alkonaut

> How often have you or a coworker pushed an empty commit to "re-trigger" the CI?

Zero, because unless my dog configured the CI, I’d just click a button to re-run it on the same PR/commit/branch and not “make an empty commit”.

End to end testing of large systems with hundreds or thousands of man-years of code in them will be slow because there is a large surface area to test and testing in individual modules doesn’t give the same kind of end to end coverage that testing everything together does. So while pre-commit would be good, I doubt it will replace server CI for all but the smallest repositories.

gusbremm

Agreed, but for instance, I am working on a project hosted on AWS where the trigger build action is not allowed for my user. Empty commit is my only option.

cuteboy19

Im sorry but I dont understand the point of such a configuration. Its certainly not security related

jffry

It can definitely be security related. The exact minimum set of permissions needed for users to successfully use the AWS Console is byzantine and not well documented. AWS managed (example) policies tend to just grant "* on *" type permissions.

To carve out minimal permissions, you have to start with nothing and repeatedly attempt to do the action in AWS console, and check CloudTrail to see what got denied. Increase role permissions, lather, rinse, repeat until it works and pray they don't update the console and break you again.

It's possible that either this process is too tedious to be worth doing, or produces a policy more complicated than they wish to use, or requires a policy that is more permissive than they wish to use.

coredog64
IAM isn’t fun, but there’s lots of options.

https://pypi.org/project/access-undenied-aws/ will allow you to start with least privilege and fix specific issues.

https://github.com/iann0036/iamlive allows an admin to perform the action via CLI and capture the policy.

Access advisor can inspect how you actually use the role and give suggestions on what to remove.

A more helpful suggestion is to experiment with these tools and then find gaps in IAM actions and submit those as feature requests via your TAM.