Validate base branches in DefaultCommandRunner #1768
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fixes runatlantis#1539 The branch matcher feature has been introduced in runatlantis#1383, but the current implementation was broken and doesn't work at all (runatlantis#1539). If my understanding is correct, there are two problems: (1) The `GlobalCfg` has a default `Repo` instance which always matches any repositries and branches. Therefore the branch matcher never be functional. (2) Validating base branches in `DefaultPreWorkflowHooksCommandRunner.RunPreHooks()` implicitly assumed that users customize `pre_workflow_hooks`, but the assumption isn't always true because it defaults to empty. For (1), I added a new method `MatchingRepo()` to `GlobalCfg` to check `BranchMatches()` for a single `Repo` instance. For (2), I moved validating branch to `DefaultCommandRunner.validateCtxAndComment()`. Since the method has already validated meta data of pull request, I think it's suitable place to check base branches, but please let me know if there is anywhere more suitable.
minamijoyo
force-pushed
the
fix-branch-restriction
branch
from
37f6b93
to
8037de4
Compare
nishkrishnan
approved these changes
Aug 30, 2021
minamijoyo
added a commit
to minamijoyo/atlantis
that referenced
this pull request
Sep 2, 2021
…nfig Fixes runatlantis#1695 The branch matcher feature has been implemented in runatlantis#1383 and runatlantis#1768. There is only an example for it, but not in the reference. https://github.com/runatlantis/atlantis/pull/1383/files#diff-5dd8dd3b7c37191b78109efaaa1bb73184ff7a1690632d687fed7cd748847f5eR31-R34 Add missing the `branch` key in the reference for server side repo config. I also add a warning for `mergeable` requirement to check the `branch` setting because I think a typical branch protection rule only restricts a default branch. We should let users know that someone can potentially bypass it without the `branch` restriction in atlantis.
minamijoyo
added a commit
to minamijoyo/atlantis
that referenced
this pull request
Sep 2, 2021
Fixes runatlantis#1695 The branch matcher feature has been implemented in runatlantis#1383 and runatlantis#1768. There is only an example for it, but not in the reference. https://github.com/runatlantis/atlantis/pull/1383/files#diff-5dd8dd3b7c37191b78109efaaa1bb73184ff7a1690632d687fed7cd748847f5eR31-R34 Add missing the `branch` key in the reference for server side repo config. I also add a warning for `mergeable` requirement to check the `branch` setting because I think a typical branch protection rule only restricts a default branch. We should let users know that someone can potentially bypass it without the `branch` restriction in atlantis.
This was referenced Sep 2, 2021
nishkrishnan
pushed a commit
that referenced
this pull request
Sep 14, 2021
) Fixes #1695 The branch matcher feature has been implemented in #1383 and #1768. There is only an example for it, but not in the reference. https://github.com/runatlantis/atlantis/pull/1383/files#diff-5dd8dd3b7c37191b78109efaaa1bb73184ff7a1690632d687fed7cd748847f5eR31-R34 Add missing the `branch` key in the reference for server side repo config. I also add a warning for `mergeable` requirement to check the `branch` setting because I think a typical branch protection rule only restricts a default branch. We should let users know that someone can potentially bypass it without the `branch` restriction in atlantis.
msarvar
referenced
this pull request
in lyft/atlantis
Sep 27, 2021
Fixes #1539 The branch matcher feature has been introduced in #1383, but the current implementation was broken and doesn't work at all (#1539). If my understanding is correct, there are two problems: (1) The `GlobalCfg` has a default `Repo` instance which always matches any repositries and branches. Therefore the branch matcher never be functional. (2) Validating base branches in `DefaultPreWorkflowHooksCommandRunner.RunPreHooks()` implicitly assumed that users customize `pre_workflow_hooks`, but the assumption isn't always true because it defaults to empty. For (1), I added a new method `MatchingRepo()` to `GlobalCfg` to check `BranchMatches()` for a single `Repo` instance. For (2), I moved validating branch to `DefaultCommandRunner.validateCtxAndComment()`. Since the method has already validated meta data of pull request, I think it's suitable place to check base branches, but please let me know if there is anywhere more suitable.
krrrr38
pushed a commit
to krrrr38/atlantis
that referenced
this pull request
Dec 16, 2022
Fixes runatlantis#1539 The branch matcher feature has been introduced in runatlantis#1383, but the current implementation was broken and doesn't work at all (runatlantis#1539). If my understanding is correct, there are two problems: (1) The `GlobalCfg` has a default `Repo` instance which always matches any repositries and branches. Therefore the branch matcher never be functional. (2) Validating base branches in `DefaultPreWorkflowHooksCommandRunner.RunPreHooks()` implicitly assumed that users customize `pre_workflow_hooks`, but the assumption isn't always true because it defaults to empty. For (1), I added a new method `MatchingRepo()` to `GlobalCfg` to check `BranchMatches()` for a single `Repo` instance. For (2), I moved validating branch to `DefaultCommandRunner.validateCtxAndComment()`. Since the method has already validated meta data of pull request, I think it's suitable place to check base branches, but please let me know if there is anywhere more suitable.
krrrr38
pushed a commit
to krrrr38/atlantis
that referenced
this pull request
Dec 16, 2022
…natlantis#1784) Fixes runatlantis#1695 The branch matcher feature has been implemented in runatlantis#1383 and runatlantis#1768. There is only an example for it, but not in the reference. https://github.com/runatlantis/atlantis/pull/1383/files#diff-5dd8dd3b7c37191b78109efaaa1bb73184ff7a1690632d687fed7cd748847f5eR31-R34 Add missing the `branch` key in the reference for server side repo config. I also add a warning for `mergeable` requirement to check the `branch` setting because I think a typical branch protection rule only restricts a default branch. We should let users know that someone can potentially bypass it without the `branch` restriction in atlantis.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #1539
The branch matcher feature has been introduced in #1383, but the current implementation was broken and doesn't work at all (#1539). If my understanding is correct, there are two problems:
(1) The
GlobalCfghas a defaultRepoinstance which always matches any repositries and branches. Therefore the branch matcher never be functional.(2) Validating base branches in
DefaultPreWorkflowHooksCommandRunner.RunPreHooks()implicitly assumed that users customizepre_workflow_hooks, but the assumption isn't always true because it defaults to empty.For (1), I added a new method
MatchingRepo()toGlobalCfgto checkBranchMatches()for a singleRepoinstance.For (2), I moved validating branch to
DefaultCommandRunner.validateCtxAndComment(). Since the method has already validated meta data of pull request, I think it's suitable place to check base branches, but please let me know if there is anywhere more suitable.