From 0dba8da367e85974270a9fcdc768f41fc41cca77 Mon Sep 17 00:00:00 2001 From: Ihor Hrytskiv Date: Tue, 3 Sep 2024 17:49:59 +0300 Subject: [PATCH 1/4] feat: Add support for code_scanning Signed-off-by: Ihor Hrytskiv --- github/repos_rules.go | 33 +++++++++++++++++++++++++++++++++ github/repos_rules_test.go | 12 ++++++++++++ 2 files changed, 45 insertions(+) diff --git a/github/repos_rules.go b/github/repos_rules.go index 3c6e8f01c92..f6eff8bdb69 100644 --- a/github/repos_rules.go +++ b/github/repos_rules.go @@ -130,6 +130,18 @@ type RequiredWorkflowsRuleParameters struct { RequiredWorkflows []*RuleRequiredWorkflow `json:"workflows"` } +// RuleRequiredCodeScanningTools represents the RequiredCodeScanningTools for the RequiredCodeScanningParameters object. +type RuleRequiredCodeScanningTools struct { + AlertsThreshold string `json:"alerts_threshold"` + SecurityAlertsThreshold string `json:"security_alerts_threshold"` + Tool string `json:"tool"` +} + +// RequiredCodeScanningRuleParameters represents the code_scanning rule parameters. +type RequiredCodeScanningRuleParameters struct { + RequiredCodeScanningTools []RuleRequiredCodeScanningTools `json:"code_scanning_tools"` +} + // RepositoryRule represents a GitHub Rule. type RepositoryRule struct { Type string `json:"type"` @@ -229,6 +241,15 @@ func (r *RepositoryRule) UnmarshalJSON(data []byte) error { bytes, _ := json.Marshal(params) rawParams := json.RawMessage(bytes) + r.Parameters = &rawParams + case "code_scanning": + params := RequiredCodeScanningRuleParameters{} + if err := json.Unmarshal(*RepositoryRule.Parameters, ¶ms); err != nil { + return err + } + bytes, _ := json.Marshal(params) + rawParams := json.RawMessage(bytes) + r.Parameters = &rawParams default: r.Type = "" 
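Review bot: The two threshold fields of `RuleRequiredCodeScanningTools` are bare strings with no comment naming the values the API accepts, so a typo or a zero-value entry is only caught by the server, if at all. Since these strings decide how strict the scanning gate is, I would document them on the fields, e.g. `// AlertsThreshold is one of "none", "errors", "errors_and_warnings", "all".` and `// SecurityAlertsThreshold is one of "none", "critical", "high_or_higher", "medium_or_higher", "all".` (value lists from GitHub's ruleset documentation; re-check against the current API reference). The struct describes a single tool entry, so a singular type name would read better than `...Tools`.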
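Review bot: The new `case "code_scanning":` dereferences `*RepositoryRule.Parameters` with no nil check, so a rule object that arrives without a `parameters` key would panic the caller instead of returning an error. This assumes the field is a pointer like `r.Parameters`; its declaration is outside the hunk. A guard before the unmarshal, `if RepositoryRule.Parameters == nil { r.Parameters = nil; return nil }`, or an explicit error if a code_scanning rule without tools is meaningless, keeps a malformed response from crashing the client. `bytes, _ := json.Marshal(params)` also discards its error, and returning it costs one `if`. UnmarshalJSON starts and ends outside the hunk, and none of the tests added in this series exercise the missing-parameters case.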
@@ -406,6 +427,18 @@ func NewRequiredWorkflowsRule(params *RequiredWorkflowsRuleParameters) (rule *Re } } +// NewRequiredCodeScanningRule creates a rule to require which tools must provide code scanning results before the reference is updated. +func NewRequiredCodeScanningRule(params *RequiredCodeScanningRuleParameters) (rule *RepositoryRule) { + bytes, _ := json.Marshal(params) + + rawParams := json.RawMessage(bytes) + + return &RepositoryRule{ + Type: "code_scanning", + Parameters: &rawParams, + } +} + // NewFilePathRestrictionRule creates a rule to restrict file paths from being pushed to. func NewFilePathRestrictionRule(params *RuleFileParameters) (rule *RepositoryRule) { bytes, _ := json.Marshal(params) diff --git a/github/repos_rules_test.go b/github/repos_rules_test.go index 92f7259d0c8..fba9e62f89c 100644 --- a/github/repos_rules_test.go +++ b/github/repos_rules_test.go @@ -262,6 +262,18 @@ func TestRepositoryRule_UnmarshalJSON(t *testing.T) { }, }), }, + "Required code_scanning params": { + data: `{"type":"code_scanning","parameters":{"code_scanning_tools":[{"tool": "CodeQL", "security_alerts_threshold": "high_or_higher", "alerts_threshold": "errors"}]}}`, + want: NewRequiredCodeScanningRule(&RequiredCodeScanningRuleParameters{ + RequiredCodeScanningTools: []RuleRequiredCodeScanningTools{ + { + Tool: "CodeQL", + SecurityAlertsThreshold: "high_or_higher", + AlertsThreshold: "errors", + }, + }, + }), + }, "Invalid type": { data: `{"type":"unknown"}`, want: &RepositoryRule{ From b700143ee80f36237b7c5c2d480521de50de0527 Mon Sep 17 00:00:00 2001 From: Ihor Hrytskiv Date: Tue, 3 Sep 2024 18:58:27 +0300 Subject: [PATCH 2/4] PR review fixes Signed-off-by: Ihor Hrytskiv --- github/repos_rules.go | 2 +- github/repos_rules_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/github/repos_rules.go b/github/repos_rules.go index f6eff8bdb69..9acae6675c4 100644 --- a/github/repos_rules.go +++ b/github/repos_rules.go 
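Review bot: `NewRequiredCodeScanningRule` accepts a nil `params` or an empty tool list without complaint; `json.Marshal` of a nil pointer yields `null`, so the rule is built with no scanner named. How the API treats such a rule is not visible here, but since this is a merge gate the caller should not have to guess. I would state the expectation in the doc comment, e.g. `// params must name at least one tool; a nil or empty value yields a rule with no required scanner.` The discarded error in `bytes, _ := json.Marshal(params)` matches the neighbouring `NewFilePathRestrictionRule`, so it is at least consistent with the file.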
@@ -139,7 +139,7 @@ type RuleRequiredCodeScanningTools struct { // RequiredCodeScanningRuleParameters represents the code_scanning rule parameters. type RequiredCodeScanningRuleParameters struct { - RequiredCodeScanningTools []RuleRequiredCodeScanningTools `json:"code_scanning_tools"` + RequiredCodeScanningTools []*RuleRequiredCodeScanningTools `json:"code_scanning_tools"` } // RepositoryRule represents a GitHub Rule. diff --git a/github/repos_rules_test.go b/github/repos_rules_test.go index fba9e62f89c..1756fe3465c 100644 --- a/github/repos_rules_test.go +++ b/github/repos_rules_test.go @@ -265,7 +265,7 @@ func TestRepositoryRule_UnmarshalJSON(t *testing.T) { "Required code_scanning params": { data: `{"type":"code_scanning","parameters":{"code_scanning_tools":[{"tool": "CodeQL", "security_alerts_threshold": "high_or_higher", "alerts_threshold": "errors"}]}}`, want: NewRequiredCodeScanningRule(&RequiredCodeScanningRuleParameters{ - RequiredCodeScanningTools: []RuleRequiredCodeScanningTools{ + RequiredCodeScanningTools: []*RuleRequiredCodeScanningTools{ { Tool: "CodeQL", SecurityAlertsThreshold: "high_or_higher", From 2a80399143ee2a6d12c52fff656819e6ac024a17 Mon Sep 17 00:00:00 2001 From: Ihor Hrytskiv Date: Wed, 4 Sep 2024 09:46:27 +0300 Subject: [PATCH 3/4] Add more tests Signed-off-by: Ihor Hrytskiv --- github/orgs_rules_test.go | 90 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) diff --git a/github/orgs_rules_test.go b/github/orgs_rules_test.go index 13d4c76da0c..566aaaad8ba 100644 --- a/github/orgs_rules_test.go +++ b/github/orgs_rules_test.go @@ -205,6 +205,18 @@ func TestOrganizationsService_CreateOrganizationRuleset_RepoNames(t *testing.T) "operator": "contains", "pattern": "github" } + }, + { + "type": "code_scanning", + "parameters": { + "code_scanning_tools": [ + { + "tool": "CodeQL", + "security_alerts_threshold": "high_or_higher", + "alerts_threshold": "errors" + } + ] + } } ] }`) 
@@ -292,6 +304,15 @@ func TestOrganizationsService_CreateOrganizationRuleset_RepoNames(t *testing.T) Operator: "contains", Pattern: "github", }), + NewRequiredCodeScanningRule(&RequiredCodeScanningRuleParameters{ + RequiredCodeScanningTools: []*RuleRequiredCodeScanningTools{ + { + Tool: "CodeQL", + SecurityAlertsThreshold: "high_or_higher", + AlertsThreshold: "errors", + }, + }, + }), }, }) if err != nil { @@ -379,6 +400,15 @@ func TestOrganizationsService_CreateOrganizationRuleset_RepoNames(t *testing.T) Operator: "contains", Pattern: "github", }), + NewRequiredCodeScanningRule(&RequiredCodeScanningRuleParameters{ + RequiredCodeScanningTools: []*RuleRequiredCodeScanningTools{ + { + Tool: "CodeQL", + SecurityAlertsThreshold: "high_or_higher", + AlertsThreshold: "errors", + }, + }, + }), }, } if !cmp.Equal(ruleset, want) { @@ -531,6 +561,18 @@ func TestOrganizationsService_CreateOrganizationRuleset_RepoProperty(t *testing. "operator": "contains", "pattern": "github" } + }, + { + "type": "code_scanning", + "parameters": { + "code_scanning_tools": [ + { + "tool": "CodeQL", + "security_alerts_threshold": "high_or_higher", + "alerts_threshold": "errors" + } + ] + } } ] }`) @@ -625,6 +667,15 @@ func TestOrganizationsService_CreateOrganizationRuleset_RepoProperty(t *testing. Operator: "contains", Pattern: "github", }), + NewRequiredCodeScanningRule(&RequiredCodeScanningRuleParameters{ + RequiredCodeScanningTools: []*RuleRequiredCodeScanningTools{ + { + Tool: "CodeQL", + SecurityAlertsThreshold: "high_or_higher", + AlertsThreshold: "errors", + }, + }, + }), }, }) if err != nil { 
@@ -719,6 +770,15 @@ func TestOrganizationsService_CreateOrganizationRuleset_RepoProperty(t *testing. Operator: "contains", Pattern: "github", }), + NewRequiredCodeScanningRule(&RequiredCodeScanningRuleParameters{ + RequiredCodeScanningTools: []*RuleRequiredCodeScanningTools{ + { + Tool: "CodeQL", + SecurityAlertsThreshold: "high_or_higher", + AlertsThreshold: "errors", + }, + }, + }), }, } if !cmp.Equal(ruleset, want) { @@ -863,6 +923,18 @@ func TestOrganizationsService_CreateOrganizationRuleset_RepoIDs(t *testing.T) { "operator": "contains", "pattern": "github" } + }, + { + "type": "code_scanning", + "parameters": { + "code_scanning_tools": [ + { + "tool": "CodeQL", + "security_alerts_threshold": "high_or_higher", + "alerts_threshold": "errors" + } + ] + } } ] }`) @@ -948,6 +1020,15 @@ func TestOrganizationsService_CreateOrganizationRuleset_RepoIDs(t *testing.T) { Operator: "contains", Pattern: "github", }), + NewRequiredCodeScanningRule(&RequiredCodeScanningRuleParameters{ + RequiredCodeScanningTools: []*RuleRequiredCodeScanningTools{ + { + Tool: "CodeQL", + SecurityAlertsThreshold: "high_or_higher", + AlertsThreshold: "errors", + }, + }, + }), }, }) if err != nil { @@ -1033,6 +1114,15 @@ func TestOrganizationsService_CreateOrganizationRuleset_RepoIDs(t *testing.T) { Operator: "contains", Pattern: "github", }), + NewRequiredCodeScanningRule(&RequiredCodeScanningRuleParameters{ + RequiredCodeScanningTools: []*RuleRequiredCodeScanningTools{ + { + Tool: "CodeQL", + SecurityAlertsThreshold: "high_or_higher", + AlertsThreshold: "errors", + }, + }, + }), }, } if !cmp.Equal(ruleset, want) { From ce74de3c48ba06040cef586a1853b527bd20e27b Mon Sep 17 00:00:00 2001 From: Ihor Hrytskiv Date: Thu, 5 Sep 2024 09:32:52 +0300 Subject: [PATCH 4/4] Add more tests Signed-off-by: Ihor Hrytskiv --- github/repos_rules_test.go | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) 
diff --git a/github/repos_rules_test.go b/github/repos_rules_test.go index db030ec959b..aafdc3ff81f 100644 --- a/github/repos_rules_test.go +++ b/github/repos_rules_test.go @@ -293,7 +293,7 @@ func TestRepositoryRule_UnmarshalJSON(t *testing.T) { }, wantErr: true, }, - "Required workflows params": { + "Valid Required workflows params": { data: `{"type":"workflows","parameters":{"workflows":[{"path": ".github/workflows/test.yml", "repository_id": 1}]}}`, want: NewRequiredWorkflowsRule(&RequiredWorkflowsRuleParameters{ RequiredWorkflows: []*RuleRequiredWorkflow{ @@ -304,7 +304,15 @@ func TestRepositoryRule_UnmarshalJSON(t *testing.T) { }, }), }, - "Required code_scanning params": { + "Invalid Required workflows params": { + data: `{"type":"workflows","parameters":{"workflows":[{"path": ".github/workflows/test.yml", "repository_id": "test"}]}}`, + want: &RepositoryRule{ + Type: "workflows", + Parameters: nil, + }, + wantErr: true, + }, + "Valid Required code_scanning params": { data: `{"type":"code_scanning","parameters":{"code_scanning_tools":[{"tool": "CodeQL", "security_alerts_threshold": "high_or_higher", "alerts_threshold": "errors"}]}}`, want: NewRequiredCodeScanningRule(&RequiredCodeScanningRuleParameters{ RequiredCodeScanningTools: []*RuleRequiredCodeScanningTools{ @@ -316,6 +324,14 @@ func TestRepositoryRule_UnmarshalJSON(t *testing.T) { }, }), }, + "Invalid Required code_scanning params": { + data: `{"type":"code_scanning","parameters":{"code_scanning_tools":[{"tool": 1}]}}`, + want: &RepositoryRule{ + Type: "code_scanning", + Parameters: nil, + }, + wantErr: true, + }, "Invalid type": { data: `{"type":"unknown"}`, want: &RepositoryRule{