github / safe-settings

ISC License

Github SafeSettings invokes DELETE API on incorrect settings #310

Open sajithvasu opened 2 years ago

sajithvasu commented 2 years ago

Hello,

Github Safesettings calls the DELETE api to remove all the repositories when you add incorrect config in the settings.yml file. The error seems to be a bit concerning as it calls the delete api. Also, the error states that it will remove the repo on Mon, 01 Feb 2021.

Sanitized logs:

xxxx-safesettings- xxxx-safesettings [@octokit/request] "DELETE https://api.github.com/teams/5430398/repos/{org}/{repo}" is deprecated. It is scheduled to be removed on Mon, 01 Feb 2021 00:00:00 GMT. See https://developer.github.com/changes/2020-01-21-moving-the-team-api-endpoints/
xxxx-safesettings xxxx-safesettings error calling find for Teams HttpError: You cannot remove repositories from a security manager team. for repo: {"owner":"{org}","repo":"{repo}","branch":"main","required_pull_request_reviews":{"required_approving_review_count":1},"enforce_admins":null,"restrictions":null,"headers":{"accept":"application/vnd.github.hellcat-preview+json,application/vnd.github.luke-cage-preview+json,application/vnd.github.zzzax-preview+json"}} entries [{"name":"security-reader","permission":"security-scan-reviewer"}]

settings.yml:

repository:
teams:
  - name: security-reader
    permission: security-scan-reviewer
branches:
  - name: default
    protection:
      required_pull_request_reviews:
        required_approving_review_count: 1
      enforce_admins:
      restrictions:

Note: We are building the docker image from the Dockerfile provided in this repo and running the app on the AKS platform.

Is this a bug within the code?

anderssonjohan commented 1 year ago

About the deprecation message. This is because the now deprecated URL route is used for PUT/DELETE requests in teams.js: https://github.com/github/safe-settings/blob/15518fe7f14facf82138844948ac6ad20330ecfb/lib/plugins/teams.js#L3-L5

This can now safely be updated to use the new URL pattern made available in GHES 2.21: https://docs.github.com/en/enterprise-server@2.21/rest/reference/teams#add-or-update-team-repository-permissions

Old still used in 2.20: https://docs.github.com/en/enterprise-server@2.20/rest/reference/teams#add-or-update-team-repository-permissions

I don't know about the deprecation policy for this project but GHES 3.3 was just deprecated, so this is really old stuff.

I want to point out that the old endpoints still work, but it's a bit dissatisfying with the deprecating date (2021!).

EDIT: The proper way is probably to revert this commit and use the octokit provided functions instead of making the requests to the deprecated teams api: https://github.com/github/safe-settings/commit/3f63f4bb2630e64e3b6fc9c78d3e7fc7ca1807c3#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519
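To illustrate the migration described above, here is an added example (not safe-settings' own code, and not the commit linked above) that plans a repository's team sync against the org-scoped routes instead of the deprecated /teams/{team_id}/repos/{owner}/{repo} ones, and refuses to issue any request when a permission value is not on its allowlist. planTeamSync, the built-in permission list and the sample data are assumptions; it also assumes the `name` value in settings.yml is the team slug.

```javascript
// Added example, not safe-settings' own code. Plans the requests needed to make a
// repository's team permissions match a settings.yml `teams:` list, using the
// org-scoped team routes that replaced the deprecated
// /teams/{team_id}/repos/{owner}/{repo} routes. Each planned item is a
// (route, params) pair in the shape accepted by octokit.request(route, params).

// Built-in repository permission names accepted by the team-repo endpoint.
// Orgs with custom repository roles can pass an extended set (assumed input).
const BUILTIN_PERMISSIONS = new Set(['pull', 'triage', 'push', 'maintain', 'admin']);

const PUT_ROUTE = 'PUT /orgs/{org}/teams/{team_slug}/repos/{owner}/{repo}';
const DELETE_ROUTE = 'DELETE /orgs/{org}/teams/{team_slug}/repos/{owner}/{repo}';

// desired: entries from settings.yml, e.g. [{ name: 'security-reader', permission: 'pull' }]
//          (the `name` value is assumed to be the team slug)
// current: teams attached to the repo as returned by GET /repos/{owner}/{repo}/teams
//          (only `slug` and `permission` are used here)
function planTeamSync({ org, repo, desired, current, allowed = BUILTIN_PERMISSIONS }) {
  // Fail closed: an unknown permission value aborts the whole plan before any
  // request (PUT or DELETE) is produced, instead of partially applying it.
  for (const team of desired) {
    if (!allowed.has(team.permission)) {
      throw new Error(`team "${team.name}": unknown permission "${team.permission}"`);
    }
  }
  const plan = [];
  for (const team of desired) {
    const existing = current.find((t) => t.slug === team.name);
    if (existing && existing.permission === team.permission) continue; // already as desired
    plan.push({ route: PUT_ROUTE, params: { org, team_slug: team.name, owner: org, repo, permission: team.permission } });
  }
  for (const team of current) {
    if (desired.some((d) => d.name === team.slug)) continue;
    // Only teams absent from the desired list are detached from the repo.
    plan.push({ route: DELETE_ROUTE, params: { org, team_slug: team.slug, owner: org, repo } });
  }
  return plan;
}

// Constructed sample: one team to add, one already correct, one to detach.
const samplePlan = planTeamSync({
  org: 'example-org',
  repo: 'example-repo',
  desired: [{ name: 'security-reader', permission: 'pull' }, { name: 'backend', permission: 'push' }],
  current: [{ slug: 'backend', permission: 'push' }, { slug: 'legacy-team', permission: 'pull' }],
});
console.log(samplePlan.map((r) => r.route.split(' ')[0] + ' ' + r.params.team_slug));
// prints [ 'PUT security-reader', 'DELETE legacy-team' ]
```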

nikhil-nomula commented 1 year ago

@anderssonjohan is this a bug with the log message? If so, do we know when this can be fixed?

nikhil-nomula commented 1 year ago

Hi @sajithvasu, we are running into the same log message.

Can you please let us know if you are still running into this issue? And did your repository actually get deleted?