Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Able to apply despite GitHub's PR not being mergeable #2112

Closed
andoriyu opened this issue Mar 3, 2022 · 23 comments
Closed

Able to apply despite GitHub's PR not being mergeable #2112

andoriyu opened this issue Mar 3, 2022 · 23 comments
Labels
bug Something isn't working provider/github waiting-on-response Waiting for a response from the user

Comments

@andoriyu
Copy link

andoriyu commented Mar 3, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Overview of the Issue

Atlantis applies change set even when PR has pending CODEOWNERS reviews.

Merge button is read:
pr_merge

Mergeable_status is blocked:

  "author_association": "CONTRIBUTOR",
  "auto_merge": null,
  "active_lock_reason": null,
  "merged": false,
  "mergeable": true,
  "rebaseable": true,
  "mergeable_state": "blocked",
  "merged_by": null,

Reproduction Steps

Open a PR that requires CODEOWNERS approval.
Comment atlantis apply
Atlantis will apply plan, but fail automerge because its blocked.

Logs

Environment details

If not already included, please provide the following:

  • Atlantis version: 0.18.1
  • If not running the latest Atlantis version have you tried to reproduce this issue on the latest version: Not yet
  • Atlantis flags: atlantis server --config /etc/atlantis/config.yaml

Atlantis server-side config file:

---
repos:
- id: /.*/
  apply_requirements: [mergeable]

Repo atlantis.yaml file:

version: 3
delete_source_branch_on_merge: true
projects:
- dir: some/project
- dir: someother/project

Additional Context

@andoriyu andoriyu added the bug Something isn't working label Mar 3, 2022
@chenrui333
Copy link
Member

@andoriyu is it similar to this issue ?

@andoriyu
Copy link
Author

andoriyu commented Mar 4, 2022

@chenrui333 Hard to tell. According to atlantis documentation, mergeable requirement includes review from CODEOWNERS already.

My issue isn't that I want PR to mergeable only after atlantis did apply, my issue is that atlantis applies unapproved changes.

@chenrui333
Copy link
Member

Got you.

@jeff-caylent
Copy link

jeff-caylent commented Mar 18, 2022

I found that adding the env var of ATLANTIS_REQUIRE_MERGEABLE=true solves the problem for me in 0.18.2, but it does not listen to [mergeable] argument in the server-side configuration YAML.

@andoriyu
Copy link
Author

@chenrui333

Noticed another thing, I was able to trigger apply as Org admin that can technically merge anytime by clicking checkbox. A regular contributor wasn't able to apply before approval. It kinda makes sense, but it still goes against what documentation (and code comments) say what should happen - can't apply before button is green.

@gwkunze
Copy link

gwkunze commented Apr 25, 2022

Ran into same issue, we have a GitHub organization with default read permissions, and have a GitHub team with write access in the CODEOWNERS file, when someone - who we thought was in the team but wasn't - approved, it did apply but afterwards automerging failed with:

merging pull request: PUT https://api.github.com/repos/redacted/redacted/pulls/14/merge: 405 At least 1 approving review is required by reviewers with write access. []

@danielgblanco
Copy link

I think there's potentially a regression after #2053

If I understand correctly, the condition in

if state == "blocked" {
would apply to a PR that's passed all checks except atlantis/apply and it'd return true for PullIsMergeable even if it hasn't been approved.

Furthermore, even if we have approved in apply_requirements, this takes in any approval not necessarily one by CODEOWNERS. So, in our setup, even with

apply_requirements: [mergeable, approved]

anyone can approve the PR and merge it, as long as the only check missing is atlantis/apply.

@danielgblanco
Copy link

danielgblanco commented May 4, 2022

I've got a workaround working using a custom apply step (we use terragrunt already so we have it configured elsewhere). We run on GitHub Enterprise hence the /api URL. Our apply steps look like this:

apply:
  steps:
    - env:
        name: TERRAGRUNT_TFPATH
        command: 'echo "terraform\${ATLANTIS_TERRAFORM_VERSION}"'
    - run: 'if curl --silent --location --request POST "https://${ATLANTIS_GH_HOSTNAME}/api/graphql" --header "Authorization: Bearer ${GH_TOKEN}" --data-raw "{\"query\":\"{repository(name:\\\"${BASE_REPO_NAME}\\\", owner:\\\"${BASE_REPO_OWNER}\\\") {pullRequest(number:${PULL_NUM}) {reviewDecision}}}\"}" | grep -q ''{"data":{"repository":{"pullRequest":{"reviewDecision":"APPROVED"}}}}''; then echo "Pull Request approved by CODEOWNERS"; else echo "Pull Request must be approved by CODEOWNERS" && false; fi'
    - run: terragrunt apply -no-color $PLANFILE

This uses the GraphQL API to query for the PR reviewDecision as documented in https://docs.github.com/en/graphql/reference/objects#pullrequest and https://docs.github.com/en/graphql/reference/enums#pullrequestreviewdecision. The PR is not in APPROVED state unless a code owner has reviewed it.

