Copilot Lvl 3
Message 1 of 4

Enable Branch Protection GET API Without Admin


Hi,

 

Would it be feasible to open the 

GET branch/protection/required_status_checks 

API to authenticated users who are not an owner of a given repository? I am attempting to integrate automatic pull request merging within our enterprise server, but that would currently require giving a service account ownership privileges, which is a potential security concern.

 

Thanks

3 Replies
Solution
GitHub Staff
Message 2 of 4

Re: Enable Branch Protection GET API Without Admin

Hey @benjaminwinokur 

Can you clarify? 
What account would this automation use?

How are you automating? CI tool, Script, GitHub App?
And how does getting the required status checks impact this automation - 

Interestingly, giving non-owners information about branch protection should also be a security concern.

 

Maybe this could help https://github.com/marketplace/auto-merge or perhaps save some time.. :)

 

If you use a GitHub App or OAuth App, you can get more fine-grained control over access via scoping... which may ease your security concerns .. some informative links below

 

https://developer.github.com/apps/about-apps/#determining-which-integration-to-build
https://developer.github.com/apps/differences-between-apps/
https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/

 

Happy to chat in more detail and maybe figure something out ..

 

Copilot Lvl 3
Message 3 of 4

Re: Enable Branch Protection GET API Without Admin

The application uses a personal access token that has been generated for a service account. I have a docker container that scans our enterprise server for matching labels and then attempts to perform the requested action. The reason I need the branch protections is because some repositories have a "branch must be up to date" requirement. This means that if I have multiple PRs for a given repository, the first one must be merged, and then the others must be re-updated, which triggers another CI build action. This branch protection only being on some repositories causes issues because there is no way to determine if I need to update the head with the base. I attempted to do this through an attempted merge and writing logic off of the returned error message, but if the branch needs to be updated, there is not a unique error message returned from the API response.

 

I wish I could use the auto-merge tool, but the application also checks to ensure the code from our developers conforms to our standards and runs a series of checks. This highly customized behavior means that a 3rd party option is not possible.

 

I may have to look into using an OAuth / GitHub application to accomplish this task.

GitHub Staff
Message 4 of 4

Re: Enable Branch Protection GET API Without Admin

hey @benjaminwinokur 

That makes more sense :) 

 

I guess you could look at auto-merge for those repositories that don't have the "branch must be up to date" rule enforced; ¯\_(ツ)_/¯.

 

I'm not sure how you are currently automating; but if you are using GitHub apps / probot then this API should help :) https://developer.github.com/v3/pulls/#update-a-pull-request-branch 

 

I totally get your concerns around the machine account permissions; but as with everything there is a trade-off between security, risk, exposure, likelihood and impact against the business benefits.. 

 

` The only truly secure computing can be found locked away in a basement, disconnected from the internet, and turned off at the power source ` - which is not super useful :)

 

Joking aside, using a GitHub app, or OAuth app should allow you to use the least privileged rights to achieve your automation; which is the best possible outcome.. 

 

@i-marsh
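The decision logic the thread circles around (read the base branch's required_status_checks `strict` flag, and bring the head up to date via the update-branch endpoint before merging) as an added Python example; this is not code from either poster or from GitHub. It assumes the REST v3 paths quoted in the thread, an `acme/billing` repository and PR number that are made up for the fixture, and it adds one fallback the thread does not mention: when the token lacks admin and the protection endpoint returns 403, the compare endpoint (which only needs read access) tells whether the head is actually behind, so the extra CI build is only triggered when a strict rule could block the merge. The HTTP transport is injected, so the constructed responses below let it run offline; both `PUT` bodies pin the expected head SHA so a push landing between the check and the action is refused rather than silently merged.

```python
"""Decide whether a PR must be brought up to date before merging, with or
without permission to read the base branch's protection rule (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# (method, path, json_body) -> (http_status, decoded_json). A real client
# would wrap requests/urllib; the fixture below stands in for it offline.
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


@dataclass(frozen=True)
class PullRequest:
    owner: str
    repo: str
    number: int
    base_ref: str
    head_sha: str


def base_requires_up_to_date(call: Transport, pr: PullRequest) -> Optional[bool]:
    """'strict' flag of the base branch's required status checks.

    Reading it needs repo admin (for a GitHub App: Administration read).
    Returns None on 403 (no admin) or 404 (no protection rule) so the caller
    can fall back instead of failing."""
    path = (f"/repos/{pr.owner}/{pr.repo}/branches/{pr.base_ref}"
            "/protection/required_status_checks")
    status, body = call("GET", path, None)
    if status == 200:
        return bool(body.get("strict", False))
    if status in (403, 404):
        return None
    raise RuntimeError(f"unexpected {status} from {path}")


def head_is_behind(call: Transport, pr: PullRequest) -> bool:
    """True when base commits are missing from the head (behind_by > 0).
    The compare endpoint only needs read access, so a non-admin token works."""
    path = f"/repos/{pr.owner}/{pr.repo}/compare/{pr.base_ref}...{pr.head_sha}"
    status, body = call("GET", path, None)
    if status != 200:
        raise RuntimeError(f"compare failed with {status}")
    return int(body.get("behind_by", 0)) > 0


def plan_action(call: Transport, pr: PullRequest) -> str:
    """Return 'merge' or 'update-branch'."""
    strict = base_requires_up_to_date(call, pr)
    if strict is False:
        return "merge"            # rule known to be off: never force a rebuild
    if not head_is_behind(call, pr):
        return "merge"            # nothing to update, strict or not
    # strict is True, or unknown because we lack admin: update only now that
    # we know the head really is behind, so the extra CI run is justified.
    return "update-branch"


def run(call: Transport, pr: PullRequest) -> str:
    """Execute the planned action; both PUTs pin the head SHA we inspected."""
    base = f"/repos/{pr.owner}/{pr.repo}/pulls/{pr.number}"
    if plan_action(call, pr) == "update-branch":
        status, _ = call("PUT", f"{base}/update-branch",
                         {"expected_head_sha": pr.head_sha})
        return "updated" if status == 202 else f"update refused ({status})"
    status, _ = call("PUT", f"{base}/merge",
                     {"sha": pr.head_sha, "merge_method": "squash"})
    return "merged" if status == 200 else f"merge refused ({status})"


def make_fixture(responses: Dict[Tuple[str, str], Tuple[int, dict]]) -> Transport:
    """Constructed stand-in for an HTTP client, keyed by (method, path)."""
    def call(method: str, path: str, body: Optional[dict] = None):
        return responses.get((method, path), (404, {"message": "Not Found"}))
    return call


# Constructed sample data: repository, PR and SHA are made up.
PR = PullRequest("acme", "billing", 42, "main", "deadbeef")
_R = "/repos/acme/billing"
PROTECTION = f"{_R}/branches/main/protection/required_status_checks"
COMPARE = f"{_R}/compare/main...deadbeef"
UPDATE, MERGE = f"{_R}/pulls/42/update-branch", f"{_R}/pulls/42/merge"

ADMIN_STRICT_BEHIND = make_fixture({   # admin token, strict rule, 2 behind
    ("GET", PROTECTION): (200, {"strict": True, "contexts": ["ci/build"]}),
    ("GET", COMPARE): (200, {"behind_by": 2, "ahead_by": 1}),
    ("PUT", UPDATE): (202, {"message": "Updating pull request branch."}),
})
NON_ADMIN_BEHIND = make_fixture({      # same PR, token without admin
    ("GET", PROTECTION): (403, {"message": "Must have admin rights to Repository."}),
    ("GET", COMPARE): (200, {"behind_by": 2, "ahead_by": 1}),
    ("PUT", UPDATE): (202, {}),
})
NON_ADMIN_CURRENT = make_fixture({     # no admin, but head already up to date
    ("GET", PROTECTION): (403, {}),
    ("GET", COMPARE): (200, {"behind_by": 0, "ahead_by": 1}),
    ("PUT", MERGE): (200, {"merged": True}),
})
ADMIN_LOOSE_BEHIND = make_fixture({    # rule present but strict=false
    ("GET", PROTECTION): (200, {"strict": False, "contexts": ["ci/build"]}),
    ("GET", COMPARE): (200, {"behind_by": 2}),
    ("PUT", MERGE): (200, {"merged": True}),
})

if __name__ == "__main__":
    for name, fx in [("admin/strict", ADMIN_STRICT_BEHIND), ("non-admin", NON_ADMIN_BEHIND),
                     ("non-admin/current", NON_ADMIN_CURRENT), ("admin/loose", ADMIN_LOOSE_BEHIND)]:
        print(f"{name:18} {plan_action(fx, PR):14} -> {run(fx, PR)}")
```

The fallback costs one unnecessary update (and CI run) only in the case where a non-admin token meets a behind head on a repository whose rule is not strict; every other case matches what an admin token would decide, which is the trade the thread is weighing against handing the service account admin rights.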