Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add new "mergeable" apply requirement #43

Closed
atlantisbot opened this issue Mar 6, 2018 · 14 comments
Closed

Add new "mergeable" apply requirement #43

atlantisbot opened this issue Mar 6, 2018 · 14 comments
Labels
feature New functionality/enhancement

Comments

@atlantisbot
Copy link

Issue by @lkysow
Thursday Nov 30, 2017 at 06:54 GMT
Migrated from hootsuite/atlantis#210
Why was it migrated?

image

GitHub has lots of branch protections that we could support in Atlantis by requiring them to "pass" before we allow apply's. Right now you can specify --require-approval but this only looks for an approval, not necessarily the type of approval specified in the branch protections.

  • The API for branch protections is here: https://developer.github.com/v3/repos/branches/
  • We'd have to decide which ones to support (might be all of them)
  • The benefit here would be that there's more configuration available around who can apply
@atlantisbot
Copy link
Author

Comment by @mechastorm
Wednesday Jan 10, 2018 at 21:10 GMT

This will be especially useful for scenarios where we want to allow direct applies for lower environments but still want strict approvals for production environments.

@atlantisbot
Copy link
Author

Comment by @matthiasr
Friday Feb 16, 2018 at 09:09 GMT

As an alternative to explicitly supporting (and tracking) all the possible permutations of settings, could the condition simply be "branch can be merged"? That way GitHub will do the hard work and the status will be obvious from the PR itself.

@atlantisbot
Copy link
Author

Comment by @lkysow
Sunday Feb 18, 2018 at 06:57 GMT

@matthiasr thank you! That's a great idea. I just tested it out and the field mergeable_state is what we need to check if the protected branch restrictions are passing. It looks like it gets set to blocked if they're not passing and clean if they are.

The only tricky thing is that some people were asking me to have Atlantis set a status on the pull request to "not passing" until any pending apply's are applied. This would prevent the PR from being merged until the apply is complete. This would need to be configurable of course.

If people wanted both, we'd have to do something like checking if all the statuses were passing except for our special "pending apply's" status and then enable the apply.

@atlantisbot
Copy link
Author

Comment by @grobie
Tuesday Feb 27, 2018 at 16:31 GMT

From a security perspective I don't that proposed shortcut makes sense. An attacker gaining access to a Github account with admin capabilities could simply turn off all the branch protection features and the PR state will become passing.

IMO Atlantis should verify that all the branch protection features are enabled before running apply.

@atlantisbot
Copy link
Author

Comment by @matthiasr
Tuesday Feb 27, 2018 at 16:32 GMT

How does Atlantis know which features are desired/required to be enabled?

@atlantisbot
Copy link
Author

Comment by @matthiasr
Tuesday Feb 27, 2018 at 16:34 GMT

(My reading of the issue was that this is about checking which branch protections are set in GitHub and honoring them, not about enforcing that certain protections are set)

@atlantisbot
Copy link
Author

Comment by @grobie
Tuesday Feb 27, 2018 at 16:40 GMT

In order to be able to enforce that e.g. a change gets approval from a second person before being applied, these two things can't be separated. Atlantis would need to be configured (via flags or protected atlantis.yml) to verify that both certain protection settings are set and fulfilled. Otherwise a single compromised account (or evil employee) could simply disable all checks and cause Atlantis to apply changes.

@atlantisbot
Copy link
Author

Comment by @majormoses
Tuesday Feb 27, 2018 at 17:03 GMT

@grobie true it does pose a risk and I agree we could make it harder for an attacker but at the end of the day if someone is an admin in github they probably also have access to the other repo that would generate the server side atlantis.yaml. That being said I generally see security in forms of layers and I think we should support all the branch protection options from github and allow defining server side if you want say 2 approvals before atlantis will apply. This is the best of both worlds.

@atlantisbot atlantisbot mentioned this issue Mar 6, 2018
Closed
@lkysow lkysow added this to the 0.4 milestone Mar 15, 2018
@mwarkentin
Copy link
Contributor

Github has support for requiring multiple approvals now (but doesn't change what most of this discussion is about).

@lkysow lkysow changed the title Use GitHub protected branches to gate atlantis apply's Add new "mergeable" apply requirement Aug 2, 2018
@lkysow lkysow removed this from the 0.4 milestone Aug 4, 2018
@majormoses majormoses mentioned this issue Oct 17, 2018
Closed
@osterman osterman mentioned this issue Oct 18, 2018
Closed
@majormoses majormoses mentioned this issue Oct 21, 2018
Open
@majormoses majormoses mentioned this issue Nov 8, 2018
Open
@sstarcher
Copy link

We we prefer to implement this by adding a new flag or by modifying the existing logic of --require-approval

@majormoses
Copy link
Contributor

I can see it both ways, technically I think they should be two separate options as there are other branch protections in play such as repo not being up to date, signed commits, etc. Only downside I can see of this is if someone specified say --no-require-approval and --require-mergable on the same line but we could throw a useful validation error. This also maintains backwards compatibility. Just my $0.02

@sstarcher
Copy link

Another question arrises as this implementation is github specific if someone specified --require-mergable would we throw an error on any non-github VCS or would we ignore the setting for those VCS's?

@majormoses
Copy link
Contributor

From what I recall gitlab also has it, I could be wrong though.

@brndnmtthws brndnmtthws mentioned this issue Dec 11, 2018
Merged
@brndnmtthws
Copy link

If anyone wants to test #385 and provide any feedback, that would be great :)

brndnmtthws pushed a commit to brndnmtthws/atlantis that referenced this issue Dec 11, 2018
Add mergeable requirement.
e001353 
Introduce new `mergeable` requirement, in similar vein to the `approved`
requirement. Ran `make go-generate` to update mocks accordingly.

This addresses issue runatlantis#43.
@lkysow lkysow mentioned this issue Dec 12, 2018
Merged
@mwarkentin mwarkentin mentioned this issue Feb 26, 2019
Closed
@lkysow lkysow added the feature New functionality/enhancement label Apr 9, 2019
nishkrishnan added a commit that referenced this issue Feb 22, 2021
@nishkrishnan
Support pre-workflow hooks on all comment/auto triggered commands. (#43
8598c37 
…) (#1418)

Fixes pre-workflow-hooks not logging errors #1371
Prevents pre-workflow-hook from locking and cloning the dir if there are no hooks registered. #1342
meringu pushed a commit to meringu/atlantis that referenced this issue May 29, 2023
@lkysow
Comment on closed PR with locks/plans cleaned (runatlantis#43)
e03775d
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature New functionality/enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@mwarkentin @lkysow @brndnmtthws @majormoses @sstarcher @atlantisbot