mirror of
https://github.com/SAP/jenkins-library.git
synced 2024-12-12 10:55:20 +02:00
d640d72dc6
* feat: improve vulnerability reporting via GitHub issues * feat: update reports * chore: add tls cert links * only write log on error * chore: update formatting * chore: update handling of direct dependencies * chore: fix linting issue * chore: minor updates
69 lines
2.5 KiB
Go
69 lines
2.5 KiB
Go
package cmd
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/SAP/jenkins-library/pkg/log"
|
|
"github.com/SAP/jenkins-library/pkg/telemetry"
|
|
"github.com/google/go-github/v45/github"
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
piperGithub "github.com/SAP/jenkins-library/pkg/github"
|
|
)
|
|
|
|
type gitHubBranchProtectionRepositoriesService interface {
|
|
GetBranchProtection(ctx context.Context, owner, repo, branch string) (*github.Protection, *github.Response, error)
|
|
}
|
|
|
|
func githubCheckBranchProtection(config githubCheckBranchProtectionOptions, telemetryData *telemetry.CustomData) {
|
|
// TODO provide parameter for trusted certs
|
|
ctx, client, err := piperGithub.NewClient(config.Token, config.APIURL, "", []string{})
|
|
if err != nil {
|
|
log.Entry().WithError(err).Fatal("Failed to get GitHub client")
|
|
}
|
|
|
|
err = runGithubCheckBranchProtection(ctx, &config, telemetryData, client.Repositories)
|
|
if err != nil {
|
|
log.Entry().WithError(err).Fatal("GitHub branch protection check failed")
|
|
}
|
|
}
|
|
|
|
func runGithubCheckBranchProtection(ctx context.Context, config *githubCheckBranchProtectionOptions, telemetryData *telemetry.CustomData, ghRepositoriesService gitHubBranchProtectionRepositoriesService) error {
|
|
ghProtection, _, err := ghRepositoriesService.GetBranchProtection(ctx, config.Owner, config.Repository, config.Branch)
|
|
if err != nil {
|
|
return errors.Wrap(err, "failed to read branch protection information")
|
|
}
|
|
|
|
// validate required status checks
|
|
for _, check := range config.RequiredChecks {
|
|
var found bool
|
|
foundContexts := []string{}
|
|
if requiredStatusChecks := ghProtection.GetRequiredStatusChecks(); requiredStatusChecks != nil {
|
|
foundContexts = requiredStatusChecks.Contexts
|
|
}
|
|
for _, context := range foundContexts {
|
|
if check == context {
|
|
found = true
|
|
}
|
|
}
|
|
if !found {
|
|
return fmt.Errorf("required status check '%v' not found among '%v' in branch protection configuration", check, strings.Join(foundContexts, ","))
|
|
}
|
|
}
|
|
|
|
// validate that admins are enforced in checks
|
|
if config.RequireEnforceAdmins && !ghProtection.GetEnforceAdmins().Enabled {
|
|
return fmt.Errorf("admins are not enforced in branch protection configuration")
|
|
}
|
|
|
|
// validate number of mandatory reviewers
|
|
if config.RequiredApprovingReviewCount > 0 && ghProtection.GetRequiredPullRequestReviews().RequiredApprovingReviewCount < config.RequiredApprovingReviewCount {
|
|
return fmt.Errorf("not enough mandatory reviewers in branch protection configuration, expected at least %v, got %v", config.RequiredApprovingReviewCount, ghProtection.GetRequiredPullRequestReviews().RequiredApprovingReviewCount)
|
|
}
|
|
|
|
return nil
|
|
}
|