguard. This covers the case where someone
+   mistakenly pushes to the main branch. In this case, they are simply
+   not allowed to push at all. The mirror is updated with a deploy key
+   that lives on the Puppet server.

 # Alternatives