Bug in REST API branch protection rules

Original title: Bug in REST API regarding required_approving_review_count ?

I’m in the process of automating the configuration of new repositories for my organization. One of the things we want to do is enable auto merge on the repository, and branch protection on the production (main/master) branch for every new repo. Specifically:

  • Require a pull request before merging
    • Dismiss stale pull requests
    • (nothing else from this section)
  • Require status checks to pass
    • Require branches to be up-to-date
    • [collection of status checks]
  • Include administrators

I can create the branch rule via the REST API using (either using curl or the github cli):

'{"required_status_checks":{"strict":true,"contexts":["list,of,contexts"]},"enforce_admins":true,"required_pull_request_reviews":{"dismiss_stale_reviews":true,"require_code_owner_reviews":false,"required_approving_review_count":0},"restrictions":null}'

with the exception that it’s refused with the message "required_approving_review_count"=>0 . If I change the number to 1, then the rule is created but we don’t want to require reviews, and setting it up this way is possible via the web console. This is the output from the REST API from an existing repository where we set up the branch protection rules in the web console:

  "required_pull_request_reviews": {
    "url": "https://api.github.com/repos/gilzow/drupal9/branches/master/protection/required_pull_request_reviews",
    "dismiss_stale_reviews": true,
    "require_code_owner_reviews": false,
    "required_approving_review_count": 0
  },

As you can see, required_approving_review_count is set to 0, and I’ve tested this repository and the branch rule works as I expect it to. Additionally, if I use the REST API to create a branch rule on a repo, then go to the web console for the repo, I can remove the check for “Require approvals”, and if I then retrieve the data on branch protections, it matches the above.

Attempts to patch the branch protection rules via the REST API to set the number back to 0 fail with the same error message. Similarly with attempts to set it to null, {}, false etc all return the error nil is not an object

Further, I tested updating the branch protection rule with the graphQL API and was able to update the value back to 0 using https://docs.github.com/en/graphql/reference/mutations#updatebranchprotectionrule.

This appears to be a bug in the REST API given you can set the value to 0 using either the Web Console or the GraphQL API; REST is the only one that requires an integer greater than 0.

2 Likes

I found the same issue. Set the rules to this using the UI:

{
 "required_status_checks": null,
 "required_pull_request_reviews": {
  "dismiss_stale_reviews": false,
  "require_code_owner_reviews": false,
  "required_approving_review_count": 0
 },
 "enforce_admins": {
  "url": "https://api.github.com/repos/myrepo/branches/main/protection/enforce_admins",
  "enabled": false
 },
 "restrictions": null,
 "required_linear_history": {
  "enabled": false
 },
 "allow_force_pushes": {
  "enabled": false
 },
 "allow_deletions": {
  "enabled": false
 },
 "required_conversation_resolution": {
  "enabled": false
 }
}

Then attempt to set the same over REST using https://docs.github.com/en/rest/reference/repos#update-branch-protection

{
 "required_status_checks": null,
 "required_pull_request_reviews": {
  "dismiss_stale_reviews": false,
  "require_code_owner_reviews": false,
  "required_approving_review_count": 0
 },
 "enforce_admins": false,
 "restrictions": null,
 "allow_force_pushes": false
}

Get this error:

2021/11/23 10:37:35 PUT https://api.github.com/repos/myrepo/branches/main/protection: 422 Invalid request.

No subschema in "anyOf" matched.
0 must be greater than or equal to 1.
Not all subschemas of "allOf" matched.
For 'anyOf/1', {"dismiss_stale_reviews"=>false, "require_code_owner_reviews"=>false, "required_approving_review_count"=>0} is not a null. []

have the same issue - can’t disable required_approving_review_count via REST API. I tried setting this to 0 and null with no luck. Unfortunately it’s a blocker for migrating almost 200 my department’s repos to Github

Hi @gilzow , @jeffmendoza , and @roman-karpilov_wartsila ,

Thanks for posting about this! I’ve cross-checked this with our documentation for this endpoint, and have confirmed there’s no option to set the Require a pull request before merging checkbox via this API endpoint without also setting one of the nested rules. Additionally, the allowed value range for required_approving_review_count via the REST API is an integer between 1 and 6.

As an alternative, the following GraphQL mutation will achieve this:

mutation createBranchPotection {
  createBranchProtectionRule(input: {repositoryId: "$repository_id", pattern: "$pattern", requiresApprovingReviews: true, requiredApprovingReviewCount: 0, dismissesStaleReviews: true, requiresCodeOwnerReviews: false, isAdminEnforced: true}) {
    branchProtectionRule {
      id
    }
  }
}

Replace $repository_id with the repository ID you want to create the rule on (you’ll need to create another API call to get this first), and $pattern with the branch name/matching pattern.

I hope this helps! Please let us know if you have any questions.

Cheers,

Allie

Yeah, I ended up ditching the REST api altogether and moving over to GraphQL but I would still consider this a bug as described.