Comments (6)
Thinking about it more, this could be fixed if we finish up and merge #46: the Checks API has additional states, so we might be able to set the checks for other branches to the neutral
status without introducing the security issue. I need to do more research into how the Check API states interact with required status checks for branch protection and how they render in the UI.
from policy-bot.
This is a limitation of the GitHub API: status checks are attached to commits and I can't find a way to delete them once created. Since the branch still has the same commit, it shows the old status as well as any new statuses.
The branch names are necessary to avoid a different problem. Without them, you could create a PR into a branch you control with a policy that requires no approval, then change the base branch to be develop
, and then race policy-bot to merge the PR before it can update the status to reflect the policy on the new target branch.
Is the main problem that this makes it look like some statuses are still pending even if they aren't required? Setting checks to success
when switching branches would fix that, but I think it reintroduces the security issue above where you can use branch switching to skip the real policy.
from policy-bot.
FWIW this bug makes policy-bot nearly unusable with certain git workflows (if you frequently open PRs against the feature branch your feature branch is branched off, to get early feedback, then change the base branch once your base branch is merged).
from policy-bot.
To confirm, problem the is specifically that once you change the base branch, the summary status of the PR still appears as pending or failed even though all required checks are successful, which wrongly implies the PR is not ready to merge?
As I mentioned above, we're kind of stuck here because you can't delete status checks once created and overwriting a statuses to success when the policy hasn't actually passed introduces a way to merge PRs without approval.
Maybe we could solve this with a top-level option specifying the branches to check? That way, you could only protect your trunk/release branches and policy-bot would only post statuses for commits that are part of PRs targeting those whitelisted branches?
A similar workaround is currently possible, but involves a more complicated policy and requires that you follow a branch naming pattern:
policy:
approval:
- or:
- change targets a feature branch
- change is approved
approval_rules:
- name: change targets a feature branch
if:
targets_branch:
pattern: "^feature/.*$"
requires:
count: 0
- name: change is approved
requires:
count: 1
teams: ["org/approvers"]
You'd still have the extra status appear, but they'd all be successful and wouldn't impact the overall state of the PR.
from policy-bot.
I think you're on to something - to rephrase, what we really want is to only enable policy-bot checks for protected branches (in our case, just master
). So if a PR is opened against another branch, ideally I'd want no check reported from policy-bot, but an always-true check is close enough.
So yes, I'll give something like this a try (slight reworking of your example):
policy:
approval:
- or:
- <real approval policy>
- change does not target a protected branch
approval_rules:
- name: <real approval policy>
# real approval rules here
- name: change does not target a protected branch
if:
targets_branch:
pattern: "???"
requires:
count: 0
... although writing this out made me realize because re2 doesn't support negative lookahead/lookbehind and policy-bot doesn't support logical negation, there isn't really any proper way to write a predicate for "doesn't match the exact string 'master'".
And really what I'd want is a built-in predicate that returns true for protected branches and false otherwise. How difficult is this?
... or could policy-bot be configured to only report a check on a PR against a target branch for which it is configured as a required status check? That would work too.
from policy-bot.
@serhalp this policy does what you want:
policy:
approval:
- or:
- 0 approvers for non-master
- 2 non-contributors approvers for master
approval_rules:
- name: 0 approvers for non-master
if:
targets_branch:
pattern: "^(?:[^m]+|m(?:$|[^a]|a(?:$|[^s]|s(?:$|[^t]|t(?:$|[^e]|e(?:$|[^r]))))))*$"
requires:
count: 0
- name: 2 non-contributors approvers for master
if:
targets_branch:
pattern: "^(master)$"
requires:
count: 2
from policy-bot.
Related Issues (20)
- [Question] default reviewer for non matching rules HOT 2
- How to ignore a user's approval in one team when the user is member of two approval teams? HOT 2
- Policy bot stuck on `Commit hash does not have a pushed date` HOT 29
- Trouble loading policy from repo HOT 2
- Allow '=' as comparison operator HOT 1
- Misleading documentation about file path regular expressions HOT 1
- AppID ENV Variable not respected HOT 2
- Confusing behavior with skipped checks. HOT 4
- Add feature to use request more reviewers than required count in case of random-users HOT 1
- [Question] Approval by teams agregator
- Declarative Testing of Policies HOT 5
- Certain merges can lead to ignored commits during evaluation
- Request for Advice on Using Policy Bot in Open Source Projects for Testing, Approving, Merging of PRs HOT 3
- If no rule matches can policy-bot not set a failed status on the PR? HOT 1
- Unable to run policy-bot behind a reverse-prxoy HOT 3
- `common.IsActor()` does not actually use `ctx` and can be simplified.
- Condition for not having specific label(s) HOT 6
- has_successful_status causes review requests while PR has draft status HOT 5
- Status check clarification HOT 2
- Feature Request: Predicate to skip rule if a file was changed HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from policy-bot.