allstar
allstar copied to clipboard
ossf
[Feature Request]: Check rulesets for branch protection rules
Currently it appears that allstar is not checking the GitHub rulesets active on a repository. Rulesets can be used to set branch protection rules on a repository and the details of it are obtained via a different API endpoint to the standard branch protection rules. This means that currently allstar can fail on branch protection rules, even when they've been implemented via rulesets.
As a user I would like allstar to check for branch protection rules from both sets of data So that I am not alerted for failing to implement branch protection when it's been implemented by a ruleset
As mentioned by @jeffmendoza I think combining the rulesets with branch protections policy makes sense as they do the same thing just in different ways.
Thanks :)
Initial question to investigate lack of checking regarding rulesets:
Hey 👋🏻
I've started to implement branch protection rules on repos via GitHub rulesets, rather than the original way of setting the protection and allstar has started raising issues saying they don't exist.
Is that because allstar isn't checking for rulesets or because I'm still missing something? I did have a little read of the repo and couldn't find specific reference. If it's not checking rulesets, will this be implemented in future?
Hi, thanks for asking! All the branch protection policy code here is from before rulesets came out. Looks like it is a separate API, and the code here does not see them.
I believe either combining ruleset checking with the current branch protection policy, or a new separate ruleset policy makes sense for Allstar. Feel free to open up a new feature-request issue (or edit this one) with any thoughts on how you would like to see it work out.
FWIW - I would vote for using the same allstar policy for both classic branch protection and rulesets. We have split use of the two features in our org and having to maintain opt-out/in lists for separate policies or forcing everyone into the same implementation would both be onerous.
