Publish the eng-pipes repo

The [`eng-pipes` repo](https://github.com/getsentry/eng-pipes) is one of two that OSPO engineers spend the most time in (the other is [`self-hosted`](https://github.com/getsentry/self-hosted)). It's private only by historical accident, it really should be public. I want this especially because it will make hiring easier, we can link people to the repo and the best candidates can engage with us there as part of their application.

- [x] Switch to Apache license (no reason for it to be BSL, it's not a core component of Sentry-the-product)
    - https://github.com/getsentry/eng-pipes/pull/414
- [x] Go through [security review🔒](https://getsentry.atlassian.net/browse/SECURITY-1224).
- [x] Resolve [critical and high dependabot vulns](https://github.com/getsentry/eng-pipes/security/dependabot).
- [x] Flip the bit.

## Security Review

- [x] Repo has a suitable license.
- [x] Dependabot is configured, if applicable.
    - [x] Review current dependabot alerts and resolve all critical or high severity findings.
- [x] Code scanning (CodeQL) is enabled, if applicable.
    - CodeQL is typically not available (for free) to private repos, so enabling this may not be possible until the repo is public. Be prepared to submit a PR as soon as the repo is made public.
- [x] Secret scanning is enabled. (requires public repo or GHAS on private repos)
- [x] Review for any leaked secrets.
    - [x] Run [gitleaks](https://github.com/zricethezav/gitleaks) and ensure there are no detected secrets.
    - [x] Review any screenshots for potential captures of API tokens, session cookies, etc.
    - [x] git log -p if the repo is small and manually scan for anything sensitive.
- [x] Review repo settings and environment variables.
    - [x] Do all secrets exist under “Secrets” ?
- [x] Review any Github Actions.
    - [x] Ensure there is no accidental printing of a secret value.
    - [x] Ensure there is no basic encoding of a secret value that is printed (e.g. base64).
- [x] Review configured webhooks.
    - [x] Are all URLs expected destinations?
    - [x] Are they documented somewhere, either in Notion or the repo, and their purpose understood?
    - [x] Do they use sufficiently strong secrets for signing.
- [x] Does the main branch have a protection rule in place requiring an approved PR to merge?
- [x] Review collaborators on the repo.
    - [x] Are access levels properly scoped (e.g. least privilege)?
    - [x] Are all collaborators Sentry employees?


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Publish the eng-pipes repo #112

Security Review

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Publish the eng-pipes repo #112

Description

Security Review

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions