Warn early on repos whose plan does not support branch rules#395
Warn early on repos whose plan does not support branch rules#395arpitjain099 wants to merge 2 commits into
Conversation
setup and status crash with a raw GitHub 403 ('Upgrade to GitHub Pro or
make this repository public') when run against a private repo on a free
plan. The 403 comes from reading branch rulesets and is surfaced as an
opaque wrapped error.
Detect that 403 with a typed check (errors.As to *github.ErrorResponse,
StatusCode 403) rather than string matching, convert it to a new
ErrUnsupportedRepoPlan sentinel, and read the controls up front in the
onboard flow so the warning is printed before any mutation. setup and
status now print an actionable message telling the user to make the repo
public or upgrade the plan.
Fixes slsa-framework#326
Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
|
@arpitjain099 Thanks for the PR there is a minor nit error which should be easy to fix. I am in the middle of migrating sourcetool to the latest go-github release which will be a large diff, if you fix this the merge conflict will be easier for me I think. |
Address the two lint findings flagged on this branch: - status.go: drop the trailing period from the unsupportedRepoPlanError message so it satisfies staticcheck ST1005 (error strings should not end with punctuation). - github_test.go: use require.NoError instead of require.Nil for the nil-error assertion, per testifylint error-nil. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
|
Thanks @puerco. The golangci-lint nit is fixed in d160044. The remaining red unit-test looks transient: on that exact commit, a clean build with an empty module cache ( |
2 participants
Running
sourcetool setuporsourcetool statusagainst a private repository on a free GitHub plan crashes with the raw GitHub API error:The 403 comes from reading the branch rulesets, which that plan does not expose, and it bubbles up as an opaque wrapped error after onboarding has already started.
This change detects that case and warns about it clearly before doing anything to the repository.
What it does:
ErrUnsupportedRepoPlansentinel in the models package, next to the existingErrRepositoryAccessDenied/ErrProtectionAlreadyInPlaceerrors.errors.Asto*github.ErrorResponseandResponse.StatusCode == http.StatusForbidden) instead of matching on the message text, so it keeps working if GitHub rewords the response. The GitHub backend converts that 403 into the sentinel.setup repothe warning is raised before any mutating call (ConfigureControlsis never reached).statusandsetup controlsalready hit the control read first.setupandstatusnow print an actionable message: make the repository public, or move its account to a plan that includes repository rules (GitHub Pro or higher).Testing:
asUnsupportedPlanError) covers a plain 403, a wrapped 403, a 404, a non-GitHub error, and a 403 with no HTTP response attached, and confirms both the sentinel and the original API error stay reachable througherrors.Is.ErrUnsupportedRepoPlanand does not call the backendConfigureControls, so nothing is mutated after the warning.go test ./pkg/sourcetool/... ./internal/cmd/...passes,gofmt -lis clean, andgo vet ./...is clean.Note: I could not exercise this end to end against a real private free-plan repo, so the message wording is open to adjustment if you would phrase the remediation differently.
Fixes #326