
Branch Protection Bot

A bot tool to temporarily disable and re-enable the "Do not allow bypassing the above settings" option in branch protection.

Github doesn't have a way to give a bot access to override branch protection, specifically when "Do not allow bypassing the above settings" is enabled. The only possible solution is to disable that option. This increases the risk of accidental pushes to master by administrators (I've done it a few times). This tool doesn't completely solve the problem of accidents happening, but it reduces the chances by closing the window as soon as the push is done.

The intended use of this tool is in a CI/CD pipeline where you need temporary access to let an administrator bot push to a protected branch.

Tutorial

How it works

  1. Your automated pipeline is kicked off
  2. Before you push to Github, run this tool to disable "Do not allow bypassing the above settings"
  3. Push to the repository
  4. After you push to Github, run this tool again to re-enable "Do not allow bypassing the above settings"

Example usage

Docker

docker run -e ACCESS_TOKEN=abc123 -e BRANCH=master -e REPO=branch-protection-bot -e OWNER=benjefferies benjjefferies/branch-protection-bot

Github Actions

- name: Temporarily disable "Do not allow bypassing the above settings" branch protection
  uses: benjefferies/branch-protection-bot@master
  if: always()
  with:
    access_token: ${{ secrets.ACCESS_TOKEN }}
    branch: ${{ github.event.repository.default_branch }}
    
- name: Deploy
  run: |
    mvn release:prepare -B
    mvn release:perform -B
   
- name: Enable "Do not allow bypassing the above settings" branch protection
  uses: benjefferies/branch-protection-bot@master
  if: always()  # Force to always run this step to ensure "Do not allow bypassing the above settings" is always turned back on
  with:
    access_token: ${{ secrets.ACCESS_TOKEN }}
    owner: benjefferies
    repo: branch-protection-bot
    branch: ${{ github.event.repository.default_branch }}

Inputs

access_token

Required. A Github personal access token: https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line. See the issue for the required permissions.

owner

For example benjefferies for https://github.com/benjefferies/branch-protection-bot. If owner and repo are not both set, the GITHUB_REPOSITORY variable will be used.

repo

For example branch-protection-bot for https://github.com/benjefferies/branch-protection-bot. If owner and repo are not both set, the GITHUB_REPOSITORY variable will be used.

branch

Branch name. Default "master".

retries

Number of times to retry before exiting. Default 5.

enforce_admins

Pins the state of "Do not allow bypassing the above settings" explicitly for a step in the workflow, instead of toggling whatever the current state is. The initial_status example under Outputs passes false to disable the option and the recorded initial value to restore it.

Outputs

initial_status

Outputs the branch protection status of "Do not allow bypassing the above settings" as it was before any change. You can read it from any later step in the job using ${{ steps.disable_include_admins.outputs.initial_status }}, which lets you restore the initial setting like this:

steps:
  - name: "Temporarily disable 'Do not allow bypassing the above settings' default branch protection"
    id: disable_include_admins
    uses: benjefferies/branch-protection-bot@master
    if: always()
    with:
      access_token: ${{ secrets.ACCESS_TOKEN }}
      branch: ${{ github.event.repository.default_branch }}
      enforce_admins: false

  - ...

  - name: "Restore 'Do not allow bypassing the above settings' default branch protection"
    uses: benjefferies/branch-protection-bot@master
    if: always() # Force to always run this step to ensure "Do not allow bypassing the above settings" is always turned back on
    with:
      access_token: ${{ secrets.ACCESS_TOKEN }}
      branch: ${{ github.event.repository.default_branch }}
      enforce_admins: ${{ steps.disable_include_admins.outputs.initial_status }}
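The disable / push / restore sequence above, written out as an added example (not the project's own run.py). It pins the enforce_admins flag to an explicit state instead of toggling it, verifies the state after each write, retries transient failures, and restores the recorded initial value in a finally block so the window is closed even when the push fails. It assumes the GitHub REST endpoints GET/POST/DELETE /repos/{owner}/{repo}/branches/{branch}/protection/enforce_admins and an injected `send(method, url, token)` transport returning (status, body); the FakeGitHub class is a constructed offline stand-in for that transport, and a real one would wrap urllib or requests.

```python
import time

API = "https://api.github.com"  # assumed base URL; `send` is the injected HTTP transport

def enforce_admins_url(owner, repo, branch):
    return f"{API}/repos/{owner}/{repo}/branches/{branch}/protection/enforce_admins"

def get_enforce_admins(send, url, token):
    """GET returns {"enabled": bool} for the include-administrators / 'Do not allow bypassing' flag."""
    status, body = send("GET", url, token)
    if status != 200:
        raise RuntimeError(f"GET {url} -> {status}")
    return bool(body["enabled"])

def set_enforce_admins(send, url, token, enabled, retries=5, delay=0.0):
    """Pin the flag to an explicit state (POST enables, DELETE disables), read it back to
    verify, and retry transient failures. Returns the attempt number that succeeded."""
    method = "POST" if enabled else "DELETE"
    for attempt in range(1, retries + 1):
        status, _ = send(method, url, token)
        if status in (200, 204) and get_enforce_admins(send, url, token) == enabled:
            return attempt
        time.sleep(delay)
    raise RuntimeError(f"could not set enforce_admins={enabled} after {retries} tries")

def with_admin_bypass(send, url, token, push):
    """Record the initial state, open the window, run `push`, and always restore the
    initial state (the initial_status pattern), so a failed push cannot leave it open."""
    initial = get_enforce_admins(send, url, token)
    set_enforce_admins(send, url, token, False)
    try:
        return push()
    finally:
        set_enforce_admins(send, url, token, initial)

class FakeGitHub:
    """Constructed offline stand-in for the API: one flag; fails the first N write calls."""
    def __init__(self, enabled=True, fail_first=0):
        self.enabled, self.fail_first, self.calls = enabled, fail_first, []

    def send(self, method, url, token):
        self.calls.append(method)
        if method != "GET" and self.fail_first > 0:
            self.fail_first -= 1
            return 502, {}
        if method == "POST":
            self.enabled = True
        elif method == "DELETE":
            self.enabled = False
        return (200, {"enabled": self.enabled}) if method == "GET" else (204, {})
```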

Github repository settings

The Bot account must be an administrator.

branch-protection-bot's Issues

Question: Does this action toggle the state unconditionally?

Not an issue, and excuse me if this is made clear somewhere, but it seems like this action toggles the state of the setting rather than explicitly setting it to on or off. This is probably fine in most cases but I'm worried about cases where the first step succeeds, turning the setting off, then my build exits without turning it back on. So when I go to build again, I'm flipping it from off=>on. Does this action consider this scenario and prevent unintended states of this setting?

Feature request: disable more settings

This bot works great for just the "include administrators" part of branch protections (thanks!). But there are other branch protection settings that can be useful to remove from the default branch so that bots can push to it:

  • Requiring an approving review
  • Required status checks

Example build:

ERROR remote: error: GH006: Protected branch update failed for refs/heads/main.        
remote: error: At least 1 approving review is required by reviewers with write access. 10 of 10 required status checks are expected.        
To https://github.com/JoshuaKGoldberg/template-typescript-node-package
 * [new tag]         v1.24.0 -> v1.24.0
 ! [remote rejected] main -> main (protected branch hook declined)

Would you be open to expanding scope of this bot to also disable & enable those?

ModuleNotFoundError: No module named 'typing_extensions'

Running into the following issue in our CI pipeline for auto-release. It seems that typing_extensions package just needs to be added. Here is a reference I found msiemens/tinydb#413

Run benjefferies/branch-protection-bot@master
Traceback (most recent call last):
  File "/bin/run.py", line 6, in <module>
    from github3 import login
  File "/pyroot/lib/python3.7/site-packages/github3/__init__.py", line 20, in <module>
    from .api import enterprise_login
  File "/pyroot/lib/python3.7/site-packages/github3/api.py", line 9, in <module>
    from .github import GitHub
  File "/pyroot/lib/python3.7/site-packages/github3/github.py", line 8, in <module>
    from . import apps
  File "/pyroot/lib/python3.7/site-packages/github3/apps.py", line 7, in <module>
    import jwt
  File "/pyroot/lib/python3.7/site-packages/jwt/__init__.py", line 1, in <module>
    from .api_jwk import PyJWK, PyJWKSet
  File "/pyroot/lib/python3.7/site-packages/jwt/api_jwk.py", line 7, in <module>
    from .algorithms import get_default_algorithms, has_crypto, requires_cryptography
  File "/pyroot/lib/python3.7/site-packages/jwt/algorithms.py", line 27, in <module>
    from typing_extensions import Literal

Error when using Action: Pipenv is not intended to work under the root directory, please choose another path

In the past 24 hours or so there's been an error when trying to run the Action:

This of course fails the whole workflow.

Here are the raw logs for both steps that benjefferies/[email protected] is part of:
2_Build [email protected]
11_Enable include administrators branch protection.txt

The error seems to be this:

2020-05-28T07:18:48.8729872Z ERROR: Pipenv is not intended to work under the root directory, please choose another path.
2020-05-28T07:18:49.0731624Z The command '/bin/sh -c PIP_USER=1 PIP_IGNORE_INSTALLED=1 pipenv install --system --deploy --ignore-pipfile' returned a non-zero code: 1

ModuleNotFoundError: No module named 'uritemplate' when running action

Hi! A couple of days ago the GitHub Action started to fail with the following

2020-06-06T16:38:23.6715369Z ##[group]Run benjefferies/[email protected]
2020-06-06T16:38:23.6715528Z with:
2020-06-06T16:38:23.6716100Z   access-token: ***
2020-06-06T16:38:23.6716225Z   enforce_admins: false
2020-06-06T16:38:23.6716359Z   branch: master
2020-06-06T16:38:23.6716474Z   retries: 5
2020-06-06T16:38:23.6716613Z ##[endgroup]
2020-06-06T16:38:23.6753506Z ##[command]/usr/bin/docker run --name d35c4cb2359e4743f799603dd827d62448_1d73a6 --label 3888d3 --workdir /github/workspace --rm -e INPUT_ACCESS-TOKEN -e INPUT_ENFORCE_ADMINS -e INPUT_OWNER -e INPUT_REPO -e INPUT_BRANCH -e INPUT_RETRIES -e ACCESS_TOKEN -e OWNER -e REPO -e BRANCH -e RETRIES -e ENFORCE_ADMINS -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/typescript-starter/typescript-starter":"/github/workspace" 3888d3:5c4cb2359e4743f799603dd827d62448
2020-06-06T16:38:37.1376617Z Traceback (most recent call last):
2020-06-06T16:38:37.1378091Z   File "/bin/run.py", line 6, in <module>
2020-06-06T16:38:37.1386279Z     from github3 import login
2020-06-06T16:38:37.1388009Z   File "/pyroot/lib/python3.7/site-packages/github3/__init__.py", line 24, in <module>
2020-06-06T16:38:37.1388607Z     from .api import (
2020-06-06T16:38:37.1389581Z   File "/pyroot/lib/python3.7/site-packages/github3/api.py", line 13, in <module>
2020-06-06T16:38:37.1390203Z     from .github import GitHub, GitHubEnterprise
2020-06-06T16:38:37.1391157Z   File "/pyroot/lib/python3.7/site-packages/github3/github.py", line 8, in <module>
2020-06-06T16:38:37.1391683Z     import uritemplate
2020-06-06T16:38:37.1392768Z ModuleNotFoundError: No module named 'uritemplate'

The GitHub workflow remains unchanged since 12 days ago and it was working.

Failed to load paths: /bin/sh: 1: /root/.local/share/virtualenvs/src-iJ1xCYIx/bin/python: not found

When I run this action, I see the following error in the log:

  Step 8/12 : RUN PIP_USER=1 PIP_IGNORE_INSTALLED=1 pipenv install --system --deploy --ignore-pipfile
   ---> Running in 296166cff1ec
  Installing dependencies from Pipfile.lock (cdebd1)…
  Failed to load paths: /bin/sh: 1: /root/.local/share/virtualenvs/src-iJ1xCYIx/bin/python: not found
  
  Output: 
  Failed to load paths: /bin/sh: 1: /root/.local/share/virtualenvs/src-iJ1xCYIx/bin/python: not found
  
  Output: 
  Failed to load paths: /bin/sh: 1: /root/.local/share/virtualenvs/src-iJ1xCYIx/bin/python: not found
  
  Output: 
  Removing intermediate container 296166cff1ec
   ---> 8a1e87250567
  Step 9/12 : FROM base

The action seems to work, but this error is worrying. What causes it?

Bot fails when "Require pull request reviews before merging" is selected

This bot is a great idea! I have been using it and it generally works well, however, when I add the rule "Require pull request reviews before merging" for master branch protection then I get an error that At least 1 approving review is required by reviewers with write access (pasted below, but for context you can see the logs here)

remote: error: GH006: Protected branch update failed for refs/heads/master.        
remote: error: At least 1 approving review is required by reviewers with write access. 

Would it be possible to modify the bot such that this rule is set to false as well when we disable master branch protection? I guess it would be possible, looking at the docs I see that required_pull_request_reviews can be set to NULL to do so using the branch protection API? The github3 docs here also suggest it could be done with github3.repos.branch.ProtectionRequiredPullRequestReviews?

[Feature] Wildcard-Branch protection

At first let me thank you for this useful action! As I have set this up in our repository I encountered a problem which could lead into a feature request for this action.

We protect our branches based on wildcards, e.g. development/* which matches all branches starting with development/. When your branch-protection-bot action is executed it creates a new branch protection rule (based on the wildcard rules) and does not update our existing wildcard protection. When the action re-enables the 'include administrators' option it will only do it on the newly created branch protection rule.


This is not a real problem but forces us to update all branch protection rules and not just one wildcard when we e.g. want to enforce a new status check.

I have two ideas about this:

  1. Add a configuration option to support specific branch-protection rules (so we can target our wildcard-rules)
  2. Add a configuration option which allows instead of toggling the state of 'include administrators' to remove the newly created branch protection rule

Would love to hear your ideas about it.
