Branch protection rules are not working anymore. #625
Comments
I am also having this issue with branch protection rules not being applied. I modified the settings.yml many times, checked the app installation many times and it is just not working. |
any updates about this issue? it is a blocker on my way right now in using probot in all the repos in my organization. @travi sorry for mentioning you but I really want to know the status of this issue since it has been almost a month. Thanks! |
sorry for the delay in investigating this, but i can confirm that branch protection itself is working correctly. however, as a result of #591, it is more likely that applying branch protection rules will be missed since it is now only attempted after successful application of the other sections. this is especially unfortunate in the absence of #518, since it is quite difficult to understand a failure without running your own instance and having access to logs. if you are able to identify any problems with your configuration for the other sections, that is currently your best bet for unblocking branch protection settings from being applied. i hope to find some time to implement #518 soonish, which would provide far better insight into the details of config issues resulting in this blockage, but unfortunately i cannot make strong promises at this time. |
@travi no problem. I do not understand what you meant by "applying branch protection rules will be missed since it is now only attempted after successful application of the other sections." you mean like I have something in my configuration which is causing a problem? in this case what do you think that might be? thanks |
Is there a way to test a settings file? Like a github-action which parses the config in the same way as the probot-settings app. |
@stevie- not that I know of. @travi my minimal configuration is prepared on top of the example in the repository README. I can confirm that only settings under branch protection rules are not working. All the other sections like repo description, labels, merge preferences etc. work. How did you confirm that the branch protection rules were working on your test? Could you please share a config file? Thanks
```yaml
# These settings are synced to GitHub by https://probot.github.io/apps/settings/
repository:
  # See https://docs.github.com/en/rest/reference/repos#update-a-repository for all available settings.
  # The name of the repository. Changing this will rename the repository
  name: POCs
  # A short description of the repository that will show up on GitHub
  description: The source code for POCs.
  # A URL with more information about the repository
  homepage: https://example.github.io/
  # A comma-separated list of topics to set on the repository
  topics: poc, testing
  # Either `true` to make the repository private, or `false` to make it public.
  private: true
  # Either `true` to enable issues for this repository, `false` to disable them.
  has_issues: false
  # Either `true` to enable projects for this repository, or `false` to disable them.
  # If projects are disabled for the organization, passing `true` will cause an API error.
  has_projects: false
  # Either `true` to enable the wiki for this repository, `false` to disable it.
  has_wiki: false
  # Either `true` to enable downloads for this repository, `false` to disable them.
  has_downloads: false
  # Updates the default branch for this repository.
  default_branch: develop
  # Either `true` to allow squash-merging pull requests, or `false` to prevent
  # squash-merging.
  allow_squash_merge: false
  # Either `true` to allow merging pull requests with a merge commit, or `false`
  # to prevent merging pull requests with merge commits.
  allow_merge_commit: true
  # Either `true` to allow rebase-merging pull requests, or `false` to prevent
  # rebase-merging.
  allow_rebase_merge: false
  # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
  delete_branch_on_merge: false
  # Either `true` to enable automated security fixes, or `false` to disable
  # automated security fixes.
  enable_automated_security_fixes: false
  # Either `true` to enable vulnerability alerts, or `false` to disable
  # vulnerability alerts.
  enable_vulnerability_alerts: false
branches:
  - name: develop
    # https://docs.github.com/en/rest/reference/repos#update-branch-protection
    # Branch Protection settings. Set to null to disable
    protection:
      # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
      required_pull_request_reviews:
        # The number of approvals required. (1-6)
        required_approving_review_count: 2
        # Dismiss approved reviews automatically when a new commit is pushed.
        dismiss_stale_reviews: true
        # Blocks merge until code owners have reviewed.
        require_code_owner_reviews: true
        # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
        dismissal_restrictions:
          users: []
          teams: []
      # Required. Require status checks to pass before merging. Set to null to disable
      required_status_checks:
        # Required. Require branches to be up to date before merging.
        strict: true
        # Required. The list of status checks to require in order to merge into this branch
        contexts: []
      # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
      enforce_admins: null
      # Prevent merge commits from being pushed to matching branches
      required_linear_history: null
      # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
      restrictions:
        apps: []
        users: []
        teams: []
```
yes, the most likely situation would be that a call to update one of the other sections in your config is failing. this would result in the call to update branch protection not happening because it is only attempted after all of the other sections complete successfully.
this is why i mentioned it being unfortunate that #518 is not in place, since that would be able to provide feedback about the failure. solving that is high on my list, but i can't promise a timeline. in my case, i had an issue with a color code for a label with leading zeros and worked around that in travi-test/.github@17dde15. i also implemented a more official fix for this in https://github.com/repository-settings/app/releases/tag/v2.0.3. in addition, i had some conflicts between my vulnerability alerts and security fixes settings, so i defined both as enabled in travi-test/.github@9265ad3 and travi-test/.github@48fb2ca.
after making the above adjustments to my account-level config that is extended by my test project, i made the following change in order to re-trigger applying the project-level config and it applied the branch protection rules successfully: travi-test/settings-test@16499fc
i'll try to update my test config to be closer to yours when i get a chance and see if it results in any errors |
there isn't currently, but it certainly could be valuable. a big part of the complexity with this is that most of the details to verify are not defined by the settings app, but rather by the APIs called by the settings app, which can change independently from the maintenance that happens within this app. if something along these lines were to be implemented, it would need to automatically account for the expectations of the APIs. currently, i believe implementing #518 would provide better ROI, so i am prioritizing that over a file validator. i'm open to input if folks have ideas around solving the latter, though. |
@dgokcin i just copy/pasted the config from your comment into travi-test/settings-test@05de64c and it applied successfully. i think i would recommend removing the other sections from your config file so that branches is the only section left. that should enable you to confirm if you have a problem with the branch protection section specifically or if the problem is coming from one of the other sections. assuming that confirms that branch protection is not the problem, you can then add the other sections back one by one, along with making a change to the branch protection at the same time. if the branch protection setting does not apply with adding one of the sections back to the file, that is the one causing the error. i know this is not ideal, but it is the best i can recommend until #518 is completed |
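One way to observe, at each step of the bisection suggested above, whether the branch protection was actually applied (an added example, not code from this thread or from the settings app): compare the `protection` block parsed from settings.yml with the JSON returned by GitHub's `GET /repos/{owner}/{repo}/branches/{branch}/protection` endpoint. The function and constant names are hypothetical, and the sample response is constructed for illustration.

```python
"""Report drift between a settings.yml `protection` block and the JSON from
GET /repos/{owner}/{repo}/branches/{branch}/protection (added example)."""

# Plain booleans in settings.yml, but {"enabled": bool} objects in the API response.
TOGGLES = ("enforce_admins", "required_linear_history")
SECTIONS = {
    "required_pull_request_reviews": (
        "required_approving_review_count",
        "dismiss_stale_reviews",
        "require_code_owner_reviews",
    ),
    "required_status_checks": ("strict", "contexts"),
}


def _enabled(value):
    """Normalize true/false/null and {"enabled": bool} to a bool."""
    if isinstance(value, dict):
        return bool(value.get("enabled"))
    return bool(value)


def protection_drift(desired, actual):
    """Return a list of differences; an empty list means the rules match.

    desired: parsed `protection` mapping from settings.yml, or None.
    actual:  parsed API response, or None when the API answered 404.
    """
    if desired is None:
        return [] if actual is None else ["protection exists but config sets null"]
    if actual is None:
        return ["branch is not protected at all"]
    drift = []
    for key in TOGGLES:
        want, have = _enabled(desired.get(key)), _enabled(actual.get(key))
        if want != have:
            drift.append(f"{key}: want {want}, have {have}")
    for name, keys in SECTIONS.items():
        want, have = desired.get(name), actual.get(name)
        if (want is None) != (have is None):
            drift.append(f"{name}: configured={want is not None}, applied={have is not None}")
            continue
        for key in keys:
            if want and key in want:
                w, h = want[key], have.get(key)
                if isinstance(w, list):  # order of status check contexts is irrelevant
                    w, h = sorted(w), sorted(h or [])
                if w != h:
                    drift.append(f"{name}.{key}: want {w!r}, have {h!r}")
    return drift


# What a YAML parser yields for the `develop` protection block posted above.
DESIRED = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 2,
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
        "dismissal_restrictions": {"users": [], "teams": []},
    },
    "required_status_checks": {"strict": True, "contexts": []},
    "enforce_admins": None,
    "required_linear_history": None,
}
# Constructed sample response: an older rule that a skipped sync never updated.
SAMPLE_ACTUAL = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
    },
    "required_status_checks": {"strict": True, "contexts": []},
    "enforce_admins": {"enabled": False},
    "required_linear_history": {"enabled": False},
}

if __name__ == "__main__":
    for line in protection_drift(DESIRED, SAMPLE_ACTUAL) or ["in sync"]:
        print(line)
```

The live response can be fetched with `gh api repos/OWNER/REPO/branches/BRANCH/protection` and passed in as `actual`; pass `None` when the API answers 404.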
after a painful hour of debugging, I found the problematic line. the |
would you be interested in sending a PR to update that property to |
it is already set to true in the readme. and my probot config worked fine for a while. then all of a sudden, the same config stopped working. I believe setting both of them false maybe is breaking something. |
Unfortunately, I'm not able to make it work with this The file:
```yaml
# These settings are synced to GitHub by https://probot.github.io/apps/settings/
repository:
  # See https://docs.github.com/en/rest/reference/repos#update-a-repository for all available settings.
  # The name of the repository. Changing this will rename the repository
  name: .github
  # A short description of the repository that will show up on GitHub
  description: Base repository
  # A URL with more information about the repository
  homepage: https://www.example.com
  # A comma-separated list of topics to set on the repository
  topics: settings
  # Either `true` to make the repository private, or `false` to make it public.
  private: false
  # Either `true` to enable issues for this repository, `false` to disable them.
  has_issues: true
  # Either `true` to enable projects for this repository, or `false` to disable them.
  # If projects are disabled for the organization, passing `true` will cause an API error.
  has_projects: true
  # Either `true` to enable the wiki for this repository, `false` to disable it.
  has_wiki: true
  # Either `true` to enable downloads for this repository, `false` to disable them.
  has_downloads: false
  # Updates the default branch for this repository.
  default_branch: main
  # Either `true` to allow squash-merging pull requests, or `false` to prevent
  # squash-merging.
  allow_squash_merge: true
  # Either `true` to allow merging pull requests with a merge commit, or `false`
  # to prevent merging pull requests with merge commits.
  allow_merge_commit: false
  # Either `true` to allow rebase-merging pull requests, or `false` to prevent
  # rebase-merging.
  allow_rebase_merge: false
  # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
  delete_branch_on_merge: true
  # Either `true` to enable automated security fixes, or `false` to disable
  # automated security fixes.
  enable_automated_security_fixes: false
  # Either `true` to enable vulnerability alerts, or `false` to disable
  # vulnerability alerts.
  enable_vulnerability_alerts: false
# Labels: define labels for Issues and Pull Requests
# If including a `#`, make sure to wrap it with quotes!
labels:
  - name: type/bug
    color: '#CC0000'
    description: An issue with the system.
  - name: type/feature
    color: '#336699'
    description: New functionality.
  - name: low-hanging-fruit
    color: '#FFC300'
    description: Issues that are good for newcomers.
  - name: hacktoberfest-accepted
    color: '#ff0000'
    description: Pull Requests accepted for Hacktoberfest.
  - name: invalid
    color: '#C3C3C3'
    description: Not accepted or invalid for any reason.
# Collaborators: give specific users access to this repository.
# See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options
collaborators:
  - username: foo
    permission: admin
  - username: bar
    permission: triage
  - username: baaz
    permission: admin
  # Note: `permission` is only valid on organization-owned repositories.
  # The permission to grant the collaborator. Can be one of:
  # * `pull` - can pull, but not push to or administer this repository.
  # * `push` - can pull and push, but not administer this repository.
  # * `admin` - can pull, push and administer this repository.
  # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
  # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
teams:
  # Please make sure the team already exist in the organization, as the repository-settings application is not creating them.
  # See https://github.com/repository-settings/app/discussions/639 for more information about teams and settings
  - name: core-team
    # The permission to grant the team. Can be one of:
    # * `pull` - can pull, but not push to or administer this repository.
    # * `push` - can pull and push, but not administer this repository.
    # * `admin` - can pull, push and administer this repository.
    # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
    # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
    permission: admin
  - name: a-team
    permission: pull
  - name: b-team
    permission: push
branches:
  - name: main
    # https://docs.github.com/en/rest/reference/repos#update-branch-protection
    # Branch Protection settings. Set to null to disable
    protection:
      # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
      required_pull_request_reviews:
        # The number of approvals required. (1-6)
        required_approving_review_count: 1
        # Dismiss approved reviews automatically when a new commit is pushed.
        dismiss_stale_reviews: true
        # Blocks merge until code owners have reviewed.
        require_code_owner_reviews: true
        # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
        dismissal_restrictions:
          users: []
          teams: []
      # Required. Require status checks to pass before merging. Set to null to disable
      required_status_checks:
        # Required. Require branches to be up to date before merging.
        strict: true
        # Required. The list of status checks to require in order to merge into this branch
        contexts: []
      # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
      enforce_admins: true
      # Prevent merge commits from being pushed to matching branches
      required_linear_history: true
      # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
      restrictions:
        apps: []
        users: []
        teams: []
```
what happens if you delete just the following lines? enable_automated_security_fixes: false |
Unfortunately nothing. See: https://github.com/tc-experiments/.github/blob/main/.github/settings.yml The branch protection is not created |
same problem here, branch protection is not created |
FWIW, I was able to fix the branch protection problem in my case by adjusting the default labels. I was using the label configuration exactly as is from the README from this project. This sounds pretty silly, but I tried removing the caterpillar emoji, and it seemed to have fixed the problem in my repos. Orig from README:
And now:
Additionally, in my case I already had all of the security settings enabled, which others mentioned was the culprit for their problems. So that didn't seem to be causing an issue for me. Hope this information is helpful to others. |
In my case it was definitely this setting that was malfunctioning in my repo, but perhaps also this one, the reason being (for both of them) that I am running this all on personal repositories. Hope this helps someone 💪 My tip here is to read the comments to determine whether you should be enabling a setting or not, and then also read the documentation specified in each section (that leads to github official doc websites), those helped me a lot. |
In another repo of mine, this was the root cause of the failure. Apparently, topics cannot have spaces in them 😬 |
Mmm, interestingly, I had an issue with the teams: there were teams that did not exist, and until creating them, the configuration failed. History (bottom-first):
Permalink to the settings that worked: https://github.com/tc-experiments/.github/blob/52ba68fb7d505360b0137bfd89bf68a5f6bf6d49/.github/settings.yml |
We see issues when we set |
I see the same as stevie-, branch protection works if there are no teams. Once teams are added (works fine as is), no branch protection is configured |
Got this to work after some debugging and a lot of testing. We had to change or remove the following stuff.
Example to show what protection properties I talk about
|
Ran into this as well. Had a team with the org prefix in settings.yml and branch protection rules after that. Neither the team, nor branch protection settings were applied, until I commented out the
@travi how do we reference a team from another org? We have multiple orgs and would like to reference teams across them. |
I have also spent the past day trying to figure this out but have been unsuccessful. Is it safe to assume that setting these rules is completely broken for now? |
Have you tried ex: teams:
It's very important that the .yml file is correctly structured, with the right amount of indentation. This goes for all .yml files in my experience. |
Could you paste your full settings.yml file here and maybe I can help as I was stuck several times myself and got to solve it. |
A working Hopefully it helps 🤞 |
@kmgrime - Here is one that I've tried https://github.com/mrlesmithjr/ansible-nginx/blob/master/.github/settings.yml |
@mrlesmithjr - If this is the file you are running you don't have all the settings required in the file so it will not be parsed correctly. If you have settings that you don't use in the file, leave them empty instead of removing them. Good luck 👍 |
Hey everyone! I've been having this issue for the past couple of hours and it's driving me crazy so I decided to run my own instance to be able to look at logs: Aside from the already mentioned problems other users suggested like @kmgrime or @benjyiw my problem was fixed after removing the As you can see in the logs:
There might be other properties affecting your I will finally suggest to run your own instance of the bot as it helps a lot finding the particular issue in your file. There is a good guide in the Docs deploying guide |
CC @travi |
Is there a real fix for it? I've tried all the things that people here mentioned.. but nothing works, Branch protection is not created. |
We had similar issues where the settings were working and then one day they stopped working for certain repos. After attempting many of the fixes suggested above, we were able to resolve our issue by omitting the |
Thank you mate, Still not working for me :/ |
Looks like I was wrong about what was happening here. Setting
```yaml
---
repository:
  # ...
  enable_automated_security_fixes: true
  enable_vulnerability_alerts: false
```
^^ This does not work |
Sorry one more update. It does look like when I set both
```yaml
---
repository:
  # ...
  enable_automated_security_fixes: false
  enable_vulnerability_alerts: false
```
^^ This also does not work. If you are going to disable security features, I would leave the

To summarize:
```yaml
---
repository:
  # ...
  description: 'This has been changed' # this change will not take effect
  enable_automated_security_fixes: true
  enable_vulnerability_alerts: false
branches:
  - name: main
    protection:
      # ...
      required_pull_request_reviews:
        required_approving_review_count: 2 # this change will not take effect
```
Neither the description nor the branch protection gets updated.
```yaml
---
repository:
  # ...
  description: 'This has been changed' # this change will take effect
  enable_automated_security_fixes: true
  enable_vulnerability_alerts: false
branches:
  - name: main
    protection:
      # ...
      required_pull_request_reviews:
        required_approving_review_count: 2 # this change will not take effect
```
The description is updated, but the branch protection does not get updated. |
since the issue is open for a long time without any progress and following https://github.blog/2023-07-24-github-repository-rules-are-now-generally-available/, it seems that settings app is losing relevance :( from a quick look, rest api for ruleset is available. |
probably will affect the settings app |
guys, is settings app dead? |
looks like....... |
@electriquo This ^ |
Any progress of this issue? I encounter this issue as well, and couldn't solve it. The branch protection rule cannot be created by |
trying to clean up some duplicates, so closing this in favor of #150 short answer is that this does still work when the config is all formatted correctly and no other failures have occurred ahead of the attempt to apply the branch protection settings. #518 needs to be implemented to at least provide feedback when failures occur to give an opportunity to resolve any config problems |
Problem Description
I just created a new repository with the same config file that I use for all of my repositories and noticed that although the configs are the same, branch protection rules are not working. Any help is appreciated. To reproduce, you can try creating a new repo from the default settings in the README file. I am attaching my current config below