NickLiffen / ghas-enablement

A tool that aims to bulk-automate the enablement of GitHub Code Scanning, Secret Scanning and Dependabot across multiple repositories.

Support public repositories with `secretscanning`, or `pushprotection` #72

Open timja opened 2 years ago

timja commented 2 years ago

I hit a few issues when trying to run this repo.

  1. repo.json was super confusing; I had to copy your sample repos.json before I could load repos with yarn run getRepos
  2. Public repositories were filtered out, with no option to enable it on them
  3. Advanced security was force-enabled when secretscanning or pushprotection was enabled, but public repositories always have AS enabled; this caused the script to error out.

Error:

    data: {
      message: 'Advanced security is always available for public repos',
      documentation_url: 'https://docs.github.com/rest/reference/repos#update-a-repository'
    }

My diff to make this work:

diff --git a/src/utils/paginateQuery.ts b/src/utils/paginateQuery.ts
index 804cfc7..6704887 100644
--- a/src/utils/paginateQuery.ts
+++ b/src/utils/paginateQuery.ts
@@ -64,18 +64,13 @@ const getRepositoryInOrganizationPaginate = async (
       const languageCheck = process.env.LANGUAGE_TO_CHECK
         ? name.toLocaleLowerCase() === `${process.env.LANGUAGE_TO_CHECK}`
         : true;
-      const publicRepoCheck =
-        process.env.GHES === "true"
-          ? true
-          : visibility === "PRIVATE" || visibility === "INTERNAL"
-          ? true
-          : false;
+      const publicRepoCheck = visibility === "PRIVATE" || visibility === "INTERNAL"
+          ? false
+          : true;
       return (viewerPermission === "ADMIN" || viewerPermission === null) &&
         isArchived === false &&
         languageCheck &&
-        publicRepoCheck
-        ? true
-        : false;
+        publicRepoCheck;
     });

     inform(
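Review bot: the new `publicRepoCheck` at `+      const publicRepoCheck = visibility === "PRIVATE" || visibility === "INTERNAL"` / `+          ? false` / `+          : true;` inverts the filter instead of widening it: `||` binds tighter than `?:`, so the check is now true only for PUBLIC repositories and PRIVATE/INTERNAL ones are dropped, and deleting the `process.env.GHES === "true"` branch removes the unconditional pass-through GHES users relied on. If the intent is to include public repositories in addition to private and internal ones, make the check unconditionally true (or gate it behind a new opt-in environment variable) rather than negating the existing condition, and keep the GHES branch.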
diff --git a/src/utils/worker.ts b/src/utils/worker.ts
index 9a047ec..734a33a 100644
--- a/src/utils/worker.ts
+++ b/src/utils/worker.ts
@@ -8,7 +8,7 @@ import { createPullRequest } from "./createPullRequest.js";
 import { writeToFile } from "./writeToFile.js";
 import { restClient as octokit } from "./clients";
 import { commitFileMac } from "./commitFile.js";
-import { enableGHAS } from "./enableGHAS.js";
+//import { enableGHAS } from "./enableGHAS.js";
 import { enableDependabotAlerts } from "./enableDependabotAlerts";
 import { enableDependabotFixes } from "./enableDependabotUpdates";
 import { enableIssueCreation } from "./enableIssueCreation";
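Review bot: the import is commented out rather than removed, leaving dead code at `+//import { enableGHAS } from "./enableGHAS.js";`. If `enableGHAS` is really going away, delete the line; if it is only meant to be skipped for public repositories, the import has to stay because the call site still needs it for private and internal repos.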
@@ -49,9 +49,9 @@ export const worker = async (): Promise<unknown> => {
       const [owner, repo] = repoName.split("/");

       // If Code Scanning or Secret Scanning need to be enabled, let's go ahead and enable GHAS first
-      enableCodeScanning || enableSecretScanning
+      /*enableCodeScanning || enableSecretScanning
         ? await enableGHAS(owner, repo, client)
-        : null;
+        : null;*/

       // If they want to enable Dependabot, and they are NOT on GHES (as that currently isn't GA yet), enable Dependabot
       enableDependabot && process.env.GHES != "true"
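Review bot: wrapping the whole `enableGHAS` call in `/* ... */` (lines `+      /*enableCodeScanning || enableSecretScanning` through `+        : null;*/`) fixes the public-repo error by disabling GHAS enablement for every repository, so on GHEC a private or internal repo that does not yet have Advanced Security on will now fail when secret scanning or code scanning is requested. A narrower fix keeps the call and skips it only when the repository is public, which is exactly the case the "Advanced security is always available for public repos" error above describes.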

Anyway, thanks for the repo; it saved me time, and it's all working with my hacks.

NickLiffen commented 2 years ago

Thank you for this feedback 🙇

I am keen for your thoughts on how we could improve this:

repo.json was super confusing; I had to copy your sample repos.json before I could load repos with yarn run getRepos

The reason for this is that we had people committing large files of repos, and we got feedback that this was 💩. So we changed it to stop that. Was the README.md not clear enough? I do want to make this experience better.

Are you a GHES (enterprise server) customer? Or a GHEC customer? The reason I ask is this:

Public repositories were filtered out, with no option to enable it on them

For GHEC (github.com) everything should automatically be enabled? 👀 So you shouldn't need to enable it for any public repos? 🤔

What were you looking to do?

Thanks for the feedback @timja 🙇 I would love to make this better, and if there was a bug I'm happy to make changes to get it working.

timja commented 2 years ago

I am keen for your thoughts on how we could improve this:

There is so much text in the README.

I skipped past the instructions and went to this step, where I could start copying commands: https://github.com/NickLiffen/ghas-enablement#set-up-instructions

I would suggest creating the file if it doesn't exist, changing the code from doing a straight import of it to using file system APIs and handling it for the user. This step seems really unnecessary if you are running yarn run getRepos as I want you to load repos.

Are you a GHES (enterprise server) customer? Or a GHEC customer? The reason I ask is this:

Cloud

everything should automatically be enabled

What were you looking to do

Push protection and secret scanning are not enabled automatically for public repos. There is a setting to enable it for new ones, but no setting to do it retroactively. Sales / account team pointed us at your repo (which worked perfectly after my hacks).

Note: as shown in the error, you do not need to explicitly enable advanced security, but you still do need to enable the features.
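An added example (not code from ghas-enablement) of the rule described above: build the `security_and_analysis` body for GitHub's "Update a repository" endpoint (`PATCH /repos/{owner}/{repo}`) so that `advanced_security` is only sent for private and internal repositories, while secret scanning and push protection are still requested for public ones. The `Visibility` values match those used by the GraphQL query in paginateQuery.ts; the Octokit call in the trailing comment is assumed and not executed here.

```typescript
// Added example, not part of ghas-enablement. Builds the `security_and_analysis`
// object for PATCH /repos/{owner}/{repo}. Sending `advanced_security` for a
// public repository makes the API answer
// "Advanced security is always available for public repos", so it is omitted.

type FeatureStatus = { status: "enabled" | "disabled" };

// Visibility as returned by the GraphQL API used in paginateQuery.ts.
type Visibility = "PUBLIC" | "PRIVATE" | "INTERNAL";

interface WantedFeatures {
  secretScanning?: boolean;
  pushProtection?: boolean;
}

interface SecurityAndAnalysis {
  advanced_security?: FeatureStatus;
  secret_scanning?: FeatureStatus;
  secret_scanning_push_protection?: FeatureStatus;
}

function buildSecurityAndAnalysis(
  visibility: Visibility,
  wanted: WantedFeatures,
): SecurityAndAnalysis {
  const body: SecurityAndAnalysis = {};
  const needsGhas = Boolean(wanted.secretScanning || wanted.pushProtection);

  // Private/internal repos need GHAS switched on before secret scanning can be
  // enabled; public repos already have it and must not receive the key.
  if (needsGhas && visibility !== "PUBLIC") {
    body.advanced_security = { status: "enabled" };
  }

  // Push protection depends on secret scanning, so requesting push protection
  // also enables secret scanning.
  if (wanted.secretScanning || wanted.pushProtection) {
    body.secret_scanning = { status: "enabled" };
  }
  if (wanted.pushProtection) {
    body.secret_scanning_push_protection = { status: "enabled" };
  }
  return body;
}

// Assumed usage with an Octokit REST client (not run here):
// await octokit.rest.repos.update({
//   owner, repo,
//   security_and_analysis: buildSecurityAndAnalysis(visibility, { pushProtection: true }),
// });
```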

NickLiffen commented 2 years ago

I would suggest creating the file if it doesn't exist, changing the code from doing a straight import of it to using file system APIs and handling it for the user. This step seems really unnecessary if you are running yarn run getRepos as I want you to load repos.

Will add this to the backlog 👍

Push protection and secret scanning are not enabled automatically for public repos.

Hmmm 🤔 I know push protection is, but secret scanning should be 🤔 Anyway, thanks for the feedback 👍 You obviously ran into a bug; thanks for logging it 👍 I am working on another feature here, but after that I will get around to fixing both of these problems 🙇

NickLiffen commented 2 years ago

Hey @timja 👋

Just wanted to let you know I fixed this problem:

I would suggest creating the file if it doesn't exist, changing the code from doing a straight import of it to using file system APIs and handling it for the user. This step seems really unnecessary if you are running yarn run getRepos as I want you to load repos.

repo.json was super confusing; I had to copy your sample repos.json before I could load repos with yarn run getRepos

I am now going to take a look at this:

Public repositories were filtered out, with no option to enable it on them

Advanced security was force-enabled when secretscanning or pushprotection was enabled, but public repositories always have AS enabled; this caused the script to error out.

Will try and have something done by EOW. I will leave this issue open until both are fixed 👍