
Support public repositories with secretscanning, or pushprotection #72

Open
timja opened this issue May 26, 2022 · 4 comments

Comments

@timja
Contributor

timja commented May 26, 2022

I hit a few issues when trying to run this repo.

  1. repo.json was super confusing that I had to copy your sample repos.json before I could load repos with yarn run getRepos
  2. Public repositories were filtered out with no option to enable it on
  3. Advanced security was force enabled when secretscanning or pushprotection was enabled, but public repositories always have AS enabled; this caused the script to error out.

Error:

    data: {
      message: 'Advanced security is always available for public repos',
      documentation_url: 'https://docs.github.com/rest/reference/repos#update-a-repository'
    }

My diff to make this work:

diff --git a/src/utils/paginateQuery.ts b/src/utils/paginateQuery.ts
index 804cfc7..6704887 100644
--- a/src/utils/paginateQuery.ts
+++ b/src/utils/paginateQuery.ts
@@ -64,18 +64,13 @@ const getRepositoryInOrganizationPaginate = async (
       const languageCheck = process.env.LANGUAGE_TO_CHECK
         ? name.toLocaleLowerCase() === `${process.env.LANGUAGE_TO_CHECK}`
         : true;
-      const publicRepoCheck =
-        process.env.GHES === "true"
-          ? true
-          : visibility === "PRIVATE" || visibility === "INTERNAL"
-          ? true
-          : false;
+      const publicRepoCheck = visibility === "PRIVATE" || visibility === "INTERNAL"
+          ? false
+          : true;
       return (viewerPermission === "ADMIN" || viewerPermission === null) &&
         isArchived === false &&
         languageCheck &&
-        publicRepoCheck
-        ? true
-        : false;
+        publicRepoCheck;
     });

     inform(
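Review bot: the new `publicRepoCheck` inverts the filter rather than widening it: it is now `false` for PRIVATE and INTERNAL repositories, so the script will only ever touch public repos and silently skip every private/internal one, and the GHES branch (where all visibilities were included) is gone too. If the goal is to add public repos, keep the existing inclusion and make public opt-in, for example `const includePublic = process.env.GHES === "true" || process.env.INCLUDE_PUBLIC === "true";` and `const publicRepoCheck = visibility !== "PUBLIC" || includePublic;`. The `? false : true` can also be written as a plain negation.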
diff --git a/src/utils/worker.ts b/src/utils/worker.ts
index 9a047ec..734a33a 100644
--- a/src/utils/worker.ts
+++ b/src/utils/worker.ts
@@ -8,7 +8,7 @@ import { createPullRequest } from "./createPullRequest.js";
 import { writeToFile } from "./writeToFile.js";
 import { restClient as octokit } from "./clients";
 import { commitFileMac } from "./commitFile.js";
-import { enableGHAS } from "./enableGHAS.js";
+//import { enableGHAS } from "./enableGHAS.js";
 import { enableDependabotAlerts } from "./enableDependabotAlerts";
 import { enableDependabotFixes } from "./enableDependabotUpdates";
 import { enableIssueCreation } from "./enableIssueCreation";
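Review bot: commenting out the `enableGHAS` import leaves dead code in the module and, combined with the commented-out call below, removes GHAS enablement for everyone; if the call is to be kept for private repositories the import must stay, and if it is really unused it should be deleted rather than commented out.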
@@ -49,9 +49,9 @@ export const worker = async (): Promise<unknown> => {
       const [owner, repo] = repoName.split("/");

       // If Code Scanning or Secret Scanning need to be enabled, let's go ahead and enable GHAS first
-      enableCodeScanning || enableSecretScanning
+      /*enableCodeScanning || enableSecretScanning
         ? await enableGHAS(owner, repo, client)
-        : null;
+        : null;*/

       // If they want to enable Dependabot, and they are NOT on GHES (as that currently isn't GA yet), enable Dependabot
       enableDependabot && process.env.GHES != "true"
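Review bot: disabling the `enableGHAS` call unconditionally fixes the "Advanced security is always available for public repos" error for public repositories but breaks the private/internal case, where secret scanning and code scanning cannot be turned on until GHAS is enabled. The visibility is already known from the repository query, so gate the call instead of removing it, e.g. only call `enableGHAS(owner, repo, client)` when `(enableCodeScanning || enableSecretScanning) && visibility !== "PUBLIC"` (or when running on GHES), and leave the `null` branch for the public case.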

Anyway, thanks for the repo; it saved me time and it's all working with my hacks.
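The two changes this post wants (let public repositories through the filter, and do not call the GHAS-enable endpoint on public github.com repos where it is rejected) written as a pair of pure decision functions. This is an added illustration, not code from the ghas-enablement project: the field names mirror the GraphQL fields used in the diff, while the `includePublic` option and the assumption that GHES is treated like the original script (every visibility included, GHAS enabled for all) are the author's own.

```typescript
// Added example, not the project's own code. Field names follow the diff above;
// `includePublic` (an INCLUDE_PUBLIC-style opt-in) is an assumption.
type Visibility = "PUBLIC" | "PRIVATE" | "INTERNAL";

interface RepoNode {
  nameWithOwner: string;
  visibility: Visibility;
  viewerPermission: "ADMIN" | "WRITE" | "READ" | null;
  isArchived: boolean;
  primaryLanguage: string | null;
}

interface FilterOptions {
  ghes: boolean;            // running against GitHub Enterprise Server
  includePublic: boolean;   // opt in to public repos on GHEC (github.com)
  languageToCheck?: string; // optional primary-language filter
}

// Keep private/internal repos as before; add public repos only when opted in
// (or on GHES, where the original script includes every visibility).
const shouldIncludeRepo = (r: RepoNode, o: FilterOptions): boolean => {
  const languageOk = o.languageToCheck
    ? (r.primaryLanguage ?? "").toLocaleLowerCase() ===
      o.languageToCheck.toLocaleLowerCase()
    : true;
  const visibilityOk = r.visibility !== "PUBLIC" || o.ghes || o.includePublic;
  const adminOk = r.viewerPermission === "ADMIN" || r.viewerPermission === null;
  return adminOk && !r.isArchived && languageOk && visibilityOk;
};

interface EnableOptions {
  ghes: boolean;
  enableSecretScanning: boolean;
  enableCodeScanning: boolean;
}

// GHAS must be switched on before secret scanning / code scanning on private and
// internal repos, but the repo-update endpoint rejects that for public repos on
// github.com ("Advanced security is always available for public repos"), so the
// call is skipped there. GHES keeps the original behaviour (assumption).
const needsGhasEnable = (visibility: Visibility, o: EnableOptions): boolean => {
  if (!o.enableSecretScanning && !o.enableCodeScanning) return false;
  if (visibility === "PUBLIC" && !o.ghes) return false;
  return true;
};
```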

@NickLiffen
Owner

Thank you for this feedback 🙇

I am keen for your thoughts on how we could improve this:

repo.json was super confusing that I had to copy your sample repos.json before I could load repos with yarn run getRepos

The reason for this is we had people committing in large files of repos and we got feedback that this was 💩. So We changed it to stop that. Was the README.md not clear enough? I do want to make this experience better.

Are you a GHES (enterprise server) customer? Or a GHEC customer? The reason I ask is this:

Public repositories were filtered out with no option to enable it on

For GHEC (github.com) everything should automatically be enabled? 👀 so you shouldn't need to enable for any public repos? 🤔

What were you looking to do?

Thanks for the feedback @timja 🙇 I would love to make this better and if there was a bug happy to make changes to get it working.

@timja
Contributor Author

timja commented May 26, 2022

I am keen for your thoughts on how we could improve this:

There is soo much text in the README.

I skipped past the instructions and went to this step where I could start copying commands:
https://github.com/NickLiffen/ghas-enablement#set-up-instructions

I would suggest creating the file if it doesn't exist, changing the code from doing a straight import of it to using file system APIs and handling it for the user. This step seems really unnecessary if you are running yarn run getRepos as I want you to load repos.

Are you a GHES (enterprise server) customer? Or a GHEC customer? The reason I ask is this:

Cloud

everything should automatically be enabled
What were you looking to do

Push protection and secret scanning are not enabled automatically for public repos.
There is a setting to enable it for new ones but no setting to do it retroactively.
Sales / account team pointed us at your repo (which worked perfectly after my hacks).

Note: as shown in the error, you do not need to explicitly enable advanced security, but you still do need to enable the features.

@NickLiffen
Owner

I would suggest creating the file if it doesn't exist, changing the code from doing a straight import of it to using file system APIs and handling it for the user. This step seems really unnecessary if you are running yarn run getRepos as I want you to load repos.

Will add this to the backlog 👍

Push protection and secret scanning are not enabled automatically for public repos.

hmmm 🤔 I know push protection is but secret scanning should be 🤔 anyway, thanks for the feedback 👍 you obviously ran into a bug, thanks for logging it 👍 I am working on another feature here, but after that will get around to fixing both these problems 🙇

@NickLiffen
Owner

Hey @timja 👋

Just wanted to let you know I fixed this problem:

I would suggest creating the file if it doesn't exist, changing the code from doing a straight import of it to using file system APIs and handling it for the user. This step seems really unnecessary if you are running yarn run getRepos as I want you to load repos.
repo.json was super confusing that I had to copy your sample repos.json before I could load repos with yarn run getRepos

I am now going to take a look at this:

Public repositories were filtered out with no option to enable it on
Advanced security was force enabled when secretscanning or pushprotection was enabled but public repositories always have AS enabled this caused the script to error out.

Will try and have something done by EOW. I will leave this issue open until both are fixed 👍
