Merge pull request #6 from balena-io-experimental/kyle/drop-admin

Drop admin permissions from versioned source job
balena-io-experimental · Feb 2, 2024 · 9075cea · 9075cea
2 parents d638339 + 8d13738
commit 9075cea
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 193 deletions.
diff --git a/.github/workflows/flowzone.yml b/.github/workflows/flowzone.yml
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -24,36 +24,3 @@ jobs:
     secrets: inherit
     with:
       working_directory: ./tests
-      docker_images: |
-        ghcr.io/product-os/flowzone
-      balena_slugs: |
-        product_os/flowzone
-      cargo_targets: |
-        x86_64-unknown-linux-gnu,
-        armv7-unknown-linux-gnueabi,
-        aarch64-unknown-linux-gnu
-      cloudflare_website: "flowzone"
-      bake_targets: default,multiarch
-      jobs_timeout_minutes: 30
-      docker_publish_platform_tags: true
-      docker_runs_on: >
-        {
-          "linux/arm64": ["self-hosted","ARM64"],
-          "linux/arm/v7": ["self-hosted","ARM64"],
-          "linux/arm/v6": ["self-hosted","X64"]
-        }
-      # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources
-      custom_runs_on: >
-        [
-          ["ubuntu-20.04"],
-          ["ubuntu-22.04"],
-          ["macos-13"],
-          ["windows-2019"],
-          ["windows-2022"],
-          ["self-hosted"]
-        ]
-      runs_on: >
-        [
-          "self-hosted",
-          "X64"
-        ]
diff --git a/flowzone.yml b/flowzone.yml
@@ -238,8 +238,11 @@
   - &logGitHubContext
     name: Log GitHub context
     env:
+      <<: *gitHubCliEnvironment
       GITHUB_CONTEXT: ${{ toJSON(github) }}
-    run: echo "${GITHUB_CONTEXT}" || true
+    run: |
+      gh pr checks ${{ github.event.pull_request.number }} --required || true
+      echo "${GITHUB_CONTEXT}" || true
 
   - &deleteDraftGitHubRelease
     name: Delete draft GitHub release
@@ -538,61 +541,6 @@
     with:
       poetry-version: "1.5.1"
 
