Warn early on repos whose plan does not support branch rules#395
Open
arpitjain099 wants to merge 2 commits into
Open
Warn early on repos whose plan does not support branch rules#395arpitjain099 wants to merge 2 commits into
arpitjain099 wants to merge 2 commits into
Conversation
setup and status crash with a raw GitHub 403 ('Upgrade to GitHub Pro or
make this repository public') when run against a private repo on a free
plan. The 403 comes from reading branch rulesets and is surfaced as an
opaque wrapped error.
Detect that 403 with a typed check (errors.As to *github.ErrorResponse,
StatusCode 403) rather than string matching, convert it to a new
ErrUnsupportedRepoPlan sentinel, and read the controls up front in the
onboard flow so the warning is printed before any mutation. setup and
status now print an actionable message telling the user to make the repo
public or upgrade the plan.
Fixes slsa-framework#326
Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Member
|
@arpitjain099 Thanks for the PR there is a minor nit error which should be easy to fix. I am in the middle of migrating sourcetool to the latest go-github release which will be a large diff, if you fix this the merge conflict will be easier for me I think. |
Address the two lint findings flagged on this branch: - status.go: drop the trailing period from the unsupportedRepoPlanError message so it satisfies staticcheck ST1005 (error strings should not end with punctuation). - github_test.go: use require.NoError instead of require.Nil for the nil-error assertion, per testifylint error-nil. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Running
sourcetool setuporsourcetool statusagainst a private repository on a free GitHub plan crashes with the raw GitHub API error:The 403 comes from reading the branch rulesets, which that plan does not expose, and it bubbles up as an opaque wrapped error after onboarding has already started.
This change detects that case and warns about it clearly before doing anything to the repository.
What it does:
ErrUnsupportedRepoPlansentinel in the models package, next to the existingErrRepositoryAccessDenied/ErrProtectionAlreadyInPlaceerrors.errors.Asto*github.ErrorResponseandResponse.StatusCode == http.StatusForbidden) instead of matching on the message text, so it keeps working if GitHub rewords the response. The GitHub backend converts that 403 into the sentinel.setup repothe warning is raised before any mutating call (ConfigureControlsis never reached).statusandsetup controlsalready hit the control read first.setupandstatusnow print an actionable message: make the repository public, or move its account to a plan that includes repository rules (GitHub Pro or higher).Testing:
asUnsupportedPlanError) covers a plain 403, a wrapped 403, a 404, a non-GitHub error, and a 403 with no HTTP response attached, and confirms both the sentinel and the original API error stay reachable througherrors.Is.ErrUnsupportedRepoPlanand does not call the backendConfigureControls, so nothing is mutated after the warning.go test ./pkg/sourcetool/... ./internal/cmd/...passes,gofmt -lis clean, andgo vet ./...is clean.Note: I could not exercise this end to end against a real private free-plan repo, so the message wording is open to adjustment if you would phrase the remediation differently.
Fixes #326