
Enable Branch Protection GET API Without Admin #24326

Jul 25, 2019 · 4 answers

Hi,

Would it be feasible to open the `GET branch/protection/required_status_checks` API to authenticated users who are not an owner of a given repository? I am attempting to integrate automatic pull request merging within our enterprise server, but that would currently require giving a service account ownership privileges, which is a potential security concern.

Thanks

Replies

4 suggested answers

Hey @benjaminwinokur 

Can you clarify? 
What account would this automation use?

How are you automating? CI tool, Script, GitHub App?
And how does getting the required status checks impact this automation - 

Interestingly, giving non-owners information about branch protection should also be a security concern.

Maybe this could help https://github.com/marketplace/auto-merge or perhaps save some time… :slight_smile:

If you use a GitHub App or OAuth App, you can get more fine-grained control over access via scoping… which may ease your security concerns … some informative links below

https://developer.github.com/apps/about-apps/#determining-which-integration-to-build
https://developer.github.com/apps/differences-between-apps/
https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/

Happy to chat in more detail and maybe figure something out …

0 replies
Answer selected

The application uses a personal access token that has been generated for a service account. I have a docker container that scans our enterprise server for matching labels and then attempts to perform the requested action. The reason I need the branch protections is because some repositories have a “branch must be up to date” requirement. This means that if I have multiple PRs for a given repository, the first one must be merged, and then the others must be re-updated, which triggers another CI build action. This branch protection only being on some repositories causes issues because there is no way to determine if I need to update the head with the base. I attempted to do this through an attempted merge and writing logic off of the returned error message, but if the branch needs to be updated, there is not a unique error message returned from the API response.

I wish I could use the auto-merge tool, but the application also checks to ensure the code from our developers conforms to our standards and runs a series of checks. This highly customized behavior means that a 3rd party option is not possible.

I may have to look into using an OAuth / GitHub application to accomplish this task.

0 replies

hey @benjaminwinokur 

That makes more sense :) 

I guess you could look at auto-merge for those repositories that don’t have the “branch must be up to date” rule enforced; ¯\_(ツ)_/¯.

I’m not sure how you are currently automating; but if you are using GitHub apps / probot then this API should help :) https://developer.github.com/v3/pulls/#update-a-pull-request-branch 

I totally get your concerns around the machine account permissions; but as with everything there is a trade-off between security, risk, exposure, likelihood and impact against the business benefits… 

The only truly secure computing can be found locked away in a basement, disconnected from the internet, and turned off at the power source - which is not super useful :) 

Joking aside, using a GitHub app, or OAuth app should allow you to use the least privileged rights to achieve your automation; which is the best possible outcome… 

@i-marsh 

0 replies
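An added example (not code from this discussion or from GitHub) showing how the automation described in the question can use the update-branch endpoint linked above with a least-privilege token: it reads the `strict` flag of the required status checks when it is allowed to, and otherwise fails closed by checking whether the head is actually behind the base before updating it. The `api.github.com` base URL, the injectable transport and the sample PR/response data are assumptions for running offline.

```python
# Added example (not from the discussion): merge planning for an auto-merge
# service account whose token may be denied reading branch protection.
import json, urllib.error, urllib.request
from dataclasses import dataclass

API = "https://api.github.com"  # assumption; GHES uses https://host/api/v3

@dataclass
class Response:
    status: int
    body: dict

def urllib_transport(method, url, headers):
    """Stdlib transport; HTTP errors become a Response instead of raising."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return Response(resp.status, json.loads(raw) if raw else {})
    except urllib.error.HTTPError as e:
        return Response(e.code, {})

def make_client(token, transport=urllib_transport):
    """Return client(method, path) -> Response; transport is injectable."""
    headers = {"Authorization": f"token {token}",
               "Accept": "application/vnd.github.v3+json"}
    return lambda method, path: transport(method, API + path, headers)

def strict_checks(client, owner, repo, branch):
    """True/False for 'branch must be up to date'; None when the branch is
    unprotected or the token cannot read protection (non-admin 403/404)."""
    r = client("GET", f"/repos/{owner}/{repo}/branches/{branch}"
                      "/protection/required_status_checks")
    if r.status == 200:
        return bool(r.body.get("strict"))
    if r.status in (403, 404):
        return None
    raise RuntimeError(f"unexpected status {r.status}")

def plan_merge(client, owner, repo, pr):
    """List the API calls to make. Fails closed: if the rule cannot be read,
    update the head first, but only when it is actually behind the base."""
    n, base, head = pr["number"], pr["base"]["ref"], pr["head"]["ref"]
    steps = []
    if strict_checks(client, owner, repo, base) is not False:
        cmp = client("GET", f"/repos/{owner}/{repo}/compare/{base}...{head}")
        if cmp.status == 200 and cmp.body.get("behind_by", 0) > 0:
            steps.append(("PUT", f"/repos/{owner}/{repo}/pulls/{n}/update-branch"))
    steps.append(("PUT", f"/repos/{owner}/{repo}/pulls/{n}/merge"))
    return steps
```

Because the compare endpoint only needs read access, this avoids both the ownership privilege the question objects to and the unnecessary CI rebuilds caused by updating every PR blindly.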

@i-marsh, I don’t see a security issue of knowing branch protections are enabled. This is just security with obscurity, which never works in the real world. We are blocked by this work as well, e.g. consumers of open source projects cannot evaluate the security posture of a dependency if they can’t get this result via the API, see Branch Protection are failing for some repositories · Issue #138 · ossf/scorecard · GitHub

0 replies