Allow Private Orbs along with Certified Public Orbs
planned
Zachary Yao
We are on Scale Plan and when I try to create a private orb, it requires me to toggle on "Allow all members of my organization to publish dev orbs, use uncertified orbs and use third-party ..". in the organization settings.
However, in our scenario, we only want to allow private orbs along with certified public orbs.
Please add a third option apart from the existing binary options:
- Yes: Allow all members of my organization to publish dev orbs, use uncertified orbs and use third-party ..
- No: Only allow my organization to use orbs certified and supported by CircleCI
S
Steven Reynolds
For any one needing a workaround for this feature, you can leverage config policies as a way to create an allowed list of orbs (admittedly a toggle would be much preferred).
An example policy would look like
package org
import future.keywords
import data.circleci.config
policy_name["allowed_orbs"]
# circleci prefix allows certified orbs
# company_namespace allows your private orbs
# any other prefixes support approved 3rd party orbs
use_allowed_orbs[orb] = reason {
some orb, _ in config.orbs
not startswith(orb, "circleci")
not startswith(orb, "company_namespace")
not startswith(orb, "some_other_orb")
reason := sprintf("%s is not an approved orb", [orb])
}
# You may decide a soft_fail is preferable depending on your requirements
hard_fail["use_allowed_orbs"]
enable_rule["use_allowed_orbs"]
More information
https://circleci.com/docs/config-policy-management-overview/
https://circleci.canny.io/orbs/p/allow-to-use-third-party-orbs-by-white-list
https://circleci.canny.io/orbs/p/option-to-allow-certified-and-partner-orbs-only
Oran Wilder
Hi folks - this feature continues to be top of mind but unfortunately remains uncertain on updated timing. When we find a new home for it we'll update again here.
Brian Yarr
Is there an update on this feature?
Oran Wilder
planned
This has been added to the roadmap for second half of 2022.
Oran Wilder
Update: Targeting mid-Q4.
Thomas Furmston
Oran Wilder Please, did this make it into the Q4 roadmap?
A
Alex Kennedy
Oran Wilder Bump for status update please.
Oran Wilder
Alex Kennedy: Sure thing. This won't fit into our Q3 plans, but remains under consideration for Q4.
Oran Wilder
under review
Reviewing for roadmap prioritization.