Created
September 14, 2022 23:09
-
-
Save jacobian/9f70e108b5672bea6f16cc0e82ae7e4f to your computer and use it in GitHub Desktop.
Revisions
-
jacobian created this gist
Sep 14, 2022 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,111 @@ # Robots policy for github projects This is a sketch of a proposal for a "robots.txt for github" -- a policy that defines what actions automated tooling can take against a given repository. ## Identification Bots self-identify, and use `project/repo`-style naming. So code that lives at `https://github.com/jacobian/coolbot` identifies as `jacobian/coolbot`. Forks should generally use the upstream identifier until/unless they become different enough to warrent new names. This is a matter of judgement. ## Policy file location: `.github/robots.yml` Policies live in `.github/robots.yml`. Well-behaved robots should consult this file before taking action. ## Policy file contents Somewhat inspired by `robots.txt`, but in YAML to troll security researchers. I have no spec yet so here are examples: Robots may not interact with this repository: ```yaml deny: * ``` Go hog wild: ```yaml allow: * ``` Nobody is welcome except `jacobian/coolbot`: ```yaml allow: - jacobian/coolbot ``` That's the same as: ```yaml deny: * allow: - jacobian/coolbot ``` That is, an `allow` without a `deny` implies `deny: *`. The same is true of a deny list. This allows any bot, _except_ `jacobian/coolbot`: ```yaml deny: - jacobian/bot1 ``` and that's the same as: ```yaml allow: * deny: - jacobian/coolbot ``` If there's both an `allow` and a `deny` list, an implicit `deny: *` should also be inferred. So given: ```yaml allow: - jacobian/coolbot deny: - jacobian/otherbot ``` `jacobian/otherbot` clearly should stay away, but so should `jacobian/bot3` and all other bots. The above should be treated as: ```yaml allow: - jacobian/coolbot deny: * ``` ### Organizational policies Bots can also be allowed or denied by organization. This policy welcomes bots from the Python Packaging Authority: ```yaml allow: - pypa/* ``` This policy welcome most bots, but none made by me: ```yaml allow: * deny: - jacobian/* ``` ### Action policies Finally, policies may allow or deny specific actions. This policy allows `jacobian/coolbot` any action, and allows PyPA bots to open issues (but only open issues): ```yaml allow: - jacobian/coolbot - pypa/*@issues ``` Valid actions are: - `issues` - `pull_requests` TBD: more granular permissions e.g. "open issue", "comment on issue", etc?