Enable Branch Protection GET API Without Admin #24326
Hi, would it be feasible to open the API to authenticated users who are not an owner of a given repository? I am attempting to integrate automatic pull request merging within our enterprise server, but that would currently require giving a service account ownership privileges, which is a potential security concern. Thanks
Replies: 4 comments
Hey @benjaminwinokur, can you clarify? How are you automating: CI tool, script, GitHub App?

Interestingly, giving non-owners information about branch protection should also be a security concern.

Maybe this could help https://github.com/marketplace/auto-merge or perhaps save some time… :slight_smile:

If you use a GitHub App or OAuth App, you can get more fine-grained control over access via scoping… which may ease your security concerns … some informative links below

https://developer.github.com/apps/about-apps/#determining-which-integration-to-build

Happy to chat in more detail and maybe figure something out …
The application uses a personal access token that has been generated for a service account. I have a Docker container that scans our enterprise server for matching labels and then attempts to perform the requested action. The reason I need the branch protections is because some repositories have a “branch must be up to date” requirement. This means that if I have multiple PRs for a given repository, the first one must be merged, and then the others must be re-updated, which triggers another CI build action. This branch protection only being on some repositories causes issues because there is no way to determine if I need to update the head with the base. I attempted to do this through an attempted merge and writing logic off of the returned error message, but if the branch needs to be updated, there is not a unique error message returned from the API response. I wish I could use the auto-merge tool, but the application also checks to ensure the code from our developers conforms to our standards and runs a series of checks. This highly customized behavior means that a 3rd-party option is not possible. I may have to look into using an OAuth / GitHub application to accomplish this task.
Hey @benjaminwinokur, that makes more sense :) I guess you could look at auto-merge for those repositories that don’t have the “branch must be up to date” rule enforced; ¯\_(ツ)_/¯. I’m not sure how you are currently automating, but if you are using GitHub Apps / probot then this API should help :) https://developer.github.com/v3/pulls/#update-a-pull-request-branch I totally get your concerns around the machine account permissions, but as with everything there is a trade-off between security, risk, exposure, likelihood and impact against the business benefits…

Joking aside, using a GitHub App or OAuth App should allow you to use the least privileged rights to achieve your automation, which is the best possible outcome…
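The thread's core problem is deciding, without owner-level read access to branch protection, whether a pull request's head has to be brought up to date before it can be merged. The following is an added example (not code from this discussion, from GitHub, or from the poster's container) of how a least-privilege merge bot can make that decision from the pull request object alone and then build the update-branch call the reply above links to. It assumes the REST pull request object carries a `mergeable_state` field whose value `behind` means the head is behind its base (GraphQL documents the same states as `PullRequest.mergeStateStatus`; check the field against your GHES version), and it assumes the `expected_head_sha` / `sha` parameters of the update-branch and merge endpoints. The owner, repository, token and SHAs are constructed placeholders; nothing is sent unless you wire up the `urlopen` call yourself.

```python
import json
import os
import urllib.request

# GHES serves the REST API under /api/v3; override via env when not on github.com.
API_BASE = os.environ.get("GITHUB_API_URL", "https://api.github.com").rstrip("/")


def decide_action(pr: dict) -> str:
    """Map one pull request object to a bot action.

    Returns "skip", "wait", "update-branch" or "merge". Assumed semantics of
    `mergeable_state`: "behind" = head is behind base, "clean" = up to date and
    all required checks passed, "dirty" = merge conflict; anything else
    (blocked/unstable/unknown/has_hooks) means checks are pending or failing.
    No branch-protection read is needed for this decision.
    """
    if pr.get("state") != "open" or pr.get("draft"):
        return "skip"
    state = pr.get("mergeable_state")
    if state == "behind":
        return "update-branch"
    if state == "clean":
        return "merge"
    if state == "dirty":
        return "skip"
    return "wait"


def build_request(owner: str, repo: str, number: int, action: str,
                  token: str, head_sha: str) -> urllib.request.Request:
    """Build (but do not send) the REST call for an action from decide_action().

    Both calls pin the head SHA so the bot never updates or merges a PR that
    changed between the read and the write. The token is expected to be a
    fine-grained PAT or App installation token scoped to this repository.
    """
    if action == "update-branch":
        path = f"/repos/{owner}/{repo}/pulls/{number}/update-branch"
        body = {"expected_head_sha": head_sha}
    elif action == "merge":
        path = f"/repos/{owner}/{repo}/pulls/{number}/merge"
        body = {"sha": head_sha, "merge_method": "squash"}
    else:
        raise ValueError(f"no API call for action {action!r}")
    req = urllib.request.Request(API_BASE + path,
                                 data=json.dumps(body).encode(), method="PUT")
    req.add_header("Accept", "application/vnd.github+json")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    return req


# Constructed sample PR objects: only the fields the bot reads.
SAMPLE_PRS = [
    {"number": 1, "state": "open", "draft": False, "mergeable_state": "behind",
     "head": {"sha": "aaaaaaaa"}},
    {"number": 2, "state": "open", "draft": False, "mergeable_state": "clean",
     "head": {"sha": "bbbbbbbb"}},
    {"number": 3, "state": "open", "draft": False, "mergeable_state": "blocked",
     "head": {"sha": "cccccccc"}},
]


def plan(prs: list) -> list:
    """Return [(number, action)] for a batch of PR objects, in input order."""
    return [(pr["number"], decide_action(pr)) for pr in prs]


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN", "placeholder-token")  # constructed default
    for number, action in plan(SAMPLE_PRS):
        print(number, action)
        if action in ("update-branch", "merge"):
            pr = next(p for p in SAMPLE_PRS if p["number"] == number)
            req = build_request("example-org", "example-repo", number, action,
                                token, pr["head"]["sha"])
            print("  would", req.get_method(), req.full_url)
            # urllib.request.urlopen(req)  # send only against a real repository
```

Processing PRs one at a time and re-reading the PR object after each update-branch or merge matters here: once the first PR merges, the others flip to `behind`, which is exactly the "re-update triggers another CI build" behaviour the original poster describes, and the bot should see that state rather than guess it from a merge error.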
@i-marsh, I don’t see a security issue with knowing branch protections are enabled. This is just security through obscurity, which never works in the real world. We are blocked by this as well, e.g. consumers of open source projects cannot evaluate the security posture of a dependency if they can’t get this result via the API; see Branch Protection are failing for some repositories · Issue #138 · ossf/scorecard · GitHub