Fix celo-compliance Github Action

[arthurgousset]

Context in this Slack thread.

Error in Github Action is:

remote: error: GH006: Protected branch update failed for refs/heads/main.       
remote: error: Changes must be made through a pull request.

Source: Github action

Github Action seems to fail because direct git push to main branch is forbidden according to branch protection policies.
A GitHub owner or repo admin should be able to update that config

Tasks

Beta Give feedback

1. Ask for elevated permission to temporarily update branch protection policy
2. Update OFAC list (incl. repo update and NPM release)
3. Check the Github Action updates the list correctly (follow up todo)
4. Unpublish mistakenly released NPM package version (for educational reasons)
5. Re-publish package as @celo/compliance instead of compliance-sdk #11
   4 of 4
   +0
   
6. Add alerting if Github Action fails (follow up todo) - Slack
7. Improve CI security - so that workflow uses a PR and doesn't push to main directly
8. Let Security team know in (OFAC channel) that branch protection can be enabled again

[arthurgousset]

Looks like this stopped working due to a change in branch permissions between Thu, Jan 11 and Fri, Jan 12.

[arthurgousset]

Added a todo above

Check the Github Action updates the list correctly (follow up todo)

It looks like the NPM release flow wasn't triggered in the past 3 months. Check this matches with expected updates shared in OFAC feed.

[lvpeschke]

The branch protection, which now requires a PR + approval before committing to the main branch, is probably my edit. Last week, I changed security settings across a few repositories working off the premise that additional restrictions, if painful, would be raised.

Ideally, we would keep branch protection going forward, since ensuring all changes to default branches go through PRs adds layers of security (most notably: org-wide workflows such as Socket). This could still get automatically merged, provided all checks pass.

[arthurgousset]

Understood, thanks for the heads-up @lvpeschke.

We'll do two things here:

• update the workflow to use PR + auto-approval, so the main branch protection can stay on
• double-check we get notified when the GitHub Action fails

In this case, we coincidentally checked the GitHub Actions on the day the workflow broke, because Subha manually notified us of an OFAC update.

[arthurgousset]

Idea:

a slack message that goes to the channel with addreses that were added or if it fails that

[arthurgousset]

Idea:

• even update if succeeded but not address was added

[arthurgousset]

Note: @shazarre and I will be pairing on this. Leszek is interested in learning more about Github Actions too

[arthurgousset]

From Slack:

The compliance workflows are broken again, because branch protection rules were enabled.
Just noting this here, so there is a log that this didn't work for the last 2 weeks.

• Short-term solution: disable branch protection (like we agreed last time)
• Long-term solution: implement PR-based work-around so pushing to main is not required (like we agreed last time)

[arthurgousset]

Unassigning myself because this is something @shazarre has taken on (based on Slack convo).