@trask trask commented Nov 20, 2025

What kind of change does this PR introduce?

What is the current behavior?

Currently, when a classic branch protection rule is inaccessible (no special github token provided to access it):

  • When it's the default branch, it will see if there is a ruleset for the default branch and use it if one exists
  • When it's not the default branch, it will error, and you won't get a score for Branch-Protection

What is the new behavior (if this is a feature change)?

These two behaviors match. In both cases, it will see if there is a ruleset for the branch and use it if one exists.

  • Tests for the changes have been added (for bug fixes/features)

I didn't find any existing tests for this code (either the default or non-default branch case). I can introduce if you wish.

Which issue(s) this PR fixes

NONE

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

Branch-Protection check now falls back to using GitHub Rulesets for non-default branches when classic branch protection rules are inaccessible (e.g., when using fine-grained access tokens without admin permissions).
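
The before/after behavior described in this PR, as an added Go sketch that is not part of the PR and is not Scorecard's code. Every type, function, and error name is hypothetical, the repository data is constructed, and the outcome when no ruleset targets the branch is an assumption because the description does not cover it.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical model for illustration; none of these names come from Scorecard.
var (
	errClassicInaccessible = errors.New("classic branch protection rule not accessible with this token")
	errNoData              = errors.New("no readable protection data for branch")
)

type repoView struct {
	defaultBranch  string
	canReadClassic bool                // false for a token without admin permission
	rulesets       map[string][]string // branch -> rulesets targeting it (constructed)
}

// protectionSource reports where a branch's protection data would come from.
// defaultOnly=true models the behavior before the change, false the behavior after it.
func protectionSource(r repoView, branch string, defaultOnly bool) (string, error) {
	if r.canReadClassic {
		return "classic", nil // accessible path, not the case this PR changes
	}
	if defaultOnly && branch != r.defaultBranch {
		return "", errClassicInaccessible // before: non-default branch errors, so no score
	}
	if rs := r.rulesets[branch]; len(rs) > 0 {
		return "rulesets:" + strings.Join(rs, ","), nil
	}
	return "", errNoData // assumption: the page does not cover the no-ruleset case
}

func sampleRepo() repoView { // constructed sample data
	return repoView{defaultBranch: "main", rulesets: map[string][]string{
		"main": {"main-rules"}, "release/1.x": {"release-rules"}}}
}

func main() {
	for _, b := range []string{"main", "release/1.x", "dev"} {
		for _, old := range []bool{true, false} {
			src, err := protectionSource(sampleRepo(), b, old)
			fmt.Printf("branch=%-12s defaultOnly=%-5v source=%q err=%v\n", b, old, src, err)
		}
	}
}
```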

@trask trask requested a review from a team as a code owner November 20, 2025 04:01
@trask trask requested review from raghavkaul and spencerschrock and removed request for a team November 20, 2025 04:01
@trask trask temporarily deployed to integration-test November 20, 2025 04:01 — with GitHub Actions Inactive
@dosubot dosubot bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Nov 20, 2025
Signed-off-by: Trask Stalnaker <trask.stalnaker@gmail.com>
codecov bot commented Nov 20, 2025

Codecov Report

❌ Patch coverage is 0% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.59%. Comparing base (353ed60) to head (4e140f9).
⚠️ Report is 281 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4853      +/-   ##
==========================================
+ Coverage   66.80%   69.59%   +2.78%     
==========================================
  Files         230      251      +21     
  Lines       16602    15657     -945     
==========================================
- Hits        11091    10896     -195     
+ Misses       4808     3891     -917     
- Partials      703      870     +167     

@spencerschrock
Member

/scdiff generate Branch-Protection

@spencerschrock spencerschrock left a comment

Thanks. I tested this on actions/checkout with a fine grained PAT and it fixed the check.

Note to self: We already had some code duplication between setup and query, and now there's even more. It would be nice to clean up eventually.

@spencerschrock spencerschrock merged commit 41acae5 into ossf:main Nov 20, 2025
36 of 37 checks passed