feature/985 branch protection checks
#1415
Conversation
|
/label Type: Feature |
|
This works in the sense that is creates and deletes branch protections 👍 However, there is something interesting happening in the diff, like so: This seems to suggest that despite not including a Not too sure how to handle this currently, but will see what I can come up with. |
TheQueenIsDead
changed the title
|
Appreciate you doing this work @TheQueenIsDead. |
|
@kfcampbell , small question from me. I've added the deprecated flag to the contexts attribute, and the process for carrying out this deprecation is usually to release a minor with the flag, and then remove the code in the next major release version. This is documented by Hashicorp here: It makes a lot of sense, but given the change to the Github go client, I cannot implement this functionality nicely without removing part of the code that flattens the context array when it reads from the API. Without that removal, subsequent applies will show the contexts array being blitzed on each plan, despite it not being defined in Terraform: ~ contexts = [
- "context_app_id_allow_all",
- "context_no_app_id_most_recent_check",
- "context_with_app_id_defined",
]The question is, would you accept the removal of As it stands, it is not possible to only send |
|
Hmm...none of those options are very desirable. I'm looking at the API reference and I see the following under
Perhaps some of that behavior is due to the API changing to deprecate contexts as well.
For a breaking change like that, we would end up cutting a v6 version, which ideally we should not do that in this PR without a deprecation notice. Do you mind explaining a little bit more about this description?
Is there a way we can handle contexts when they're present in Terraform by warning of deprecation and then formatting them into the new |
I wouldn't be suprised! As identified in a previous issue, the SDK "fully deprecated" contexts as part of this PR, while I believe the API itself still supports it momentarily:
I appreciate that, and am happy to help go down that route where possible 👍 However, it does feel a little ceremonious given
Certainly! What I am trying to highlight is that the Github API seems to return a list of I think you're right that we could simply convert contexts to checks (With a default of allow all apps, ie -1). We could possibly keep the schema and not try and map the response to a I'll have a play around :-) |
|
Hmm, super interesting. I have made a change to flatten and expand all contexts into checks, using the default -1 app_id. On initial apply, everything looks ok. When a second apply is ran, the change output looks really messy. On the third apply in a row (With no changes), Terraform detects no changes. I would have expected it to detect no changes the first time around, but I am unsure why it creates a plan like this. Full example output can be seen in this gist: Changes can be seen in the most recent commit: 567856a |
|
I have tried sorting the I also tried experimenting with I'm wondering if the 'advanced data structure' as an array is causing issues, I imagine if we used a map of strings |
* Add resource github_app_installation_repositories This resource allows multiple repositories to be passed in; which greatly improves the performance of the resource compared to the single repository version when needing to control state of multiple app installations with multiple repos, required in larger organisations. The optimisation occurs as only a single call to get the list of repos is required per installation per read, regardless of the number of respositories being added. - Add resource_github_app_installation_repositories - Add tests * Update docs and link Co-authored-by: Keegan Campbell <me@kfcampbell.com>
…g branch (integrations#1407) Co-authored-by: Keegan Campbell <me@kfcampbell.com>
…rations#1122) * feat(github_release): adding github_release resource and tests * feat(docs) adding github_release page to website docs * chore: update changelog with this pr's new resource * fix: adding node_id and release_id to resource attributes * Update CHANGELOG.md * Fix broken merge/build Co-authored-by: Keegan Campbell <me@kfcampbell.com>
Workflow changes have been made in the Octokit org repo. This PR is propagating those changes.
* Don't link to a real PR * Wording tweak
TheQueenIsDead
force-pushed
the
feature/985-branch-protection-contexts
branch
from
567856a
to
cb9c464
Compare
|
@kfcampbell , I have changed the approach from using resource blocks in the schema to instead using a list of Will update the docs soon, not terribly sure about how to approach testing. |
|
@TheQueenIsDead thank you for all your effort and clear communication! I really appreciate it.
Definitely, and there's also a chance that they haven't been exactly healthy for a long time.
Ideally, yes. We have a significant amount of testing debt to pay back on this project. I've opened #1414 to begin this effort, but it would be great to have an issue for this specific testing suite. Given the above and the substantial number of issues ready to be closed, I think it would be reasonable to merge this PR before full testing support is achieved. @TheQueenIsDead do you believe this is ready for final review/merging? |
There was a problem hiding this comment.
Hi! I'm swinging by to check on this PR again as I'm really looking forward to having it in. @TheQueenIsDead do you mind giving these questions a look when you get a chance?
…ntexts' into feature/985-branch-protection-contexts
|
Ok, so I have created a new bug report for the unmarshalling error that is causing the tests to fail for this branch #1476.
In a perfect world I think the recent go-github provider breakage would be reverted so that the tests can pass. As mentioned in the issue, it seems to have broken unmarshalling branch protection objects, so even if this PR is merged and released, users still wont be able to benefit from it! I'm happy with the changes proposed here, but I am also the author, hence the most biased party ;-) The lack of tests are the only thing making me wary however. |
This should be fixed. I believe the problem was due to this upstream issue, fixed in this google/go-github PR, released here, and added to the project as part of #1473. On the main branch, tests for this resource are failing for me as well 😭 but not for unmarshaling reasons.
I don't believe this is the case anymore! 🎉
Absolutely, I agree. However, given the resource's impaired state currently and the number of issues/engagement about it, it may be appropriate to merge this PR earlier as a mitigation and add/modify earlier content afterward. Issues saying "confusing diff" are generally better than issues saying "doesn't work" IMO. |
|
I also bumped into this one, looking forward to seeing this merged :) |
|
Apologies for the delay, I've been struggling to find time to commit to other projects.
