-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: GitHub mergeability bypassing apply #4193
fix: GitHub mergeability bypassing apply #4193
Conversation
Thanks, @henriklundstrom. We will find some time to review, but it could take a while. |
Awesome work 😍 This is exactly the issue we are running into now! |
+1 We ran into the same issue the other day. |
Looking forward to this PR as it should enable implementing MergeQueue with required checks pretty easily. |
If you want to try this out, I made a release on the feature-branch, here: https://github.com/nordnet/atlantis/releases/tag/v0.27.4-pre.fix-required-checks-minus-apply-20240515. You can pull that Docker image: |
@jamengual @lukemassa Do you think you will be able to check this PR any time soon? We have been running it in our prod for several months, and everything works well. |
@jamengual @lukemassa Would you be able to take a look at this PR, please? #3811 is a considerable security hazard because a malicious actor could use it to bypass any number of automated checks, and this PR would solve it. |
Sorry, guys, this is taking so long, but we are at the mercy of time right now, and we have had very little of it lately. |
I was on vacation last week, diving back in this week. I will take a look at this today or tomorrow. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@henriklundstrom makes a lot of sense, and very thoroughly done, thanks for the contribution!
I am still experiencing with v0.30.0 the same issue:
but when trying to apply the already approved PR, we get |
There can be many possible reasons for it. Can you see if there are any errors in the log? |
Make sure to add the new required |
Error thrown was:
@Roberdvs The error above could be indicating the missing permission, thanks! EDIT: Indeed, the missing permission in the GH app did the trick, and now it works as expected 💯 |
Signed-off-by: a1k0u <[email protected]>
what
First of all, this PR is only concerned with how Atlantis determines if it should proceed with apply when the
--gh-allow-mergeable-bypass-apply
is used on a GitHub PR that is in theblocked
state because Atlantis apply is a required check.The following changes to its behaviour are made:
Expected - Waiting for status to be reported
-state when determining if a pull request is mergeable #4272This is all accomplished by using the GraphQL API instead of the REST API, because the former conveniently provides the current state of all statuses and checks on the PR, including if they are required or not.
This PR does not solve the issue #4116, but it does open up for the possibility of implementing a solution. The implementation in this PR does list all required checks from rulesets and branch protection, and could easily be extended to also get the conditions for bypassing in the same query. However, there's a philosophical question as to who should be regarded as the user in such case, the Atlantis GitHub App, the PR author, or the author of the
atlantis apply
comment? For this reason I will leave it to a future PR to deal with bypassers.In an ideal world, the GitHub API would provide some sort of
is-mergeable-for-given-actor
status on PRs, which would take into account all required checks/statuses and bypass rules. Then Atlantis could use only that to determine if it should proceed with apply+merge. But there is no such thing available. So we are stuck with this approach of listing all required checks and checking their status.Do note that there are more reasons why a PR may not be mergeable than the status of checks and reviews, which Atlantis ignores, and which are not addressed by this PR. For example, a ruleset may define requirements on the author's email, among many other things...
Another thing to note i that as of this change, the Atlantis GitHub credential needs read access to
Actions
, in order to fetch any workflow information about a given check. This was not needed before, so should be mentioned in any eventual release notes.why
The previous implementation had the following flaws:
tests
Updated test cases that run under
make test
.references
Skipped
GitHub status checks to count for themergeable
command requirement, when that status check is arequired
one #4249Expected - Waiting for status to be reported
-state when determining if a pull request is mergeable #4272