Would it be feasible to open the API to authenticated users who are not an owner of a given repository? I am attempting to integrate automatic pull request merging within our enterprise server, but that would currently require giving a service account ownership privileges, which is a potential security concern.
Can you clarify?
What account would this automation use?
How are you automating? CI tool, Script, GitHub App?
And how does getting the required status checks impact this automation?
Interestingly, giving non-owners information about branch protection should also be a security concern.
Maybe this could help https://github.com/marketplace/auto-merge or perhaps save some time.. :)
If you use a GitHub App or OAuth App, you can get more fine-grained control over access via scoping... which may ease your security concerns .. some informative links below
Happy to chat in more detail and maybe figure something out ..
The application uses a personal access token that has been generated for a service account. I have a docker container that scans our enterprise server for matching labels and then attempts to perform the requested action. The reason I need the branch protections is because some repositories have a "branch must be up to date" requirement. This means that if I have multiple PRs for a given repository, the first one must be merged, and then the others must be re-updated, which triggers another CI build action. This branch protection only being on some repositories causes issues because there is no way to determine if I need to update the head with the base. I attempted to do this through an attempted merge and writing logic off of the returned error message, but if the branch needs to be updated, there is not a unique error message returned from the API response.
I wish I could use the auto-merge tool, but the application also checks to ensure the code from our developers conforms to our standards and runs a series of checks. This highly customized behavior means that a 3rd party option is not possible.
I may have to look into using an OAuth / GitHub application to accomplish this task.
That makes more sense :)
I guess you could look at auto-merge for those repositories that don't have the "branch must be up to date" rule enforced; ¯\_(ツ)_/¯.
I'm not sure how you are currently automating; but if you are using GitHub apps / probot then this API should help :) https://developer.github.com/v3/pulls/#update-a-pull-request-branch
I totally get your concerns around the machine account permissions; but as with everything there is a trade-off between security, risk, exposure, likelihood and impact against the business benefits..
"The only truly secure computing can be found locked away in a basement, disconnected from the internet, and turned off at the power source" - which is not super useful :)
Joking aside, using a GitHub app, or OAuth app should allow you to use the least privileged rights to achieve your automation; which is the best possible outcome..
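To make the two suggestions in this thread concrete (detecting whether a PR head is behind its base without reading the branch-protection settings, and then calling the update-branch endpoint linked above), here is an added example script. It is not code from either poster and not GitHub's own tooling. It assumes the public API base URL (on GitHub Enterprise Server that would be `https://<your-host>/api/v3`), a token in the `GITHUB_TOKEN` environment variable, and that the caller already knows whether the target repository enforces the "branch must be up to date" rule (the `strict_required` flag), since reading branch protection is the admin-level call the original poster wants to avoid. The `fetch` parameter exists only so the decision logic can be exercised offline with a fake transport.

```python
"""Decide whether an automated merge must first bring the PR head up to date.

Uses three documented GitHub REST endpoints:
  GET /repos/{owner}/{repo}/pulls/{number}
  GET /repos/{owner}/{repo}/compare/{base_sha}...{head_sha}   (reports behind_by)
  PUT /repos/{owner}/{repo}/pulls/{number}/update-branch      (linked in the thread)
  PUT /repos/{owner}/{repo}/pulls/{number}/merge
None of these require repository ownership; write access is enough.
"""
import json
import os
import sys
import urllib.request

# Assumption: public API. On GitHub Enterprise Server use https://<host>/api/v3
API = os.environ.get("GITHUB_API_URL", "https://api.github.com")


def default_fetch(method, url, token, body=None):
    """One authenticated REST call; returns the decoded JSON body (or {})."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"token {token}")
    req.add_header("Accept", "application/vnd.github.v3+json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def head_is_behind(compare_result):
    """compare/{base}...{head}: behind_by = commits on base missing from head."""
    return int(compare_result.get("behind_by", 0)) > 0


def plan_action(pr, compare_result, strict_required):
    """Return 'update-branch', 'merge' or 'wait' for a pull request.

    strict_required mirrors required_status_checks.strict on the protected
    base branch (the "branch must be up to date" rule). It is passed in rather
    than read from the protection API, so no admin permission is needed.
    """
    if pr.get("state") != "open" or pr.get("draft"):
        return "wait"
    if strict_required and head_is_behind(compare_result):
        return "update-branch"
    return "merge"


def process_pull(owner, repo, number, token, strict_required, fetch=default_fetch):
    """Fetch the PR, compare head to base, then update or merge. Returns the action."""
    repo_url = f"{API}/repos/{owner}/{repo}"
    pr = fetch("GET", f"{repo_url}/pulls/{number}", token)
    base_sha, head_sha = pr["base"]["sha"], pr["head"]["sha"]
    compare = fetch("GET", f"{repo_url}/compare/{base_sha}...{head_sha}", token)
    action = plan_action(pr, compare, strict_required)

    if action == "update-branch":
        # expected_head_sha makes the update a no-op if someone pushed meanwhile.
        fetch("PUT", f"{repo_url}/pulls/{number}/update-branch", token,
              {"expected_head_sha": head_sha})
    elif action == "merge":
        # Pinning sha refuses to merge commits the bot has not reviewed/checked.
        fetch("PUT", f"{repo_url}/pulls/{number}/merge", token,
              {"sha": head_sha, "merge_method": "squash"})  # method is an assumption
    return action


if __name__ == "__main__":
    # usage: python merge_bot.py OWNER REPO PR_NUMBER [strict]
    owner, repo, number = sys.argv[1], sys.argv[2], int(sys.argv[3])
    strict = len(sys.argv) > 4 and sys.argv[4] == "strict"
    token = os.environ["GITHUB_TOKEN"]  # never hard-code the service token
    print(process_pull(owner, repo, number, token, strict))
```

Two design points worth noting. The compare endpoint answers "is the head behind the base?" directly through `behind_by`, which sidesteps the problem described earlier of trying to infer that state from a failed merge's error message. And both write calls pin the head SHA (`expected_head_sha` on update-branch, `sha` on merge), so a commit pushed between the bot's checks and its write is rejected by the server instead of silently merged; this matters when the service account is used with least-privilege scoping, as the later replies recommend. On older Enterprise Server releases the update-branch endpoint was behind a preview Accept header, so check the API docs for your server version.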