github.com/SAP/jenkins-library@v1.362.0/cmd/githubCheckBranchProtection.go

github.com/SAP/jenkins-library@v1.362.0/cmd/githubCheckBranchProtection.go (about)

     1  package cmd
     2  
     3  import (
     4  	"context"
     5  	"fmt"
     6  	"strings"
     7  
     8  	"github.com/SAP/jenkins-library/pkg/log"
     9  	"github.com/SAP/jenkins-library/pkg/telemetry"
    10  	"github.com/google/go-github/v45/github"
    11  
    12  	"github.com/pkg/errors"
    13  
    14  	piperGithub "github.com/SAP/jenkins-library/pkg/github"
    15  )
    16  
    17  type gitHubBranchProtectionRepositoriesService interface {
    18  	GetBranchProtection(ctx context.Context, owner, repo, branch string) (*github.Protection, *github.Response, error)
    19  }
    20  
    21  func githubCheckBranchProtection(config githubCheckBranchProtectionOptions, telemetryData *telemetry.CustomData) {
    22  	// TODO provide parameter for trusted certs
    23  	ctx, client, err := piperGithub.NewClientBuilder(config.Token, config.APIURL).Build()
    24  	if err != nil {
    25  		log.Entry().WithError(err).Fatal("Failed to get GitHub client")
    26  	}
    27  
    28  	err = runGithubCheckBranchProtection(ctx, &config, telemetryData, client.Repositories)
    29  	if err != nil {
    30  		log.Entry().WithError(err).Fatal("GitHub branch protection check failed")
    31  	}
    32  }
    33  
    34  func runGithubCheckBranchProtection(ctx context.Context, config *githubCheckBranchProtectionOptions, telemetryData *telemetry.CustomData, ghRepositoriesService gitHubBranchProtectionRepositoriesService) error {
    35  	ghProtection, _, err := ghRepositoriesService.GetBranchProtection(ctx, config.Owner, config.Repository, config.Branch)
    36  	if err != nil {
    37  		return errors.Wrap(err, "failed to read branch protection information")
    38  	}
    39  
    40  	// validate required status checks
    41  	for _, check := range config.RequiredChecks {
    42  		var found bool
    43  		foundContexts := []string{}
    44  		if requiredStatusChecks := ghProtection.GetRequiredStatusChecks(); requiredStatusChecks != nil {
    45  			foundContexts = requiredStatusChecks.Contexts
    46  		}
    47  		for _, context := range foundContexts {
    48  			if check == context {
    49  				found = true
    50  			}
    51  		}
    52  		if !found {
    53  			return fmt.Errorf("required status check '%v' not found among '%v' in branch protection configuration", check, strings.Join(foundContexts, ","))
    54  		}
    55  	}
    56  
    57  	// validate that admins are enforced in checks
    58  	if config.RequireEnforceAdmins && !ghProtection.GetEnforceAdmins().Enabled {
    59  		return fmt.Errorf("admins are not enforced in branch protection configuration")
    60  	}
    61  
    62  	// validate number of mandatory reviewers
    63  	if config.RequiredApprovingReviewCount > 0 && ghProtection.GetRequiredPullRequestReviews().RequiredApprovingReviewCount < config.RequiredApprovingReviewCount {
    64  		return fmt.Errorf("not enough mandatory reviewers in branch protection configuration, expected at least %v, got %v", config.RequiredApprovingReviewCount, ghProtection.GetRequiredPullRequestReviews().RequiredApprovingReviewCount)
    65  	}
    66  
    67  	return nil
    68  }