Should we validate all GitHub API responses?

[lukpueh]

In #497 we use the response of one GitHub API request as input to a subsequent request without vetting. I don't think there's a realistic exploit scenario in this case. But there might be similar cases, where the lack of validation would be more problematic.

Would it make sense to e.g. use Pydantic for all GitHub API responses? It seems to be used for some already.

[netomi]

Renaming / archiving of a repo is a special case that needs extra effort. In most other cases this is not needed imho. If the operation does not succeed it fails and the error gets propagated to the caller.

I cant recall a case where you need to double check the result of an API call after it succeeded, but if there are occasions, it would be worth to add something like that.

Using pydantic models for that would be the logical choice, they are already used for the webhook events received from GitHub. You just need to be careful that you mark fields as optional if they really are, the documentation on GitHub's side in this regard is a bit sparse, a lot is trial and error.