mszostok / codeowners-validator

The GitHub CODEOWNERS file validator
Apache License 2.0

Owners check does not support child teams with inherited repo perms #40

Closed liamfd closed 3 years ago

liamfd commented 4 years ago

Description

When running the "owners" check on a child GitHub team which has inherited its repo perms from a parent, the GitHub action reports:

Team "engineering-foo" does not exist in organization "some-org" or has no permissions associated with the repository.

I took a look through the code, and I think the issue comes down to the generation of the teams list here. That appears to be making a call to the /repos/{owner}/{repo}/teams GitHub API endpoint, which, as far as I can tell, does not return teams that have inherited their repo permissions from another team.

This is for version 4.0 of this repo.

Expected result

This is a team that has access to the repo (indirectly), so I'd expect the "owners" check to pass.

Actual result

The "owners" check fails with the error message above.

Steps to reproduce

I've created an example PR here: https://github.com/test-verify-codeowners/owners-bug/pull/1.

For posterity, to set up that org, I:

  1. Created it, added a repo, and added the parent-team team
  2. Created child-team-inherit which just inherits parent-team's perms, and a child-team-override, where I overwrote the inherited perms to explicitly give it access (described in the workaround section below.)
  3. Added the appropriate personal access token to the org's secrets.
  4. Made the changes visible in that PR and opened the PR (more info in that PR's description).

Troubleshooting

Curling the repos endpoint with curl -H "Authorization: token <token>" https://api.github.com/repos/test-verify-codeowners/owners-bug/teams gives us:

[
  {
    "name": "parent-team",
    "id": 3934999,
    "node_id": "MDQ6VGVhbTM5MzQ5OTk=",
    "slug": "parent-team",
    "description": "",
    "privacy": "closed",
    "url": "https://api.github.com/organizations/68017749/team/3934999",
    "html_url": "https://github.com/orgs/test-verify-codeowners/teams/parent-team",
    "members_url": "https://api.github.com/organizations/68017749/team/3934999/members{/member}",
    "repositories_url": "https://api.github.com/organizations/68017749/team/3934999/repos",
    "permission": "pull",
    "parent": null
  },
  {
    "name": "child-team-override",
    "id": 3935004,
    "node_id": "MDQ6VGVhbTM5MzUwMDQ=",
    "slug": "child-team-override",
    "description": "This one also inherits, but also overrides.",
    "privacy": "closed",
    "url": "https://api.github.com/organizations/68017749/team/3935004",
    "html_url": "https://github.com/orgs/test-verify-codeowners/teams/child-team-override",
    "members_url": "https://api.github.com/organizations/68017749/team/3935004/members{/member}",
    "repositories_url": "https://api.github.com/organizations/68017749/team/3935004/repos",
    "permission": "pull",
    "parent": {
      "name": "parent-team",
      "id": 3934999,
      "node_id": "MDQ6VGVhbTM5MzQ5OTk=",
      "slug": "parent-team",
      "description": "",
      "privacy": "closed",
      "url": "https://api.github.com/organizations/68017749/team/3934999",
      "html_url": "https://github.com/orgs/test-verify-codeowners/teams/parent-team",
      "members_url": "https://api.github.com/organizations/68017749/team/3934999/members{/member}",
      "repositories_url": "https://api.github.com/organizations/68017749/team/3934999/repos",
      "permission": "pull"
    }
  }
]

Note that child-team-override's repo list is visually the same as child-team-inherit's repo list, but only parent-team and child-team-override show up in the above response.

Workarounds

We've found a workaround for this, which is to manually give the child teams perms on the repo in question.

  1. Go to the team's repository settings (e.g. https://github.com/orgs/test-verify-codeowners/teams/child-team-override/repositories).

  2. Find the repo in question

  3. Open its permissions dropdown and select the level of perms you want to give it (which should already be selected).

It will look basically the same, but if you cURL the endpoint again, it should now show up in the response, and the action will work.

Potential Solutions

I'm not really sure if this counts as a bug on your side. I haven't found any references to this behavior in the GitHub API docs, and it seems strange, so it could be a bug on their end. I'm planning to reach out to GitHub support today and see what they say.

However, I thought I'd open this and see what you think (and in case others run into this issue). If this behavior is intentional on their end (or just unlikely to change in the near future), I wonder if it would be possible to substitute calls to other endpoints. For example, hitting https://api.github.com/orgs/test-verify-codeowners/teams gives us a repositories url of https://api.github.com/organizations/68017749/team/3935001/repos for child-team-inherit, which does return the repo.

Also, thank you! This project is very helpful for us.

jspiro commented 3 years ago

I found that the tool reports this as a problem unless you explicitly add the repo to the team, even though in that situation it looks identical to inheritance; this fixes it from the tool's POV.

You can then remove it after explicitly adding it, and the repo will still show up as it did before, and still show that it has a write inherited, but the tool reports the issue.

So does GitHub require you to add it explicitly or does it support inherited permissions? If the latter, then it seems like there could be an additional API lookup as a fallback?
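The fallback that both the "Potential Solutions" section above and the last comment ask for, as an added example written for this thread (it is not code from codeowners-validator and does not follow the project's internal structure): the check first consults the repository's own team list (GET /repos/{owner}/{repo}/teams), and only when the team is missing there does it confirm the team exists in the organization and query the team's repository list (GET /orgs/{org}/teams/{team_slug}/repos), which the thread reports does include repositories with inherited permissions. The HTTP calls are hidden behind a small interface, and the in-memory fake is seeded with constructed data that mirrors the three teams from the issue (parent-team, child-team-override, child-team-inherit); all names and the TeamsAPI/OwnerCheck/NewFixture identifiers are assumptions for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Team is the subset of the GitHub team object that the check needs.
type Team struct {
	Slug       string
	Permission string // "pull", "push", "admin", ...
	Parent     *Team  // non-nil for child teams, as in the JSON above
}

// TeamsAPI abstracts the GitHub REST calls used below (assumed interface, not the project's).
// A real implementation would call:
//   RepoTeams -> GET /repos/{owner}/{repo}/teams
//   OrgTeams  -> GET /orgs/{org}/teams
//   TeamRepos -> GET /orgs/{org}/teams/{team_slug}/repos
type TeamsAPI interface {
	RepoTeams(owner, repo string) ([]Team, error)
	OrgTeams(org string) ([]Team, error)
	TeamRepos(org, slug string) ([]string, error) // full names "owner/repo"
}

// OwnerCheck decides whether `slug` is an acceptable team owner for org/repo.
// Pass 1 uses the repository's own team list (direct grants and explicit overrides).
// Pass 2 is the fallback: the team must exist in the org, and its repository list
// must contain the repo, which is how inherited permissions become visible.
func OwnerCheck(api TeamsAPI, org, repo, slug string) (ok bool, reason string, err error) {
	direct, err := api.RepoTeams(org, repo)
	if err != nil {
		return false, "", err
	}
	for _, t := range direct {
		if strings.EqualFold(t.Slug, slug) {
			return true, "direct", nil
		}
	}

	orgTeams, err := api.OrgTeams(org)
	if err != nil {
		return false, "", err
	}
	exists := false
	for _, t := range orgTeams {
		if strings.EqualFold(t.Slug, slug) {
			exists = true
			break
		}
	}
	if !exists {
		return false, fmt.Sprintf("team %q does not exist in organization %q", slug, org), nil
	}

	repos, err := api.TeamRepos(org, slug)
	if err != nil {
		return false, "", err
	}
	want := org + "/" + repo
	for _, r := range repos {
		if strings.EqualFold(r, want) {
			return true, "inherited", nil
		}
	}
	return false, fmt.Sprintf("team %q has no permissions on %s", slug, want), nil
}

// fakeAPI is an in-memory stand-in for GitHub, seeded with constructed data:
// parent-team and child-team-override appear in the repo's team list,
// child-team-inherit does not, yet all three teams list the repo.
type fakeAPI struct {
	repoTeams map[string][]Team   // "owner/repo" -> teams
	orgTeams  map[string][]Team   // org -> teams
	teamRepos map[string][]string // "org/slug" -> repos
}

func (f fakeAPI) RepoTeams(owner, repo string) ([]Team, error) { return f.repoTeams[owner+"/"+repo], nil }
func (f fakeAPI) OrgTeams(org string) ([]Team, error)          { return f.orgTeams[org], nil }
func (f fakeAPI) TeamRepos(org, slug string) ([]string, error) { return f.teamRepos[org+"/"+slug], nil }

// NewFixture builds the constructed fixture described above.
func NewFixture() TeamsAPI {
	const org, repo = "test-verify-codeowners", "owners-bug"
	parent := Team{Slug: "parent-team", Permission: "pull"}
	override := Team{Slug: "child-team-override", Permission: "pull", Parent: &parent}
	inherit := Team{Slug: "child-team-inherit", Permission: "pull", Parent: &parent}
	full := org + "/" + repo
	return fakeAPI{
		repoTeams: map[string][]Team{full: {parent, override}},
		orgTeams:  map[string][]Team{org: {parent, override, inherit}},
		teamRepos: map[string][]string{
			org + "/parent-team":         {full},
			org + "/child-team-override": {full},
			org + "/child-team-inherit":  {full},
		},
	}
}

func main() {
	api := NewFixture()
	for _, slug := range []string{"parent-team", "child-team-override", "child-team-inherit", "engineering-foo"} {
		ok, reason, err := OwnerCheck(api, "test-verify-codeowners", "owners-bug", slug)
		fmt.Printf("%-20s ok=%-5v %s %v\n", slug, ok, reason, err)
	}
}
```

The fallback only runs for teams that are absent from the repository's team list, so the common case costs no extra requests; the two error messages are kept distinct ("does not exist" versus "has no permissions") because the original message conflates them, which is what makes this failure hard to diagnose.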