BUG number of required reviewers is only 0 alert even though is set to 1 #1614
Comments
Thanks for reporting! Can you give a link about the I ran scorecard and got the following (with my personal token):
Do you see something different in your results/dashboard?
follow-up: you're right, your latest action run has: Can you run scorecard yourself with your token via command line using our docker image as explained in https://github.com/ossf/scorecard#docker and copy the result here? Additionally, please run Fyi, I get the following with my own token
Thanks for your help!
Output of
Output of
This other option is checked in that group:
Very interesting! Which scopes do you use for your PAT?
It has the following scopes:
I could not reproduce the problem with my PAT. Let's try something else first. Can you head over to https://docs.github.com/en/graphql/overview/explorer, log in as you, and run this GraphQL command and paste your results?
Mine look like:
I think I know what is happening: The PAT was generated from an account which belongs to the group allowed to bypass pull request requirements. This is the output:
The result of running with an account that does not belong to the group allowed to bypass the code review requirements is:
I thought the APIs were returning the data in the same structure as the UI but it seems like it returns them calculated for the user making the request. I believe the fix for this issue is to create the PAT using an account that does not belong to any special group and maybe adding a note to the documentation. E.g. for flutter we want to validate the permissions from the flutter-hackers point of view.
Good catch. That's a really interesting behavior. @azeemsgoogle @jeffmendoza is this expected behavior? I think we also need to retrieve the settings "Allowed specified actors..." so it can be reported and validated, otherwise we are missing important info about the repo itself.
Very interesting find, thanks @godofredoc! I think we need help from the GitHub team here. Will follow up with them and update here.
Describe the bug
flutter/flutter has branch protection enabled and required reviewers to 1 but scorecards still show an alert with a description that is set to 0
Reproduction steps
Steps to reproduce the behavior:
Expected behavior
If reviewers is set to >1 the alert should not be triggered
Additional context
The token we are using to run scorecards with doesn't have admin access. I wonder if this is a permissions problem.