-
Notifications
You must be signed in to change notification settings - Fork 504
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature: Branch-Protection check should include Repository Rules #3326
Comments
This sounds like a great enhancement to me, especially given the token discussions we've had in ossf/scorecard-webapp#444. We can augment the existing check to reward branch protection or repository rules. Are you interested in contributing? If it's just a feature request, I can see this being beneficial enough for a maintainer to pick up as well. |
Initial thoughts from the documentation:
The applicable rules themselves seem pretty 1:1 with branch protection settings, so hopefully this is a straightforward graphQL query change. But there is at least one new rules: |
From poking the API, I think Organization-level rules are included in the results when querying a repository. In the GraphQL API the field is Also worth a shout: this feature is pay-walled:
I also had this hope and started down this path, something like: {
repository(owner: "laurentsimon", name: "test3") {
...
rulesets(first: 100) {
edges {
node {
name
enforcement
pullRequestRules: rules(first: 100, type: PULL_REQUEST) {
edges {
node {
parameters {
... on PullRequestParameters {
dismissStaleReviewsOnPush
requireCodeOwnerReview
requireLastPushApproval
requiredApprovingReviewCount
requiredReviewThreadResolution
}
}
}
}
}
}
}
}
} My code has a I saw a couple of paths:
I have some non-functional code attempting the latter. I spent the most time stuck wondering if the rulesets should be fetched as part of
Yep! Per the above I'd appreciate some feedback on the approach, but I'm happy to turn this into a PR if it's as simple as we currently think it may be 🤞😆 . I'm also not offended if anybody else wants to! |
Yes, I beleive that's true, from looking at the graphql object docs:
I think something like that works (I hadn't seen how to do parameters before in graphQL like that, neat). We may care about some of the other parameters too, such as
A couple thoughts:
Understood. |
Ah I see, this is the
It would be nice if people just used the conventions of All and Default, which seem to return values of:
But we may need to do some parsing for the |
Agreed! I tried in main...thepwagner:scorecard:rulesets-via-v3-api and got to the point where I was using the rule sets to modify the
Sorry for the initial ambiguity, in main...thepwagner:scorecard:rulesets-via-v4-api I've synchronized the mock query in the comment with my GraphQL query to fetch the rules. That might be worth opening as a draft and refining? The approach is to fetch every I got to the point of implementing |
Specifically,
I think this approach sounds good to me, there are some specific critiques I have that are better suited for a draft PR review. I think the approach of v3 vs v4 is the pain of doing fnmatch ourselves. I see a lot of "this is equivalent to X in regexp", so I wonder if we can do a quick and dirty conversion to come up with a regexp equivalent. |
I took a stab at this and threw it in a branch. main...spencerschrock:scorecard:exp/fnmatch, or the commit permalink, 086a66e There is one corner case that has to do with
|
Thanks, I cherry-picked that into my I've opened a draft PR here #3354 , and noted my biggest concern in the description: things get weird when repository rules are layered on top of branch protection rules, or on top of other repository rules. |
FWIW Go's stdlib |
Sadly this doesn't match a common pattern, one of GitHub's suggested ones (playground): pattern := "releases/**/*"
branch := "releases/v2"
match, err := filepath.Match(pattern, branch)
fmt.Println(match, err) false <nil> |
Right. hmm. Fair enough. Seems like that it's not actually an fnmatch compatible pattern match but a different glob-like pattern since many(most?) fnmatch implementations don't support Seems like some folks have run into this before as well. |
Is your feature request related to a problem? Please describe.
GitHub has recently released Repository Rules as an alternative to Branch Protection rules.
These rules can be queried without administrator access, so Scorecard can determine if a third party repository is branch-protected, and
ossf/scorecard-action
can produce better results with default tokens.Describe the solution you'd like
The Branch Protection checks should be modified to fetch and score protections provided through Repository Rules in addition to Branch Protection rules. Support was added to go-github in google/go-github#2789 .
Describe alternatives you've considered
Additional context
The text was updated successfully, but these errors were encountered: