benjefferies / branch-protection-bot

A bot tool to disable and re-enable the "Include administrators" option in branch protection

License: MIT License

Dockerfile 4.17% Python 95.83%
github bot branch protection github-actions actions branch-protection ci

branch-protection-bot's Introduction

Software Engineer with a DevOps Passion | Championing DevOps for Successful Engineering Teams

๐Ÿ‘จโ€๐Ÿ’ป Building Software | ๐Ÿš€ Automating Workflows | โ˜๏ธ Embracing Cloud Technologies

Welcome to my GitHub profile! I'm a driven Software Engineer with a deep passion for DevOps. I firmly believe that DevOps should be at the core of every successful engineering team, and I strive to empower teams to achieve their full potential through seamless collaboration, automation, and continuous improvement.

Here's what I bring to the table:

💡 Extensive Engineering Expertise: With a solid background in software development, I possess a diverse skill set that allows me to tackle complex challenges and deliver high-quality solutions.

🔧 DevOps Enthusiast: I am genuinely passionate about DevOps methodologies and tools. From building scalable infrastructure to automating deployment pipelines, I thrive on optimizing workflows and maximizing efficiency.

☁️ Cloud-First Mindset: I embrace the power of cloud technologies and leverage them to create scalable, resilient, and secure solutions. Whether it's AWS, Azure, or GCP, I'm well-versed in cloud platforms.

🚀 Continuous Improvement Advocate: I believe in the power of continuous learning and improvement. I stay up-to-date with the latest industry trends, best practices, and emerging technologies to deliver innovative and cutting-edge solutions.

Collaborative Team Player: Collaboration is key to success. I excel in cross-functional teams, fostering a positive and inclusive environment where ideas are shared, and collective goals are achieved.

Let's connect and collaborate on exciting projects! Feel free to explore my repositories and reach out for any software engineering or DevOps endeavors. Together, we can elevate the success of engineering teams through the power of DevOps.

branch-protection-bot's People

Contributors

benjefferies, crazy-matt, dependabot[bot], litaocdl

branch-protection-bot's Issues

Error when using Action: Pipenv is not intended to work under the root directory, please choose another path

In the past 24 hours or so there's been an error when trying to run the Action:

This of course fails the whole workflow.

Here are the raw logs for both steps that benjefferies/[email protected] is part of:
2_Build [email protected]
11_Enable include administrators branch protection.txt

The error seems to be this:

2020-05-28T07:18:48.8729872Z ERROR: Pipenv is not intended to work under the root directory, please choose another path.
2020-05-28T07:18:49.0731624Z The command '/bin/sh -c PIP_USER=1 PIP_IGNORE_INSTALLED=1 pipenv install --system --deploy --ignore-pipfile' returned a non-zero code: 1

ModuleNotFoundError: No module named 'typing_extensions'

Running into the following issue in our CI pipeline for auto-release. It seems that typing_extensions package just needs to be added. Here is a reference I found msiemens/tinydb#413

Run benjefferies/branch-protection-bot@master
Traceback (most recent call last):
  File "/bin/run.py", line 6, in <module>
    from github3 import login
  File "/pyroot/lib/python3.7/site-packages/github3/__init__.py", line 20, in <module>
    from .api import enterprise_login
  File "/pyroot/lib/python3.7/site-packages/github3/api.py", line 9, in <module>
    from .github import GitHub
  File "/pyroot/lib/python3.7/site-packages/github3/github.py", line 8, in <module>
    from . import apps
  File "/pyroot/lib/python3.7/site-packages/github3/apps.py", line 7, in <module>
    import jwt
  File "/pyroot/lib/python3.7/site-packages/jwt/__init__.py", line 1, in <module>
    from .api_jwk import PyJWK, PyJWKSet
  File "/pyroot/lib/python3.7/site-packages/jwt/api_jwk.py", line 7, in <module>
    from .algorithms import get_default_algorithms, has_crypto, requires_cryptography
  File "/pyroot/lib/python3.7/site-packages/jwt/algorithms.py", line 27, in <module>
    from typing_extensions import Literal

Failed to load paths: /bin/sh: 1: /root/.local/share/virtualenvs/src-iJ1xCYIx/bin/python: not found

When I run this action, I see the following error in the log:

  Step 8/12 : RUN PIP_USER=1 PIP_IGNORE_INSTALLED=1 pipenv install --system --deploy --ignore-pipfile
   ---> Running in 296166cff1ec
  Installing dependencies from Pipfile.lock (cdebd1)…
  Failed to load paths: /bin/sh: 1: /root/.local/share/virtualenvs/src-iJ1xCYIx/bin/python: not found
  
  Output: 
  Failed to load paths: /bin/sh: 1: /root/.local/share/virtualenvs/src-iJ1xCYIx/bin/python: not found
  
  Output: 
  Failed to load paths: /bin/sh: 1: /root/.local/share/virtualenvs/src-iJ1xCYIx/bin/python: not found
  
  Output: 
  Removing intermediate container 296166cff1ec
   ---> 8a1e87250567
  Step 9/12 : FROM base

The action seems to work, but this error is worrying. What causes it?

Question: Does this action toggle the state unconditionally?

Not an issue, and excuse me if this is made clear somewhere, but it seems like this action toggles the state of the setting rather than explicitly setting it to on or off. This is probably fine in most cases but I'm worried about cases where the first step succeeds, turning the setting off, then my build exits without turning it back on. So when I go to build again, I'm flipping it from off=>on. Does this action consider this scenario and prevent unintended states of this setting?
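
The failure mode raised in this question, as an added example that is not part of the original issue and is not the bot's own code: a constructed in-memory flag (FakeProtection, hypothetical, like every other name in the block) is driven through two failing runs, once by toggling and once by setting an explicit value with a guaranteed restore. It does not show how branch-protection-bot itself behaves.

```python
# Added illustration; not code from branch-protection-bot.
from contextlib import contextmanager


class FakeProtection:
    """Constructed in-memory stand-in for one branch's enforce_admins flag."""
    def __init__(self, enforce_admins=True):
        self.enforce_admins = enforce_admins


def run_with_toggle(p, release):
    p.enforce_admins = not p.enforce_admins   # intended: on -> off
    release()                                 # if this raises, the flip back never runs
    p.enforce_admins = not p.enforce_admins   # intended: off -> on


@contextmanager
def admins_exempt(p):
    """Set the flag to an explicit value and restore it even if the body raises."""
    p.enforce_admins = False
    try:
        yield
    finally:
        p.enforce_admins = True


def run_with_explicit_state(p, release):
    with admins_exempt(p):
        release()


def simulate(runner, runs=2):
    """Run a release that always fails; return (flag during release, flag after run)."""
    p = FakeProtection(enforce_admins=True)
    history = []
    for _ in range(runs):
        seen = {}

        def release():
            seen["during"] = p.enforce_admins
            raise RuntimeError("constructed build failure")
        try:
            runner(p, release)
        except RuntimeError:
            pass
        history.append((seen["during"], p.enforce_admins))
    return history
```

With toggling, the first failed run leaves administrators exempt and the second run performs its release with enforcement switched on; with explicit values, every run ends with enforcement restored.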

[Feature] Wildcard-Branch protection

First, let me thank you for this useful action! As I have set this up in our repository I encountered a problem which could lead into a feature request for this action.

We protect our branches based on wildcards, f.e. development/*, which matches all branches starting with development/. When your branch-protection-bot action is executed it will create a new branch protection rule (based on the wildcard rules) and will not update our existing wildcard protection. When the action re-enables the 'include administrators' option it will only do it on the newly created branch protection rule.

This is not a real problem but forces us to update all branch protection rules and not just one wildcard when we f.e. want to enforce a new status check.

I have two ideas about this:

  1. Add a configuration option to support specific branch-protection rules (so we can target our wildcard-rules)
  2. Add a configuration option which allows instead of toggling the state of 'include administrators' to remove the newly created branch protection rule

Would love to hear your ideas about it.

Bot fails when "Require pull request reviews before merging" is selected

This bot is a great idea! I have been using it and it generally works well, however, when I add the rule "Require pull request reviews before merging" for master branch protection then I get an error that "At least 1 approving review is required by reviewers with write access" (pasted below, but for context you can see the logs here).

remote: error: GH006: Protected branch update failed for refs/heads/master.        
remote: error: At least 1 approving review is required by reviewers with write access. 

Would it be possible to modify the bot such that this rule is set to false as well when we disable master branch protection? I guess it would be possible, looking at the docs I see that required_pull_request_reviews can be set to NULL to do so using the branch protection API? The github3 docs here also suggest it could be done with github3.repos.branch.ProtectionRequiredPullRequestReviews?

Feature request: disable more settings

This bot works great for just the "include administrators" part of branch protections (thanks!). But there are other branch protection settings that can be useful to remove from the default branch so that bots can push to it:

  • Requiring an approving review
  • Required status checks

Example build:

ERROR remote: error: GH006: Protected branch update failed for refs/heads/main.        
remote: error: At least 1 approving review is required by reviewers with write access. 10 of 10 required status checks are expected.        
To https://github.com/JoshuaKGoldberg/template-typescript-node-package
 * [new tag]         v1.24.0 -> v1.24.0
 ! [remote rejected] main -> main (protected branch hook declined)

Would you be open to expanding scope of this bot to also disable & enable those?

ModuleNotFoundError: No module named 'uritemplate' when running action

Hi! A couple of days ago the GitHub Action started to fail with the following:

2020-06-06T16:38:23.6715369Z ##[group]Run benjefferies/[email protected]
2020-06-06T16:38:23.6715528Z with:
2020-06-06T16:38:23.6716100Z   access-token: ***
2020-06-06T16:38:23.6716225Z   enforce_admins: false
2020-06-06T16:38:23.6716359Z   branch: master
2020-06-06T16:38:23.6716474Z   retries: 5
2020-06-06T16:38:23.6716613Z ##[endgroup]
2020-06-06T16:38:23.6753506Z ##[command]/usr/bin/docker run --name d35c4cb2359e4743f799603dd827d62448_1d73a6 --label 3888d3 --workdir /github/workspace --rm -e INPUT_ACCESS-TOKEN -e INPUT_ENFORCE_ADMINS -e INPUT_OWNER -e INPUT_REPO -e INPUT_BRANCH -e INPUT_RETRIES -e ACCESS_TOKEN -e OWNER -e REPO -e BRANCH -e RETRIES -e ENFORCE_ADMINS -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/typescript-starter/typescript-starter":"/github/workspace" 3888d3:5c4cb2359e4743f799603dd827d62448
2020-06-06T16:38:37.1376617Z Traceback (most recent call last):
2020-06-06T16:38:37.1378091Z   File "/bin/run.py", line 6, in <module>
2020-06-06T16:38:37.1386279Z     from github3 import login
2020-06-06T16:38:37.1388009Z   File "/pyroot/lib/python3.7/site-packages/github3/__init__.py", line 24, in <module>
2020-06-06T16:38:37.1388607Z     from .api import (
2020-06-06T16:38:37.1389581Z   File "/pyroot/lib/python3.7/site-packages/github3/api.py", line 13, in <module>
2020-06-06T16:38:37.1390203Z     from .github import GitHub, GitHubEnterprise
2020-06-06T16:38:37.1391157Z   File "/pyroot/lib/python3.7/site-packages/github3/github.py", line 8, in <module>
2020-06-06T16:38:37.1391683Z     import uritemplate
2020-06-06T16:38:37.1392768Z ModuleNotFoundError: No module named 'uritemplate'

The GitHub workflow has remained unchanged since 12 days ago and it was working.
