Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Precedence order not working as expected for arrays in branch policy #722

Open
riprasad opened this issue Dec 29, 2024 · 2 comments
Open

Precedence order not working as expected for arrays in branch policy #722

riprasad opened this issue Dec 29, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@riprasad
Copy link

Problem Description

As per the README - The precedence order for settings file is repository > suborg > org (.github/repos/.yml > .github/suborgs/.yml > .github/settings.yml

However, when defining branch policies at both the suborganization and repository levels, policies that require array inputs are merged rather than being overridden.

What is actually happening

suborg/default.bpr.yml

suborgrepos:
  - '*'
  
branches:
  - name: default
    protection:
        required_pull_request_reviews: null
        required_status_checks: null
        enforce_admins: false
        restrictions:
            apps: ['app-01', 'app-02']
            users: ['user-01']
            teams: []

repos/repo.yml


branches:
  - name: default
    protection:
        required_pull_request_reviews: null
        required_status_checks: null
        enforce_admins: true
        restrictions:
            apps: ['app-03']
            users: ['user-02']
            teams: []

Properties with boolean or string input types are functioning as expected, and the values defined in the repo.yml file are being correctly applied. However, properties with array input types are being merged instead of being overridden.

For instance, the restriction being applied is:

        restrictions:
            apps: ['app-01', 'app-02', 'app-03']
            users: ['user-01', 'user-02']
            teams: []

What is the expected behavior

Only the apps and users defined in the repo.yml should be applied, while the apps and users defined the sub-org level should be ignored.

        restrictions:
            apps: ['app-03']
            users: ['user-02']
            teams: []

Error output, if available

NA

Context

Are you using the hosted instance of probot/settings or running your own?

Running Safe Settings via Github Actions

If running your own instance, are you using it with github.com or GitHub Enterprise?

github.com

Version of probot/settings

2.1.14

Version of GitHub Enterprise

NA
@riprasad riprasad added the bug Something isn't working label Dec 29, 2024
@riprasad
Copy link
Author

riprasad commented Dec 30, 2024
edited
Loading

I'm observing the same behavior with rulesets as well when overriding the bypass_actors in the repository-level settings file.

Additionally, duplicate patterns are being created because the merged config has the same pattern twice

conditions: {
      "ref_name": {
        "include": [
          "refs/heads/rhoai-*",
          "refs/heads/rhoai-*"
        ],
        "exclude": []
      }
Screenshot 2024-12-30 at 4 26 21 PM

@riprasad
Copy link
Author

I discovered that the issue stems from the way safe-settings creates the final merged config from the settings files. There's also an edge case where the API call fails due to duplicate elements in the merged config. I've filed another bug report with all the relevant details.

#723

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@riprasad