Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

github_branch_protection does not enable "Require status checks to pass before merging" #880

Closed
gertjanmaas opened this issue Aug 13, 2021 · 8 comments
Labels
r/branch_protection Status: Stale Used by stalebot to clean house Type: Bug Something isn't working as documented

Comments

@gertjanmaas
Copy link

Terraform Version

➜ terraform --version
Terraform v1.0.3
on darwin_amd64
+ provider registry.terraform.io/hashicorp/github v4.13.0
+ provider registry.terraform.io/integrations/github v4.13.0

Affected Resource(s)

  • github_branch_protection

Terraform Configuration Files

resource "github_branch_protection" "main_branch" {
  repository_id  = github_repository.my_test_repo.name

  pattern                 = "main"
  enforce_admins   = true

  required_status_checks {
    strict  = true
  }

  required_pull_request_reviews {
    required_approving_review_count = 1
  }
}

Expected Behavior

"Require status checks to pass before merging" and "Require branches to be up to date before merging" options in branch protection should be enabled.

Actual Behavior

"Require status checks to pass before merging" is disabled and "Require branches to be up to date before merging" is enabled.

Steps to Reproduce

  1. Use the configuration above
  2. terraform apply

Important Factoids

We upgraded from github provider 3.0.0 to 4.13.0 a while ago and recently noticed that this configuration behaves differently.
In 3.0.0 setting strict = true in required_status_checks would enable both "Require status checks to pass before merging" and "Require branches to be up to date before merging".
In 4.13.0 it only enables "Require branches to be up to date before merging", which is weird because that option in the UI is hidden behind "Require status checks to pass before merging".

Note that the intention here is to require all status checks to pass before merging. Passing an empty contexts = [] in the required_status_checks block does not seem to help and we're applying these branch protection rules on multiple repositories where we don't know the context names.

@jcudit jcudit added Type: Bug Something isn't working as documented r/branch_protection labels Aug 31, 2021
@ShaunEgan
Copy link

Can confirm, I am experiencing the same issue with the 4.13.0 version.

@martinmigasiewicz-tomtom

I am facing this problem as well on 4.14 and realized that it works if I go back to github_branch_protection_v3.

@kfcampbell
Copy link
Member

I've confirmed this behavior. Using the above HCL produces a weird state in the GitHub UI where status checks aren't required before merging:
image

But upon clicking that checkbox, the "up to date" checkbox appears, already checked:
image

which is not the usual behavior of the checkbox when purely operating through the GitHub API.

Upon further debugging, the issue happens because ok is not returning true in this line of code. I am still unsure of what's causing it to be set that way. I've determined that it's not related to an Update call, so something weird is happening on the initial creation.

This definitely requires more investigation.

@kfcampbell
Copy link
Member

Okay! I'm back with another update on this issue. It turns out that the reason that check isn't enabled is because of the statusChecksDiffSuppression function that was created in #614 to fix #572.

I'm playing around with some solutions in #954 to see if I can fix this without causing a regression of #572.

Incidentally, I found it helpful to set up a debugger to figure out what was going on here, so I've opened #955 to document that in hopes it'll be useful for others in the future.

@kfcampbell
Copy link
Member

kfcampbell commented Oct 22, 2021

Upon further thought, I might it might be best to remove the diff suppression function wholesale (with other minor code changes).

The current behavior is incorrect, and I am unable to produce the bug in #572, which appears to be a constant spurious diff.

When strict status checks are set to true, the second apply (making no changes after the initial terraform apply) looks like this:

first_diff

Subsequent applies look like this:

second_diff

When creating branch protection rules with strict status checks, the second apply look like this:

fourth_diff

And subsequent ones look like this:

image

All applies appear correct in fuctionality, in contract to the first system. I've updated #954 to remove the diff suppresion func entirely, and I'll post these findings and mention the original authors there to see if they have comments.

@kfcampbell
Copy link
Member

I've done more extensive testing (documented here) and the fix is ready for review!

@github-actions
Copy link

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!

@github-actions github-actions bot added the Status: Stale Used by stalebot to clean house label Nov 30, 2022
@kfcampbell
Copy link
Member

Closing this issue as #954 has been merged already.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
r/branch_protection Status: Stale Used by stalebot to clean house Type: Bug Something isn't working as documented
Projects
None yet
Development

No branches or pull requests

5 participants