#!/usr/bin/env bash
# repo_rules.sh: validates GitHub branch protection rules for one repository.
# Requires curl and jq on PATH plus the helper library sourced below.
set -euo pipefail

# Absolute directory of this script, so the helper library resolves regardless
# of the caller's working directory.
readonly PROGDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# shellcheck source=SCRIPTDIR/.util/print.sh
source "${PROGDIR}/.util/print.sh"
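#######################################
# Entry point: parses the command line, validates required flags and runs
# the protection-rule checks.
# Arguments:
#   --repo <org>/<name>   repository to inspect (required)
#   --token <token>       GitHub token used for the API call (required)
#   --branch <branch>     branch to inspect (default: main)
#   --verbose             print the raw JSON returned by the API
#   --help, -h            print usage and exit 0
# Outputs:
#   "Valid" via util::print::success when every rule passes, otherwise
#   "Invalid" via util::print::error.
#######################################
function main() {
  # Initialise every flag variable: a bare `local name` leaves the variable
  # unset, and "${verbose}" below would then abort under `set -u` whenever
  # --verbose is not given.
  local repo="" token="" branch="" verbose=""

  while [[ "${#}" != 0 ]]; do
    case "${1}" in
      --repo)
        repo="${2}"
        shift 2
        ;;
      --token)
        token="${2}"
        shift 2
        ;;
      --branch)
        branch="${2}"
        shift 2
        ;;
      --verbose)
        verbose=true
        shift 1
        ;;
      --help|-h)
        shift 1
        usage
        exit 0
        ;;
      "")
        # skip if the argument is empty (the script is invoked as main "${@:-}")
        shift 1
        ;;
      *)
        # util::print::error is relied upon to exit; if it only printed, this
        # loop would never consume the offending argument.
        util::print::error "unknown argument \"${1}\""
        ;;
    esac
  done

  if [[ -z "${repo}" ]]; then
    usage
    echo
    util::print::error "--repo is a required flag"
  fi

  if [[ -z "${token}" ]]; then
    usage
    echo
    util::print::error "--token is a required flag"
  fi

  if [[ -z "${branch}" ]]; then
    branch="main"
  fi

  # NOTE: the pattern is unanchored, so it only requires that some
  # <lowercase>/<lowercase> substring exists. ${repo} is interpolated into the
  # API URL by rules(), so it should still come from a trusted operator.
  if [[ ! "${repo}" =~ [a-z-]+/[a-z-]+ ]]; then
    util::print::error "--repo argument must match <org>/<name> format"
  fi

  if rules "${token}" "${repo}" "${branch}" "${verbose}"; then
    util::print::success "Valid"
  else
    util::print::error "Invalid"
  fi
}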
#######################################
# Prints the command-line help text to stdout.
#######################################
function usage() {
  printf '%s\n' \
    'repo_rules.sh --repo <repo> --token <token> [OPTIONS]' \
    'Validates branch protection rules for a GitHub repository.' \
    'OPTIONS' \
    '--branch <branch> branch to check for protection rules (default: main)' \
    '--help -h prints the command usage' \
    '--repo <repo> name of the GitHub repository to check in the form <org>/<name>' \
    '--token <token> GitHub token used to check the repository' \
    '--verbose Print the JSON returned from the API'
}
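#######################################
# Fetches the branch protection settings from the GitHub API and evaluates
# every rule against them.
# Arguments:
#   $1 - GitHub token
#   $2 - repository as <org>/<name>
#   $3 - branch name
#   $4 - non-empty to print the raw API JSON to stdout
# Outputs:
#   one util::print::yellow line per failing rule; the JSON when verbose;
#   the API error payload on stderr when the request fails.
# Returns:
#   0 when every rule passes, 1 when any rule fails or the API call fails.
#######################################
function rules() {
  local token repo branch verbose json
  token="${1}"
  repo="${2}"
  branch="${3}"
  verbose="${4}"

  # The Authorization header is supplied on stdin (`--header @-`, curl >= 7.55,
  # already implied by --fail-with-body) instead of argv, so the token is not
  # exposed in `ps` output or `set -x` traces.
  if ! json="$(
    curl "https://api.github.com/repos/${repo}/branches/${branch}/protection" \
      --fail-with-body \
      --show-error \
      --silent \
      --request GET \
      --header "Accept: application/vnd.github.luke-cage-preview+json" \
      --header @- <<< "Authorization: token ${token}"
  )"; then
    # --fail-with-body keeps the API's error payload in ${json}; surface it
    # before reporting the failure (util::print::error is expected to exit;
    # the return covers the case where it only prints).
    printf '%s\n' "${json}" >&2
    util::print::error "failed to fetch branch protection for ${repo} (${branch})"
    return 1
  fi

  if [[ -n "${verbose}" ]]; then
    jq -r . <<< "${json}"
  fi

  # Every rule prints its own diagnostic; only the overall verdict is kept so
  # all failures are reported in a single run.
  local valid=0
  rules::present "$(jq -r .url <<< "${json}")" "${branch}" || valid=1
  rules::reviews::count "$(jq .required_pull_request_reviews.required_approving_review_count <<< "${json}")" || valid=1
  rules::reviews::stale::dismiss "$(jq .required_pull_request_reviews.dismiss_stale_reviews <<< "${json}")" || valid=1
  rules::reviews::codeowner "$(jq .required_pull_request_reviews.require_code_owner_reviews <<< "${json}")" || valid=1
  rules::checks::strict "$(jq .required_status_checks.strict <<< "${json}")" || valid=1
  rules::checks::integration "$(jq '.required_status_checks.contexts | index("Integration Tests")' <<< "${json}")" || valid=1
  rules::checks::labels "$(jq '.required_status_checks.contexts | index("Ensure Minimal Semver Labels")' <<< "${json}")" || valid=1
  rules::history::linear "$(jq .required_linear_history.enabled <<< "${json}")" || valid=1
  rules::administrators::include "$(jq .enforce_admins.enabled <<< "${json}")" || valid=1
  rules::push::force::deny "$(jq .allow_force_pushes.enabled <<< "${json}")" "${branch}" || valid=1
  # Pass the branch explicitly, mirroring rules::push::force::deny, instead of
  # relying on bash's dynamic scoping of this function's ${branch}.
  rules::branch::delete::deny "$(jq .allow_deletions.enabled <<< "${json}")" "${branch}" || valid=1

  util::print::break
  return "${valid}"
}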
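#######################################
# Checks that the API returned a protection object at all.
# Arguments:
#   $1 - value of .url from the API response ("" or "null" when absent)
#   $2 - branch name, used in the diagnostic
# Outputs:
#   an error via util::print::error when no rules are present
# Returns:
#   0 when a protection URL is present, 1 otherwise
#######################################
function rules::present() {
  local url branch
  url="${1}"
  branch="${2}"

  if [[ -z "${url}" || "${url}" == "null" ]]; then
    util::print::error "No branch protection rules defined for ${branch} (or you do not have permission)"
    # util::print::error is expected to exit; return 1 so the caller still
    # records a failure (instead of a silent 0) if it only prints.
    return 1
  fi
}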
#######################################
# Rule: exactly one approving review must be required.
# Arguments:
#   $1 - .required_pull_request_reviews.required_approving_review_count
# Returns:
#   0 when the count is 1, 1 otherwise (after printing a warning)
#######################################
function rules::reviews::count() {
  local pr_review_count="${1}"

  [[ "${pr_review_count}" == "1" ]] && return 0

  util::print::yellow 'Merging: Required approving reviews is not 1'
  return 1
}
#######################################
# Rule: stale approvals must be dismissed when new commits are pushed.
# Arguments:
#   $1 - .required_pull_request_reviews.dismiss_stale_reviews
# Returns:
#   0 when the value is "true", 1 otherwise (after printing a warning)
#######################################
function rules::reviews::stale::dismiss() {
  local dismiss="${1}"

  case "${dismiss}" in
    true)
      return 0
      ;;
    *)
      util::print::yellow 'Merging: Dismiss stale pull request approvals when new commits are pushed - not enabled'
      return 1
      ;;
  esac
}
#######################################
# Rule: a review from a code owner must be required.
# Arguments:
#   $1 - .required_pull_request_reviews.require_code_owner_reviews
# Returns:
#   0 when the value is "true", 1 otherwise (after printing a warning)
#######################################
function rules::reviews::codeowner() {
  local codeowner_review="${1}"

  if [[ "${codeowner_review}" == "true" ]]; then
    return 0
  fi

  util::print::yellow 'Merging: Require review from a codeowner - not enabled'
  return 1
}
#######################################
# Rule: branches must be up to date and status checks must pass before merge.
# Arguments:
#   $1 - .required_status_checks.strict
# Returns:
#   0 when the value is "true", 1 otherwise (after printing a warning)
#######################################
function rules::checks::strict() {
  local status_checks="${1}"

  case "${status_checks}" in
    true)
      return 0
      ;;
    *)
      util::print::yellow 'Merging: Require status checks to pass before merge - not enabled'
      return 1
      ;;
  esac
}
#######################################
# Rule: the required status checks must include "Integration Tests".
# Arguments:
#   $1 - result of jq's index("Integration Tests") on the contexts array:
#        an index when present, "null" (or "") when absent
# Returns:
#   0 when the context is present, 1 otherwise (after printing a warning)
#######################################
function rules::checks::integration() {
  local status_checks_int="${1}"

  case "${status_checks_int}" in
    ""|null)
      util::print::yellow 'Merging: Required status checks do not contain Integration Tests'
      return 1
      ;;
  esac
}
#######################################
# Rule: the required status checks must include "Ensure Minimal Semver Labels".
# Arguments:
#   $1 - result of jq's index("Ensure Minimal Semver Labels") on the contexts
#        array: an index when present, "null" (or "") when absent
# Returns:
#   0 when the context is present, 1 otherwise (after printing a warning)
#######################################
function rules::checks::labels() {
  local status_checks_labels="${1}"

  [[ -n "${status_checks_labels}" && "${status_checks_labels}" != "null" ]] && return 0

  util::print::yellow 'Merging: Required status checks do not contain "Ensure Minimal Semver Labels"'
  return 1
}
#######################################
# Rule: linear history must be required.
# Arguments:
#   $1 - .required_linear_history.enabled
# Returns:
#   0 when the value is "true", 1 otherwise (after printing a warning)
#######################################
function rules::history::linear() {
  local linear_history="${1}"

  if [[ "${linear_history}" == "true" ]]; then
    return 0
  fi

  util::print::yellow 'Require linear history - not enabled'
  return 1
}
#######################################
# Rule: protection rules must also be enforced for administrators.
# Arguments:
#   $1 - .enforce_admins.enabled
# Returns:
#   0 when the value is "true", 1 otherwise (after printing a warning)
#######################################
function rules::administrators::include() {
  local enforce_admins="${1}"

  case "${enforce_admins}" in
    true)
      return 0
      ;;
    *)
      util::print::yellow 'Enforce all restrictions for admins - not enabled'
      return 1
      ;;
  esac
}
#######################################
# Rule: force pushes to the protected branch must be disallowed.
# Arguments:
#   $1 - .allow_force_pushes.enabled
#   $2 - branch name, used in the diagnostic
# Returns:
#   0 when the value is "false", 1 otherwise (after printing a warning)
#######################################
function rules::push::force::deny() {
  local force_pushes="${1}" branch="${2}"

  [[ "${force_pushes}" == "false" ]] && return 0

  util::print::yellow "Allow force pushes to ${branch} - enabled"
  return 1
}
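#######################################
# Rule: deleting the protected branch must be disallowed.
# Arguments:
#   $1 - .allow_deletions.enabled
#   $2 - branch name for the diagnostic (optional). When omitted, falls back
#        to a ${branch} variable visible from the caller's scope, which is
#        what the original implicitly relied on through bash dynamic scoping.
# Returns:
#   0 when the value is "false", 1 otherwise (after printing a warning)
#######################################
function rules::branch::delete::deny() {
  local deletions="${1}"
  # The right-hand side is expanded before `local` shadows the name, so
  # ${branch} still refers to the caller's variable when $2 is not given;
  # the inner :- keeps `set -u` from aborting when neither exists.
  local branch="${2:-${branch:-}}"

  if [[ "${deletions}" != "false" ]]; then
    util::print::yellow "Allow users to delete ${branch} - enabled"
    return 1
  fi
}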
# "${@:-}" expands to a single empty argument when the script is run with no
# arguments, which main() tolerates through its "" case; with arguments it
# expands to each of them unchanged.
main "${@:-}"