jenkinsci / ghprb-plugin

github pull requests builder plugin for Jenkins
https://plugins.jenkins.io/ghprb/
MIT License

usage of org-list may incur github rate limit #831

Open maorfr opened 2 years ago

maorfr commented 2 years ago

When using the org-list feature of the plugin, each PR author is checked for membership of the organizations in that list. Given that Jenkins is defined as an authenticated user, the returned status will be 404 (according to https://docs.github.com/en/rest/reference/orgs#check-organization-membership-for-a-user).

This poses a problem related to the GitHub rate limit.

Assuming a user like dependabot creates a lot of PRs, and for each PR we check whether the user is a member of an org on the list, we will exhaust the rate limit.

Even when using the conditional requests feature (for reference, we make ~100k requests to the GitHub API per hour), this will still cause us to hit the rate limit, as only a 304 return status does not count against the rate limit.

Essentially this causes organizations with multiple repos to be "attacked" simply by having too many open PRs from dependabot :smile:

internal reference: https://issues.redhat.com/browse/APPSRE-4423
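An added example (not part of this issue or of the ghprb plugin's code) showing the mitigation a maintainer would reach for: a per-author membership cache with a TTL, which revalidates with the stored ETag so an unchanged 404/204 answer comes back as 304 and costs no rate limit. `FakeOrgApi` is a constructed stand-in for GitHub's endpoint; the member list, ETag format and PR counts are made up for the demonstration.

```python
import time

class FakeOrgApi:
    """Constructed stand-in for GitHub's org-membership endpoint, not the real API.
    204 = member, 404 = not a member; a matching If-None-Match returns 304,
    which (as on the real API) does not count against the rate limit."""
    def __init__(self, members):
        self.members = set(members)
        self.rate_used = 0          # requests that counted against the limit
    def check_membership(self, org, user, etag=None):
        status = 204 if user in self.members else 404
        tag = f'"{org}/{user}/{status}"'   # constructed ETag value
        if etag == tag:
            return 304, tag
        self.rate_used += 1
        return status, tag

class MembershipCache:
    """Remembers each (org, user) answer for ttl seconds so repeated PRs from the
    same author (e.g. dependabot) do not re-query the API; once the entry expires
    it revalidates with the stored ETag, so an unchanged answer costs nothing."""
    def __init__(self, api, ttl=3600, clock=time.monotonic):
        self.api, self.ttl, self.clock = api, ttl, clock
        self._entries = {}   # (org, user) -> (is_member, etag, expires_at)
    def is_member(self, org, user):
        now = self.clock()
        entry = self._entries.get((org, user))
        if entry is not None and entry[2] > now:
            return entry[0]                      # fresh entry: no request at all
        status, tag = self.api.check_membership(org, user, entry[1] if entry else None)
        is_member = entry[0] if status == 304 else status == 204
        self._entries[(org, user)] = (is_member, tag, now + self.ttl)
        return is_member

def rate_cost(pr_authors, orgs, use_cache, ttl=3600, clock=time.monotonic):
    """Rate-limit units consumed when checking every PR author against every org."""
    api = FakeOrgApi(members={"alice"})          # constructed membership data
    cache = MembershipCache(api, ttl, clock) if use_cache else None
    for user in pr_authors:
        for org in orgs:
            if cache is not None:
                cache.is_member(org, user)
            else:
                api.check_membership(org, user)  # the per-PR check the issue describes
    return api.rate_used

if __name__ == "__main__":
    prs = ["dependabot[bot]"] * 200 + ["alice"] * 5
    orgs = ["org-a", "org-b"]
    print("uncached:", rate_cost(prs, orgs, False))   # 410
    print("cached:  ", rate_cost(prs, orgs, True))    # 4
```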