I'll have a quick look at the tests to see if I can identify the issue and resolve it here, otherwise I'm all for merging this to give a path forwards, with room to refine later on. Pragmatism 😊 |
|
It looks like the TestAccGithubBranchProtectionV3* tests are all failing due to the fact that after an apply, there are changes present in the plan.
security_and_analysis.#: "1" => "0"
security_and_analysis.0.advanced_security.#: "1" => ""
security_and_analysis.0.advanced_security.0.status: "" => ""
security_and_analysis.0.secret_scanning.#: "1" => ""
security_and_analysis.0.secret_scanning.0.status: "disabled" => ""
security_and_analysis.0.secret_scanning_push_protection.#: "1" => ""
security_and_analysis.0.secret_scanning_push_protection.0.status: "disabled" => ""
UPDATE: github_branch_protection_v3.test
branch: "main" => "main"
enforce_admins: "false" => "false"
etag: "W/\"523f6d38db8bde2e6366e192aceef11125983f1d19d6faea81d27d4107d5aade\"" => "W/\"523f6d38db8bde2e6366e192aceef11125983f1d19d6faea81d27d4107d5aade\""
id: "tf-acc-test-sfz48:main" => "tf-acc-test-sfz48:main"
repository: "tf-acc-test-sfz48" => "tf-acc-test-sfz48"
require_conversation_resolution: "false" => "false"
require_signed_commits: "false" => "false"
required_pull_request_reviews.#: "0" => "0"
required_status_checks.#: "1" => "1"
required_status_checks.0.checks.#: "1" => "1"
required_status_checks.0.checks.0: "github/foo" => "github/foo"
required_status_checks.0.contexts.#: "1" => "0"
required_status_checks.0.contexts.0: "github/foo" => ""
required_status_checks.0.include_admins: "false" => "false"
required_status_checks.0.strict: "true" => "true"
restrictions.#: "0" => "0"I tested the branch protection creation against my own repo and it still works with the new checks object. As mentioned it has a slightly ambiguous plan for the second apply, but everything still works just fine thereafter (It seems to be a little confused about contexts vs checks initially. Github does interesting things on the backend there though, maintaining both attributes....This wont be an issue when checks is dropped). @kfcampbell I'd be happy to have this merged, and if anyone can help improve the apply flow in future, then it'd be greatly appreciated Apologies that it's not perfect, first time developing Terraform 👍 |
|
@TheQueenIsDead thank you for all the work here! I realized I merged #1489; does that affect this PR/testing scenarios at all? If you're comfortable with the current state after #1489, I'll approve/merge this and cut a release soon. |
|
Awesome, that resolves all the issues that aren't to do with I'm happy to have this merged with the goal of improving it later 👍 |
There was a problem hiding this comment.
Thanks for all the work on this, @TheQueenIsDead! I'm looking forward to having this in.
|
Any guess when we might get this in a release? :) |
|
what if my status check context includes a colon? |
|
@mbarany do you mind creating an issue for that? |
* feat: add new schema for check block resource under required_status_checks * feat: iterate provided `check` blocks and build array of RequiredStatusCheck * feat: set default app_id to -1 * feat: implement checks flattening for required status checks * Add resource github_app_installation_repositories (integrations#1376) * Add resource github_app_installation_repositories This resource allows multiple repositories to be passed in; which greatly improves the performance of the resource compared to the single repository version when needing to control state of multiple app installations with multiple repos, required in larger organisations. The optimisation occurs as only a single call to get the list of repos is required per installation per read, regardless of the number of respositories being added. - Add resource_github_app_installation_repositories - Add tests * Update docs and link Co-authored-by: Keegan Campbell <me@kfcampbell.com> * feat: adds new branch protection options for last reviewer and locking branch (integrations#1407) Co-authored-by: Keegan Campbell <me@kfcampbell.com> * feat(github_release): adding github_release resource and tests (integrations#1122) * feat(github_release): adding github_release resource and tests * feat(docs) adding github_release page to website docs * chore: update changelog with this pr's new resource * fix: adding node_id and release_id to resource attributes * Update CHANGELOG.md * Fix broken merge/build Co-authored-by: Keegan Campbell <me@kfcampbell.com> * 🚧 Workflows have changed Workflow changes have been made in the Octokit org repo. This PR is propagating those changes. * Issue template tweak (integrations#1422) * Don't link to a real PR * Wording tweak * feat: allow branch protection check app_id to be null * chore: change branch protection flatten function to use GetAppID sdk method * feat: change branch protection v3 utils to flatten and expand contexts into checks * feat: change checks from it's own resource to a list of strings * chore: resolve incorrect merge of main * chore: update deprecation notice on contexts array * chore(docs): Update branch_protection_v3 docs to mention the new `checks` functionality * fix: Initialise literal empty slice of RequiredStatusCheck to mitigate errors when passing nil to the sdk * chore(lint): resolve gosimple S1082 violation (errors.New => fmt.Errorf) * chore: remove unused code comment Co-authored-by: David Bain <97858950+david-bain@users.noreply.github.com> Co-authored-by: Keegan Campbell <me@kfcampbell.com> Co-authored-by: Sean Smith <sean@wwsean08.com> Co-authored-by: Trent Millar <trent.millar@gmail.com> Co-authored-by: Nick Floyd <139819+nickfloyd@users.noreply.github.com>
Resolves:
Behavior
Before the change?
After the change?
Other information
This should render the ability to define checks in configuration such as this:
Additional info
Pull request checklist
Does this introduce a breaking change?
Please see our docs on breaking changes to help!
Type: Breaking changelabel)If
Yes, what's the impact:Pull request type
Please add the corresponding label for change this PR introduces:
Type: BugType: FeatureType: DocumentationType: Maintenance