fix(github): branch protection not supported

[tpolekhin]

what

• fix github branch protection not supported

why

• Correctly handle GitHub API error when branch protection is not available in Free Private repositories

tests

• I have tested my changes by running tests in VSCode
• I have tested my changes by running make test
• I have tested my changes by running make build

references

• closes Automerge fails on github free accounts in 0.23.3 due to branch protection api error #3268

[nitrocode]

This is a bit of a magic string and could be changed at any point on the API.

Is there an error code or boolean that we could check instead?

[tpolekhin]

Agreed, but I think this is the way of the GitHub API unfortunately.
I took inspiration from the go-github package and how they handle branch not protected errors.
https://github.com/google/go-github/blob/master/github/repos.go#L17
https://github.com/google/go-github/blob/master/github/repos.go#L2028-L2031
https://github.com/google/go-github/blob/master/github/repos.go#L1300-L1302

Response code is HTTP 403 which is not definitive as well :(

< HTTP/2 403
< server: github.com
< date: Tue, 28 Mar 2023 17:06:56 GMT
< content-type: application/json; charset=utf-8
< content-length: 200
< x-oauth-scopes: repo
< x-accepted-oauth-scopes: repo
< github-authentication-token-expiration: 2023-04-04 17:05:36 UTC
< x-github-media-type: github.v3; format=json
< x-github-api-version-selected: 2022-11-28
< x-ratelimit-limit: 5000
< x-ratelimit-remaining: 4999
< x-ratelimit-reset: 1680026816
< x-ratelimit-used: 1
< x-ratelimit-resource: core
< access-control-expose-headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset
< access-control-allow-origin: *
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< x-frame-options: deny
< x-content-type-options: nosniff
< x-xss-protection: 0
< referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
< content-security-policy: default-src 'none'
< vary: Accept-Encoding, Accept, X-Requested-With
< x-github-request-id: D5A2:06BA:5BE84E2:5D62843:64231EAF
<
{
  "message": "Upgrade to GitHub Pro or make this repository public to enable this feature.",
  "documentation_url": "https://docs.github.com/rest/branches/branch-protection#get-branch-protection"
}

[nitrocode]

Ok fair enough. It's a long string tho and subject to change but i suppose we can iterate over it over time if it breaks.

If we do add this logic, id feel better with a shorter string and a regex. That's probably overkill.

@runatlantis/maintainers thoughts on this magic string solution and root issue?

[jamengual]

I'm ok with the string, I found it a bit shocking the API does not return something more programmatic like a bool or something else.

[tpolekhin]

We can list all protected branches for a repo and check current

https://github.com/google/go-github/blob/master/github/repos.go#L1214

Not sure if it's an efficient way of dealing with this though

[nitrocode]

Thank you @tpolekhin for the pr. I do not think this closes issue #3268 completely until we can also check for 404 not found on the branch protection endpoint (due to non admin perms).

Is that something you can also tackle within this pr? Or should be done in a follow up?

[tpolekhin]

Thank you @tpolekhin for the pr. I do not think this closes issue #3268 completely until we can also check for 404 not found on the branch protection endpoint (due to non admin perms).

Is that something you can also tackle within this pr? Or should be done in a follow up?

that is actually a tricky one, because 404 Not Found could mean 2 things:

1. Branch is not protected
2. Not enough permissions to get branch protection

It doesn't feel right to treat 2 as if branch is not protected because it can lead to errors later down the chain when incorrect merge method will be chosen.

[nitrocode]

I was thinking that if a 404 was returned from the api, then we could have an info message after the stack trace

404 not found. Please check if branch protections are set and if atlantis has admin read only access to the repo

Or similar. This way people would be more inclined to try one of those methods before reaching out to a github issue

[nitrocode]

@tpolekhin can you confirm if works end to end in your own setup? Even though it's a simple fix and contains tests, id like to double check. Sometimes when we ask this question, people try it out and find other problems with the pr and then can catch it in time

[tpolekhin]

@nitrocode fair. I did run a test on a free private repository without a protected branch without issues.
PR was merged automatically.

Apply and merge logs:

{"level":"info","ts":"2023-03-30T11:24:42.197Z","caller":"events/events_controller.go:545","msg":"parsed comment as command=\"apply\" verbose=false dir=\"\" workspace=\"\" project=\"\" flags=\"\"","json":{"gh-request-id":"X-Github-Delivery=76a5c5e0-ceed-11ed-98de-bc6831dbe53f"}}
{"level":"info","ts":"2023-03-30T11:24:43.471Z","caller":"terraform/terraform_client.go:316","msg":"Cannot determine which version to use from terraform configuration, detected 0 possibilities.","json":{"repo":"tpolekhin/atlantis-test-terraform","pull":"6"}}
{"level":"info","ts":"2023-03-30T11:24:43.730Z","caller":"runtime/apply_step_runner.go:39","msg":"starting apply","json":{"repo":"tpolekhin/atlantis-test-terraform","pull":"6"}}
{"level":"info","ts":"2023-03-30T11:24:43.965Z","caller":"models/shell_command_runner.go:156","msg":"successfully ran \"/usr/local/bin/terraform apply -input=false \\\"/home/atlantis/.atlantis/repos/tpolekhin/atlantis-test-terraform/6/default/default.tfplan\\\"\" in \"/home/atlantis/.atlantis/repos/tpolekhin/atlantis-test-terraform/6/default\"","json":{"repo":"tpolekhin/atlantis-test-terraform","pull":"6"}}
{"level":"info","ts":"2023-03-30T11:24:43.966Z","caller":"runtime/apply_step_runner.go:58","msg":"apply successful, deleting planfile","json":{"repo":"tpolekhin/atlantis-test-terraform","pull":"6"}}
{"level":"info","ts":"2023-03-30T11:24:44.301Z","caller":"events/instrumented_project_command_runner.go:87","msg":"apply success. output available at: https://github.com/tpolekhin/atlantis-test-terraform/pull/6","json":{"repo":"tpolekhin/atlantis-test-terraform","pull":"6"}}
{"level":"info","ts":"2023-03-30T11:24:46.541Z","caller":"events/automerger.go:32","msg":"automerging pull request","json":{"repo":"tpolekhin/atlantis-test-terraform","pull":"6"}}
{"level":"info","ts":"2023-03-30T11:24:49.134Z","caller":"events/instrumented_pull_closed_executor.go:45","msg":"Initiating cleanup of pull data.","json":{"repository":"tpolekhin/atlantis-test-terraform","pull-num":"6"}}
{"level":"info","ts":"2023-03-30T11:24:50.104Z","caller":"events/events_controller.go:473","msg":"deleted locks and workspace for repo tpolekhin/atlantis-test-terraform, pull 6","json":{"gh-request-id":"X-Github-Delivery=7ac53930-ceed-11ed-94bb-ce472f3c8467"}}

[nitrocode]

Thank you @tpolekhin !

[nitrocode]

@tpolekhin this was reverted due to a breaking change. See the related pr #3321