It's definitely a quick workaround and could be improved, but it saves us from having changes applied with any review (not coming from a code owner). I'd like to find some time and add this back into the codebase. Hopefully next week.

@majormoses
Copy link
Contributor

We recently upgraded to 0.19.0 and are confirming this behavior as well. We have reverted to 0.18.5 for the time being. Pushing forward to 0.19.3 still exhibits the behavior.

CVSS Score: 8.0/10

@majormoses
Copy link
Contributor

I reached out as requested to security[AT]runatlantis[DOT]io per https://github.com/runatlantis/atlantis/blob/master/SECURITY.md pointing them to this thread.

@jamengual
Copy link
Contributor

#2053 was reverted and #1968 was merged on Jan 1.

so I'm correct to think that this was introduced in another PR?

@jamengual
Copy link
Contributor

if someone has time to create a PR or look into where the issue was introduced, please let me know.

@lilincmu
Copy link
Contributor

@andoriyu

We reverted the code that caused the regression. Could you help verify if the issue is resolved in v0.19.7-pre.20220713? Thank you!

@chicocvenancio
Copy link
Contributor

Seems to me it would be better to move PullIsApproved to the graphql endpoint with reviewDecision taking codeowners into account.

@andoriyu
Copy link
Author

@lilincmu I will try to find time to test it out next week.

@chicocvenancio
Copy link
Contributor

Seems to me it would be better to move PullIsApproved to the graphql endpoint with reviewDecision taking codeowners into account.

Any chance we could go this route instead of giving up on having a way to enforce users don't merge PRs without applying?

@lilincmu
Copy link
Contributor

@chicocvenancio Unfortunately we had to revert it due to the regression. However, #2436 is another attempt to add in the feature without breaking existing use cases. It would be highly appreciated if you can share your knowledge there. Hopefully, we can get it right this time 🤞

@jamengual
Copy link
Contributor

is this still happening with v0.19.8?

@jamengual jamengual added the waiting-on-response Waiting for a response from the user label Aug 26, 2022
@github-actions github-actions bot added the Stale label Oct 4, 2022
@majormoses
Copy link
Contributor

I will see if I can test this in our org.

@github-actions github-actions bot removed the Stale label Oct 7, 2022
@Roberdvs
Copy link

Roberdvs commented Oct 17, 2022

This seems to have been fixed for us. Previously it was possible to run atlantis apply with anyone's approval on a PR even if CODEOWNERS approval was required in the branch protection but now Atlantis properly prevents the apply from executing.

Info from our environment in case it helps anyone:

  • Updated Atlantis to v0.20.1
  • Atlantis server side config with apply_requirements: [approved, mergeable]
  • GitHub branch protection with Require review from Code Owners enabled.
  • GitHub branch protection with Require status checks to pass before merging including atlantis/plan and atlantis/apply status checks.
    • ATLANTIS_GH_ALLOW_MERGEABLE_BYPASS_APPLY set to true in order to work with the atlantis/apply status check.
  • Updated GitHub app permissions to include Administration -> read as commented here
    • Otherwise Atlantis fails with "unable to get pull request status: fetching mergeability status for repo: omitted, and pull number: omitted: getting pull request status: getting required status checks: GET https://api.github.com/repos/omitted/omitted/branches/main/protection: 403 Resource not accessible by integration []

@nitrocode
Copy link
Member

@Roberdvs

Make sure to change ATLANTIS_GH_MERGEABLE_BYPASS_APPLY to ATLANTIS_GH_ALLOW_MERGEABLE_BYPASS_APPLY

ref: https://www.runatlantis.io/docs/server-configuration.html#gh-allow-mergeable-bypass-apply

@Roberdvs
Copy link

Roberdvs commented Oct 17, 2022

@Roberdvs

Make sure to change ATLANTIS_GH_MERGEABLE_BYPASS_APPLY to ATLANTIS_GH_ALLOW_MERGEABLE_BYPASS_APPLY

ref: runatlantis.io/docs/server-configuration.html#gh-allow-mergeable-bypass-apply

I actually realized earlier and made this other comment about it and still pasted here the wrong name 🤦🏻‍♂️ . Edited now, thanks! 😄

@nitrocode
Copy link
Member

I'm closing this for now since this seems fixed with the new flag mentioned above. Please use that flag with the latest version to see if it works as expected.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working provider/github waiting-on-response Waiting for a response from the user
Projects
None yet
Development

No branches or pull requests