🌱 Add branch protection evaluation #3759

AdamKorcz · 2023-12-29T19:33:03Z

What kind of change does this PR introduce?

(Is it a bug fix, feature, docs update, something else?)

PR title follows the guidelines defined in our pull request documentation

What is the current behavior?

What is the new behavior (if this is a feature change)?**

Changes Branch Protection evaluation to process probe findings. Some of the probes were submitted here: 🌱 Add probes for Branch Protection #3691
Adds another probe
Rewrites a bunch of tests
Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

NONE

Special notes for your reviewer

Does this PR introduce a user-facing change?

NONE
For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

checks/evaluation/branch_protection.go

codecov · 2023-12-29T19:35:39Z

Codecov Report

Merging #3759 (f706b69) into main (4ae4ba2) will decrease coverage by 6.76%.
The diff coverage is 76.53%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3759      +/-   ##
==========================================
- Coverage   75.36%   68.60%   -6.76%     
==========================================
  Files         232      234       +2     
  Lines       15682    15842     +160     
==========================================
- Hits        11818    10868     -950     
- Misses       3129     4302    +1173     
+ Partials      735      672      -63

checks/evaluation/branch_protection.go

checks/raw/branch_protection.go

checks/raw/branch_protection_test.go

probes/blocksDeleteOnBranches/impl.go

probes/requiresCodeOwnersReview/impl_test.go

probes/requiresPRsToChangeCode/def.yml

checks/evaluation/branch_protection_test.go

spencerschrock

only a partial review (ran out of time before lunch), but wanted to get a few of these questions to you for discussion. Particularly the "protected" branch value/probe discussion

checks/evaluation/branch_protection.go

probes/blocksDeleteOnBranches/impl.go

probes/requiresCodeOwnersReview/impl.go

AdamKorcz · 2024-01-08T20:19:21Z

#3759 (comment) fixed in ba40d03

AdamKorcz · 2024-01-09T17:30:59Z

The failing integration test looks unrelated, but reliably reproduces:

• [FAILED] [0.487 seconds]
E2E TEST:SearchCommits E2E TEST:SearchCommits [It] Should return commits by dependabot
/home/runner/work/scorecard/scorecard/e2e/searchCommits_test.go:29

  [FAILED] Expected
      <int>: 0
  to be >
      <int>: 0
  In [It] at: /home/runner/work/scorecard/scorecard/e2e/searchCommits_test.go:37 @ 01/09/24 17:24:45.055

spencerschrock · 2024-01-09T21:02:02Z

The failing integration test looks unrelated, but reliably reproduces:

I think this had to do with today's GitHub status incident.

Signed-off-by: Adam Korczynski <[email protected]>

Signed-off-by: AdamKorcz <[email protected]>

spencerschrock · 2024-02-26T22:54:12Z

@spencerschrock PTAL again.

I'm seeing weird reversions of commits from earlier discussions. For example:

75c18eb was (accidentally?) reverted by 00acf66
5c98388 was (accidentally?) reverted by e5b1666

And one e2e test is still failing

TOKEN_TYPE=PAT ginkgo --focus-file branch_protection_test.go e2e

[FAILED] branch protection accessible patch: (-expected +actual)  utests.TestReturn{
        Error:         nil,
        Score:         1,
  -     NumberOfWarn:  3,
  +     NumberOfWarn:  6,
        NumberOfInfo:  4,
  -     NumberOfDebug: 4,
  +     NumberOfDebug: 8,
    }

This was discussed previously, but accidentally reverted Signed-off-by: Spencer Schrock <[email protected]>

This reverts commit 00acf66. Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>

this was previously included by the old evaluation code Signed-off-by: Spencer Schrock <[email protected]>

requiring codeowners without a corresponding file used to give 1 INFO and 1 WARN now it only gives 1 WARN Signed-off-by: Spencer Schrock <[email protected]>

Signed-off-by: Spencer Schrock <[email protected]>

spencerschrock · 2024-02-27T23:41:20Z

/scdiff generate Branch-Protection

github-actions · 2024-02-27T23:41:33Z

Here's a link to the scdiff run

raghavkaul

93fbbc1-f706b69 LGTM.

* 🌱 Add branch protection evaluation Signed-off-by: Adam Korczynski <[email protected]> * make helper for getting the branchName Signed-off-by: Adam Korczynski <[email protected]> * move check for branch name Signed-off-by: Adam Korczynski <[email protected]> * define size of slice Signed-off-by: Adam Korczynski <[email protected]> * add probe for protected branches. Signed-off-by: Adam Korczynski <[email protected]> * change 'basicNonAdminProtection' to 'deleteAndForcePushProtection' Signed-off-by: Adam Korczynski <[email protected]> * fix markdown in text field in def.yml Signed-off-by: Adam Korczynski <[email protected]> * remove duplicate conditional Signed-off-by: Adam Korczynski <[email protected]> * remove redundant 'protected' value from 'requiresCodeOwnersReview' probe Signed-off-by: Adam Korczynski <[email protected]> * remove protected values from probes Signed-off-by: Adam Korczynski <[email protected]> * Bring back negative outcome in case of 0 codeowners files Signed-off-by: Adam Korczynski <[email protected]> * log based on whether branches are protected Signed-off-by: Adam Korczynski <[email protected]> * remove unnecessary test Signed-off-by: Adam Korczynski <[email protected]> * debug failing tests Signed-off-by: Adam Korczynski <[email protected]> * Fix failing tests Signed-off-by: Adam Korczynski <[email protected]> * rename test Signed-off-by: Adam Korczynski <[email protected]> * update to with latest upstream changes Signed-off-by: AdamKorcz <[email protected]> * fix linting issues Signed-off-by: AdamKorcz <[email protected]> * remove tests that represent impossible scenarios Signed-off-by: AdamKorcz <[email protected]> * remove protected finding value This was discussed previously, but accidentally reverted Signed-off-by: Spencer Schrock <[email protected]> * Revert "debug failing tests" This reverts commit 00acf66. Signed-off-by: Spencer Schrock <[email protected]> * use branchName key for branch name Signed-off-by: Spencer Schrock <[email protected]> * include number of reviews in INFO this was previously included by the old evaluation code Signed-off-by: Spencer Schrock <[email protected]> * reduce info count by 1 requiring codeowners without a corresponding file used to give 1 INFO and 1 WARN now it only gives 1 WARN Signed-off-by: Spencer Schrock <[email protected]> --------- Signed-off-by: Adam Korczynski <[email protected]> Signed-off-by: AdamKorcz <[email protected]> Signed-off-by: Spencer Schrock <[email protected]> Co-authored-by: Spencer Schrock <[email protected]>

AdamKorcz requested a review from a team as a code owner December 29, 2023 19:33

AdamKorcz requested review from spencerschrock and laurentsimon and removed request for a team December 29, 2023 19:33

AdamKorcz temporarily deployed to gitlab December 29, 2023 19:33 — with GitHub Actions Inactive

AdamKorcz temporarily deployed to integration-test December 29, 2023 19:33 — with GitHub Actions Inactive