0.17.5 removes all mergeability checks from apply, even review requirements. #1895
Comments
Never mind, I forgot to add
Sorry, this is valid. It broke running with
Is Atlantis given permissions with admin abilities? If so, a PR is deemed I am using v0.17.5 where Atlantis does not have admin permissions, and I have The error message isn't properly reflecting it:
In this scenario, we have one approval on the pull request but it's missing an approval from the codeowner.
the github user that atlantis is an admin, but that has not changed.
What permissions does your atlantis user have?
the
So I believe the problem is this PR https://github.com/runatlantis/atlantis/pull/1856/files which changed to The problem is that the new check implicitly assumes that the only reason a pull request can be in a "blocked" state is because of a failing status as checked by It seems like this is hard to generally solve without totally reimplementing GitHub's logic for mergeability inside of atlantis. To solve this particular case you'd need to call the API to see if the branch is protected and has required reviews, and then if it does cross reference the reviews on the pull request to see if they satisfy the constraint. Even if you did that it wouldn't solve all the possible things GitHub protected branches can require (https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches).
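An added example (not Atlantis code, and not from the commenter) of the cross-reference described in the comment above: a status-only check beside one that also evaluates review rules. The struct names, the chronological review order and the already-resolved code owner set are assumptions; the review state strings are the ones GitHub's reviews API returns.

```go
package main

import "fmt"

// Review holds the review fields used here (constructed type, not Atlantis code).
type Review struct{ User, State string }

// Protection holds two branch protection review rules (hypothetical struct).
type Protection struct {
	RequiredApprovals int
	RequireCodeOwner  bool
}

// statusOnly models the assumption: only a failing status can block a PR.
func statusOnly(state string, failing []string) bool {
	for _, s := range failing {
		if s != "atlantis/apply" {
			return false
		}
	}
	return state == "clean" || state == "blocked"
}

// reviewsSatisfied uses each reviewer's latest decisive review (chronological input).
func reviewsSatisfied(p Protection, reviews []Review, owners map[string]bool) bool {
	latest := map[string]string{}
	for _, r := range reviews {
		if r.State != "COMMENTED" && r.State != "PENDING" {
			latest[r.User] = r.State
		}
	}
	approvals, ownerOK := 0, !p.RequireCodeOwner
	for user, state := range latest {
		if state == "CHANGES_REQUESTED" {
			return false
		}
		if state == "APPROVED" {
			approvals++
			ownerOK = ownerOK || owners[user]
		}
	}
	return approvals >= p.RequiredApprovals && ownerOK
}

func main() {
	// Constructed sample: one approval, but not from the code owner "carol".
	p := Protection{RequiredApprovals: 1, RequireCodeOwner: true}
	ok := reviewsSatisfied(p, []Review{{"bob", "APPROVED"}}, map[string]bool{"carol": true})
	fmt.Println(statusOnly("blocked", []string{"atlantis/apply"}), ok) // true false
}
```

An apply gate would require both results to be true; as the comment notes, this still covers only the review rules, not everything a protected branch can require.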
@packrat386 thanks for the research. It seems like #1856 needs to be backed out if we want the
I've just seen this behaviour. A PR that requires a codeowner review was approved by a non codeowner (therefore not green) but he was then able to apply the change. Nothing has changed in our setup other than the upgrade last week to 0.17.5 and this has never happened before. I've nothing to add, just confirming with a screenshot. I think this should be resolved as a matter of high priority. Thanks
I've also run into this problem, and we reverted back to the prior version as this is a required part of our workflow. I would also propose reverting #1856 until a workable solution is found
@nishkrishnan any thoughts on @packrat386's findings here? I'm afraid this bug will block many from upgrading to newer releases.
Another release gone by with this breaking change in place. Looking for some visibility on this @chenrui333 @lkysow @nishkrishnan
I agree, unfortunately whatever other improvements are made, there's no way we can move forward from 17.4 with a bug that allows non approved PRs to be applied. This is a critical bug and it should be highlighted so that anyone who is unaware of it can make an informed choice about the version they are running. Is there any reason this has not simply been rolled back?
This is correct, for our use case we never saw this issue surface since we only use external checks.
I agree with this. We have some plans in the pipeline to play a bit nicer with GitHub's merge process and apply changes after a PR is merged. None of this will matter at that point. But for now, I will revert this commit.
Community Note
Overview of the Issue
#1856 causes atlantis to completely ignore mergeability on PRs to the extent that required reviews are ignored.
Reproduction Steps
Use atlantis 0.17.5 with github
Have a CODEOWNERS setup or something that requires reviews on PRs.
Open a PR with a successful plan and a required review. Run atlantis apply and it will happily do the apply without the required review.
Logs
Environment details
Additional Context
Everything was working fine with 0.17.4. When I upgraded to 0.17.5, I added a branch protection requirement for atlantis/apply on my terraform repos. Now anyone can apply anything.