Add remediation capability for GH branch protections #1174
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jhrozek
force-pushed
the
branch_protections
branch
from
2d2d949
to
d8cd55c
Compare
rdimitrov
reviewed
Oct 11, 2023
jhrozek
force-pushed
the
branch_protections
branch
from
d8cd55c
to
9637be8
Compare
|
Two things to follow up on but I don't think they block the review (should block accepting the PR though..)
|
JAORMX
reviewed
Oct 12, 2023
| @@ -4,7 +4,7 @@ type: rule-type | |||
| name: branch_protection | |||
| context: | |||
| provider: github | |||
| description: Verifies that a branch has proper protections. | |||
| description: Verifies that a branch has a branch protection rule | |||
There was a problem hiding this comment.
I wold suggest renaming this to something like branch_protection_enabled to mark that it's a simple boolean rule.
working on the tests now, using the mock API. |
jhrozek
force-pushed
the
branch_protections
branch
from
9637be8
to
34a5466
Compare
|
btw I have trouble with the allow_fork_syncing remediation so for now I didn't include it in the profile.yaml. I'll file a separate ticket and will debug that issue further, but all that is included in this PR should work.. |
JAORMX
previously approved these changes
Oct 13, 2023
|
Thanks for the review, I will first review @rdimitrov 's PR on refactoring the engine for alerts to see which rebase is easier |
jhrozek
force-pushed
the
branch_protections
branch
from
34a5466
to
c9f92cc
Compare
We will be implementing a github-specific branch protection remediator to make our life easier when working with the complex branch protection API. The first step is to implement the protobuf type. At the moment, the type only has one field which is the patch.
We'll need this to implement the GH branch protection remediator.
Remediating github branch protections using plain REST calls proved to be very difficult because of several discrepancies between the data returned on GET and the expected data sent on POST. Instead, we're going to use the GH API with a bespoke GH branch protection remediatior.
To provide better granularity, testability and enable different remediations for different tunables, let's split the branch protection rule-type into several. Co-Authored-By: Juan Antonio Osorio <ozz@stacklok.com>
jhrozek
force-pushed
the
branch_protections
branch
from
c9f92cc
to
f254eba
Compare
|
rebased atop Radoslav's recent alerting work |
JAORMX
approved these changes
Oct 15, 2023
rdimitrov
approved these changes
Oct 15, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds branch protection remediations and splits the previous huge branch protection rule into smaller ones.
Fixes: #1154