-  # If there are no existing protections an empty object will be returned
-  - &getBranchProtectionRules
-    name: Get branch protection rules
-    id: branch_protection
-    shell: bash --noprofile --norc -eo pipefail -x {0}
-    env:
-      <<: *gitHubCliEnvironment
-      GH_TOKEN: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }}
-    run: |
-      # Make the API call and get response with headers
-      full_response=$(gh api "${BRANCH_PROTECTION_URI}" -i --jq . || true)
-
-      # Separate headers and body
-      headers=$(echo "$full_response" | sed -n '/HTTP/{:start /HTTP.*\n.*/{N;b start};p}')
-      result=$(echo "$full_response" | sed -e '1,/^\r$/d')
-
-      # Extract HTTP status code
-      http_status=$(echo "$headers" | grep HTTP/ | awk '{print $2}')
-
-      message="$(echo "${result}" | jq -r .message)"
-      if ! [[ $message =~ null ]] || [[ "$http_status" != "200" ]]
-      then
-        case "${message}" in
-          "Branch not Found"|"Branch not protected")
-            echo  "::warning::${message}"
-            exit 0
-            ;;
-          *)
-            echo  "::error::${message}"
-            exit 1
-            ;;
-        esac
-      fi
-
-      echo "json=${result}" >> $GITHUB_OUTPUT
-
-      echo "required_status_checks__strict=$(jq -cr '.required_status_checks.strict // true' <<< "${result}")" >> $GITHUB_OUTPUT
-      echo "required_status_checks__contexts=$(jq -cr '.required_status_checks.contexts // []' <<< "${result}")" >> $GITHUB_OUTPUT
-
-      echo "required_pull_request_reviews__required_approving_review_count=$(jq -cr '.required_pull_request_reviews.required_approving_review_count // 0' <<< "${result}")" >> $GITHUB_OUTPUT
-      echo "required_pull_request_reviews__dismiss_stale_reviews=$(jq -cr '.required_pull_request_reviews.dismiss_stale_reviews // false' <<< "${result}")" >> $GITHUB_OUTPUT
-      echo "required_pull_request_reviews__require_code_owner_reviews=$(jq -cr '.required_pull_request_reviews.require_code_owner_reviews // false' <<< "${result}")" >> $GITHUB_OUTPUT
-
-      echo "required_pull_request_reviews__dismissal_restrictions__users=$(jq -cr '.required_pull_request_reviews.dismissal_restrictions.users // []' <<< "${result}")" >> $GITHUB_OUTPUT
-      echo "required_pull_request_reviews__dismissal_restrictions__teams=$(jq -cr '.required_pull_request_reviews.dismissal_restrictions.teams // []' <<< "${result}")" >> $GITHUB_OUTPUT
-      echo "required_pull_request_reviews__dismissal_restrictions__apps=$(jq -cr '.required_pull_request_reviews.dismissal_restrictions.apps // []' <<< "${result}")" >> $GITHUB_OUTPUT
-
-      echo "required_linear_history__enabled=$(jq -cr '.required_linear_history.enabled // false' <<< "${result}")" >> $GITHUB_OUTPUT
-      echo "allow_force_pushes__enabled=$(jq -cr '.allow_force_pushes.enabled // false' <<< "${result}")" >> $GITHUB_OUTPUT
-      echo "allow_deletions__enabled=$(jq -cr '.allow_deletions.enabled // false' <<< "${result}")" >> $GITHUB_OUTPUT
-      echo "required_conversation_resolution__enabled=$(jq -cr '.required_conversation_resolution.enabled // false' <<< "${result}")" >> $GITHUB_OUTPUT
-      echo "required_signatures__enabled=$(jq -cr '.required_signatures.enabled // false' <<< "${result}")" >> $GITHUB_OUTPUT
-      echo "enforce_admins__enabled=$(jq -cr '.enforce_admins.enabled // false' <<< "${result}")" >> $GITHUB_OUTPUT
-      echo "block_creations__enabled=$(jq -cr '.block_creations.enabled // false' <<< "${result}")" >> $GITHUB_OUTPUT
-
   - &sortNodeVersions
     name: Sort node versions
     id: node_versions
@@ -1047,7 +995,6 @@ jobs:
           # admin permission is currently required to bypass branch protection rules
           permissions: >-
             {
-              "administration": "write",
               "contents": "write",
               "metadata": "read",
               "pull_requests": "read"
@@ -3678,35 +3625,25 @@ jobs:
       inputs.toggle_auto_merge == true &&
       github.event.pull_request.user.type != 'Bot'
 
-    env:
-      BRANCH_PROTECTION_URI: repos/${{ github.repository }}/branches/${{ github.event.pull_request.base.ref }}/protection
-
     steps:
       - <<: *getGitHubAppToken
         with:
           <<: *getGitHubAppTokenWith
-          # avoid providing any permissions here that are able to bypass branch protections!
           permissions: >-
             {
-              "administration": "read",
               "contents": "write",
               "metadata": "read",
               "pull_requests": "write"
             }
           repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]'
 
-      - *getBranchProtectionRules
       - *isDraftPullRequest
 
       # Only toggle auto-merge if there is one or more required status checks on the branch
       - name: Toggle auto-merge
-        if: |
-          steps.is_draft_pr.outputs.result == 'false' &&
-          steps.branch_protection.outputs.json != '' &&
-          steps.branch_protection.outputs.required_status_checks__contexts != '[]'
+        if: steps.is_draft_pr.outputs.result == 'false'
         env:
           <<: *gitHubCliEnvironment
-          # DO NOT include any permissions here that would bypass branch protections!
           # DO NOT use the automatic github token (GITHUB_TOKEN) as it will not trigger merge events!
           GH_TOKEN: "${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }}"
         run: |

diff --git a/tests/docker-compose.test.yml b/tests/docker-compose.test.yml