The application uses a personal access token that has been generated for a service account. I have a docker container that that scans our enterprise server for matching labels and then attempts to perform the requested action. The reason I need the branch protections is because some repositories have a “branch must be up to date” requirement. This means that if I have multiple PR’s for a given repository, the first one must be merged, and then the others must be re-updated - which triggers another CI build action. This branch protection only being on some repositories causes issues because there is no way to determine if I need to update the head with the base. I attempted to do this through an attempted merge and writing logic off of the returned error message, but if the branch needs to be update, there is not a unique error message returned from the API response. 

I wish I could use the auto-merge tool, but the applicaiton also checks to ensure the code from our developers conforms to our standards and runs a series of checks. This highly customized behavior means that a 3rd party option is not possible. 

I may have to look into using an OAuth / GitHub application to accomplish this task.

hey @benjaminwinokur 

That makes more sense :) 

I guess you could look at auto-merge for those repositories that don’t have the “branch must be up to date” rule enforced; ¯_(ツ)_/¯.

I’m not sure how you are currently automating; but if you are using GitHub apps / probot then this API should help :) https://developer.github.com/v3/pulls/#update-a-pull-request-branch 

I totally get your concerns around the machine account permissions; but as with everything there is a trade-off between security, risk, exposure, likelihood and impact against the business benefits… 

The only truly secure computing can be found locked away in a basement, disconnected from the internet, and turned of at the power source - which is not super useful :) 

Joking aside, using a GitHub app, or OAuth app should allow you to use the least privileged rights to achieve your automation; which is the best possible outcome… 

@i-marsh 

@i-marsh, i don’t see a security issue of knowing branch protections are enabled. this is just security with obscurity, which never works in real world. we are blocked by this work as well, e.g. consumers of open source projects cannot evaluate security posture of a dependency if they can’t get this result via api, see Branch Protection are failing for some repositories · Issue #138 · ossf/scorecard · GitHub