✨ feature: branch protection without admin token #823
Signed-off-by: Asra Ali <asraa@google.com>
3bfedb5 to e283518
@@ -113,7 +114,12 @@ func checkReleaseAndDevBranchProtection(ctx context.Context, r repositories, dl | |||
// The branch is protected. Check the protection. | |||
score, err := getProtectionAndCheck(ctx, r, dl, ownerStr, repoStr, b) | |||
if err != nil { | |||
return checker.CreateRuntimeErrorResult(CheckBranchProtection, err) |
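Review bot: at `if err != nil { return checker.CreateRuntimeErrorResult(CheckBranchProtection, err)` every error from getProtectionAndCheck becomes a runtime error, including the not-found response a non-admin token gets when it cannot read the protection details, which is exactly the case this PR sets out to score. Distinguish that response (check the HTTP status for 404) from timeouts and server errors before falling through to the runtime error result, and add a comment stating why a 404 on a branch already resolved against the known branch names means "protected, details unavailable" rather than a missing branch.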
How do we differentiate true errors from errors that lead to an unknown result?
Because we know this branch is protected, calling getProtectionAndCheck will only return an error if we can't get the detailed protection information.
Redirects however: they did close my issue on getting the redirected branch when you get protection, but I will test this out in case I'm missing a way to use it.
Thanks. The assumption is that https://github.com/ossf/scorecard/blob/main/checks/branch_protection.go#L174 does not trigger a new request that could time out or return a GitHub internal error. Is that correct?
Added an explicit check to make sure it's a 404 Not Found and not a timeout; I think you're right.
We should have already resolved the branch name by matching it against known branch names, so we can't run into a problem that the branch isn't found because it doesn't exist.
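An added example, not scorecard's code, of the error classification the thread settles on: a 404 on the protection-details request for a branch already known to be protected maps to the score-1-with-warning path, while timeouts and server errors remain runtime errors. The `apiError` type, `classifyProtectionError` and `scoreProtectedBranch` are assumptions standing in for the real client error type and scorecard's helpers.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// apiError stands in (assumption, not scorecard's or go-github's type) for the
// error a GitHub client returns on a non-2xx response; it carries the status.
type apiError struct {
	StatusCode int
	Message    string
}

func (e *apiError) Error() string { return fmt.Sprintf("github: %d %s", e.StatusCode, e.Message) }

// Outcome: what to do with the protection-details result for a known-protected branch.
type Outcome int

const (
	OutcomeDetailsKnown  Outcome = iota // no error: use the detailed score
	OutcomeDetailsHidden                // 404: non-admin token, score 1 plus warning
	OutcomeRuntimeError                 // timeout, 5xx, network: a real failure
)

// classifyProtectionError treats only an HTTP 404 as "protected, details
// unavailable"; the branch name was already resolved against known branches,
// so 404 cannot mean the branch is missing. Everything else is a runtime error.
func classifyProtectionError(err error) Outcome {
	if err == nil {
		return OutcomeDetailsKnown
	}
	var apiErr *apiError
	if errors.As(err, &apiErr) && apiErr.StatusCode == http.StatusNotFound {
		return OutcomeDetailsHidden
	}
	return OutcomeRuntimeError
}

// scoreProtectedBranch returns the score, an optional warning and an error.
func scoreProtectedBranch(detailScore int, err error) (int, string, error) {
	switch classifyProtectionError(err) {
	case OutcomeDetailsKnown:
		return detailScore, "", nil
	case OutcomeDetailsHidden:
		return 1, "branch is protected but the token cannot read its settings (admin token needed)", nil
	}
	return 0, "", fmt.Errorf("getting branch protection details: %w", err)
}
```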
sg, thanks for double checking!
Signed-off-by: Asra Ali asraa@google.com
What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
Enables a score for branch protection without an admin token for the repository. Only an "is protected" boolean is available via the Branches API. In this case, a score of 1 with a warning is added to the final score (with a detailed reason). Enabling branch protection without using any settings gives a score of 1.
What is the current behavior? (You can also link to an open issue here)
Not found for non-admin token usage
What is the new behavior (if this is a feature change)?
Score of 1 with warning for protected branches
Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)
Other information: