eclipse-csi / otterdog

OtterDog is a tool to manage GitHub organizations at scale using a configuration as code approach. It is actively used by the Eclipse Foundation to manage its numerous projects hosted on GitHub.
https://otterdog.readthedocs.org
Eclipse Public License 2.0

Conflict between org workflow configuration and repo configuration: actions_can_approve_pull_request_reviews #166

Closed eclipse-csi-bot closed 10 months ago

eclipse-csi-bot commented 11 months ago

In GitLab by @heurtemattes on Jan 4, 2024, 09:26

Org https://github.com/eclipse-symphony has this workflow configuration:

    workflows+: {
      actions_can_approve_pull_request_reviews: false,
    },

Applying the first PR on the self-service project, no errors appeared.

With this configuration:

    orgs.newRepo('symphony') {
      description: "Symphony project",
    },

Applying locally with otterdog shows a 409 error:

  File "/home/heurtemattes/workspace/workspace-otterdog/otterdog/otterdog/providers/github/rest/repo_client.py", line 970, in update_workflow_settings
    self._update_default_workflow_permissions(org_id, repo_name, default_permission_data)
  File "/home/heurtemattes/workspace/workspace-otterdog/otterdog/otterdog/providers/github/rest/repo_client.py", line 1049, in _update_default_workflow_permissions
    raise RuntimeError(
RuntimeError: failed updating default workflow permissions for repo 'eclipse-symphony/symphony'
409: {"message":"Conflict","errors":"The organization does not allow GitHub Actions to create or approve pull requests","documentation_url":"https://docs.github.com/rest/actions/permissions#set-default-workflow-permissions-for-a-repository"}
╷
│ Error: failed updating default workflow permissions for repo 'eclipse-symphony/symphony'
│
│    409: {"message":"Conflict","errors":"The organization does not allow GitHub Actions to create or approve pull requests","documentation_url":"https://docs.github.com/rest/actions/permissions#set-default-workflow-permissions-for-a-repository"}

Repository is created correctly, with right configuration from org configuration.

As a workaround I propose to push the configuration in the project like:

    orgs.newRepo('symphony') {
      description: "Symphony project",
      workflows+: {
        actions_can_approve_pull_request_reviews: false,
      },
    },

Maybe implement a rule for checking that org configuration. WDYT?

eclipse-csi-bot commented 11 months ago

In GitLab by @netomi on Jan 4, 2024, 09:29

This is related to https://gitlab.eclipse.org/eclipsefdn/security/otterdog/-/issues/161, where we need to ensure that all organization wide settings are coerced correctly on repo level.

eclipse-csi-bot commented 11 months ago

In GitLab by @netomi on Jan 4, 2024, 09:30

As a quick fix I will add a validation rule for that.

eclipse-csi-bot commented 11 months ago

In GitLab by @heurtemattes on Jan 4, 2024, 09:33

marked this issue as related to #161

eclipse-csi-bot commented 11 months ago

In GitLab by @netomi on Jan 4, 2024, 09:43

mentioned in commit 650f0d8473a2bf09ecba115eb8dc3ae2df15274c

eclipse-csi-bot commented 11 months ago

In GitLab by @netomi on Jan 4, 2024, 09:43

Added a validation rule and correctly coerced the setting if it is set to enabled on repo level but disabled on org level.
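A hypothetical model of the validation and coercion rule described in this comment, added here as an example and not otterdog's own code; the dict-based settings, the assumed repo default of `True`, and the `would_conflict` model of the API's 409 check are assumptions:

```python
from __future__ import annotations

# Assumed default for repos that do not configure the setting explicitly; the
# failing run in the thread behaves as if the repo default were True.
DEFAULT_REPO_WORKFLOWS = {"actions_can_approve_pull_request_reviews": True}

# Org-level settings which, when set to the given value, GitHub enforces on
# every repo: a differing repo-level value is rejected with 409 Conflict.
ORG_ENFORCED_WHEN = {"actions_can_approve_pull_request_reviews": False}


def resolve_repo_workflows(explicit: dict) -> dict:
    """Merge the repo's explicit workflow settings over the assumed defaults."""
    return {**DEFAULT_REPO_WORKFLOWS, **explicit}


def coerce_repo_workflows(org_workflows: dict, repo_explicit: dict) -> tuple[dict, list[str]]:
    """Return (settings safe to send to the API, validation warnings).

    A repo value that contradicts an org-enforced value would fail with 409,
    so it is coerced to the org value and a warning is recorded. Setting the
    value explicitly on the repo (as in the workaround above) clears the warning.
    """
    repo = resolve_repo_workflows(repo_explicit)
    warnings: list[str] = []
    for key, enforced_value in ORG_ENFORCED_WHEN.items():
        if org_workflows.get(key) is not enforced_value:
            continue  # org does not restrict this setting
        if repo.get(key) != enforced_value:
            warnings.append(
                f"'{key}' is enabled on repo level but disabled on org level; "
                f"coercing to {enforced_value}"
            )
            repo[key] = enforced_value
    return repo, warnings


def would_conflict(org_workflows: dict, repo_workflows: dict) -> bool:
    """Constructed model of the API check behind the 409 seen in the thread."""
    return any(
        org_workflows.get(key) is enforced_value and repo_workflows.get(key) != enforced_value
        for key, enforced_value in ORG_ENFORCED_WHEN.items()
    )
```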

eclipse-csi-bot commented 11 months ago

In GitLab by @netomi on Jan 4, 2024, 09:45

So you can push the change to the repo so that the warning will not show up, but it is not strictly necessary.

eclipse-csi-bot commented 11 months ago

In GitLab by @heurtemattes on Jan 4, 2024, 10:37

I think your fix is fine. I leave it like that.