How to enforce compliance with reviewer digital signatures #
Merging pull requests in Bitbucket is comparable to merging documents. Just as documents can be signed for approval, Workzone lets you digitally sign pull request approvals with a personal signature token.
You can even configure Workzone to allow a merge only when the required number of approval signatures is present.
Let’s say Thomas and Ulrich are release managers at ACME. ACME is a CFR-compliant, ISO 900x-certified company. To merge code for their new intensive care unit device update, they need to digitally sign off on the changes.
ACME’s CFR policies enforce 2 digital signatures before the code can be merged. Workzone’s auto-merge configuration is set up to require 2 signatures.
To do this:
- Navigate to your Workspace Settings.
- Scroll down to your Workzone section and click on “Pull Request Settings – Workzone”
- Click “Add Setting”
- Define your Source & Destination along with other configurations.
- When adding reviewers, tick “Require digital signature” for each reviewer whose signature is required.
- Click “Save”.
Thomas and Ulrich are notified of the pending Pull Request that requires their signature.
To sign the pull request, Thomas will need to follow these steps:
- Click the “Sign and Approve” button.
- It is the first time Thomas has signed a pull request, so he will need to create a signature token by clicking “Create a signature token”.
A new tab will open where Thomas can create a signature approval token.
Within this new tab Thomas will work through the following steps:
- Click the “Create Token” button – this will open a popup.
- Set a label for the token, e.g. “Thomas Luong Token”.
- Click “Confirm” to generate the approval token.
- Thomas will click copy and navigate back to the original pull request window. The token is displayed only once, immediately after it is created. To reuse the token, Thomas may choose to store it in a safe place that only he has access to.
Now that Thomas has created his own approval token, he is ready to complete the digital signature process:
- Thomas will paste his digital approval token in the field highlighted.
- Click “Confirm”
- The digital signature has now been recorded with the approval. Click “Reload”.
- The required Workzone checks have now been completed and the team is just waiting for Ulrich to sign.
How to enforce compliance with reviewer group signatures #
Some compliance procedures require a reviewer to sign a pull request as a representative of a group.
Configuring signature groups #
ACME’s compliance requirements have been updated and now require a signature from the “Tech Rep”, “Test Rep” and “Quality Rep” group representatives.
Edit or create a new Workzone reviewer rule set with digital signatures.
When a pull request to ‘develop’ is created, members of all 3 groups are added as signature-reviewers.
Approving and signing a pull request as a representative #
Signature reviewers can only approve a pull request with their digital signature token (see above). If “signature groups” are detected for the pull request, the reviewer can approve and sign as a group representative.
To approve and sign a pull request as a representative:
- On the pull request page click “Sign and approve”
- Provide your signature token
- Choose a group you represent with your signature
- Click “Approve” to complete.
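The two policies described on this page, a fixed number of signatures before a merge and one signature from each required representative group, can be modelled in a few dozen lines. The following is an added illustration and not Workzone’s own code: the class and function names, the third reviewer “quinn”, and the token storage scheme (only a SHA-256 digest of each token is kept, so the plaintext really is visible only once) are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of the signature-gated merge described above. Class and
# function names are assumptions for illustration, not Workzone's own API.


class SignatureTokenStore:
    """Issues per-user approval tokens and keeps only a hash of each.

    The plaintext token is returned exactly once, at creation time, which is
    why the reviewer must copy it straight away; verification hashes the
    pasted value and compares the digests in constant time.
    """

    def __init__(self):
        self._hashes = {}  # user -> (label, sha256 hex digest of the token)

    def create_token(self, user, label):
        token = secrets.token_urlsafe(32)
        self._hashes[user] = (label, hashlib.sha256(token.encode()).hexdigest())
        return token  # the store cannot reproduce this value later

    def verify(self, user, token):
        entry = self._hashes.get(user)
        if entry is None:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        return hmac.compare_digest(entry[1], digest)


@dataclass
class MergeGate:
    """Blocks the merge until N distinct signers and every required group have signed."""

    store: SignatureTokenStore
    required_signatures: int = 2
    required_groups: frozenset = frozenset()
    group_membership: dict = field(default_factory=dict)  # group -> set of users
    signatures: dict = field(default_factory=dict)  # user -> group represented (or None)

    def sign_and_approve(self, user, token, group=None):
        if not self.store.verify(user, token):
            raise PermissionError(f"{user}: signature token does not match")
        if group is not None and user not in self.group_membership.get(group, set()):
            raise PermissionError(f"{user} is not a member of {group!r}")
        self.signatures[user] = group  # one entry per person, so re-signing counts once
        return True

    def can_merge(self):
        enough_signers = len(self.signatures) >= self.required_signatures
        signed_groups = {g for g in self.signatures.values() if g is not None}
        return enough_signers and self.required_groups <= signed_groups


def run_acme_scenario():
    """Walks the gate through the two ACME policies; returns the outcome of each step."""
    store = SignatureTokenStore()
    thomas = store.create_token("thomas", "Thomas Luong Token")
    ulrich = store.create_token("ulrich", "Ulrich Token")
    quinn = store.create_token("quinn", "Quality Rep Token")  # constructed third reviewer
    outcome = {}

    # Policy 1: two digital signatures, no group requirement.
    two_sig = MergeGate(store, required_signatures=2)
    try:
        two_sig.sign_and_approve("thomas", "pasted-the-wrong-token")
        outcome["bad_token_rejected"] = False
    except PermissionError:
        outcome["bad_token_rejected"] = True
    two_sig.sign_and_approve("thomas", thomas)
    outcome["two_sig_after_one"] = two_sig.can_merge()   # False: Ulrich still pending
    two_sig.sign_and_approve("ulrich", ulrich)
    outcome["two_sig_after_two"] = two_sig.can_merge()   # True

    # Policy 2: one signature from each of three representative groups.
    groups = MergeGate(
        store,
        required_signatures=2,
        required_groups=frozenset({"Tech Rep", "Test Rep", "Quality Rep"}),
        group_membership={"Tech Rep": {"thomas"}, "Test Rep": {"ulrich"},
                          "Quality Rep": {"quinn"}},
    )
    groups.sign_and_approve("thomas", thomas, "Tech Rep")
    groups.sign_and_approve("ulrich", ulrich, "Test Rep")
    outcome["groups_after_two"] = groups.can_merge()     # False: Quality Rep missing
    try:
        groups.sign_and_approve("ulrich", ulrich, "Quality Rep")  # not a member
        outcome["wrong_group_rejected"] = False
    except PermissionError:
        outcome["wrong_group_rejected"] = True
    groups.sign_and_approve("quinn", quinn, "Quality Rep")
    outcome["groups_after_three"] = groups.can_merge()   # True
    return outcome


if __name__ == "__main__":
    for step, ok in run_acme_scenario().items():
        print(f"{step}: {ok}")
```

Two points the walk-through makes that the prose only implies: a signature is keyed by the person, so one reviewer signing twice never counts as two signatures, and a group signature is only accepted from a member of that group, so a missing “Quality Rep” cannot be filled in by someone who already signed for “Test Rep”.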