Allow ruleset settings to be overridden outside of safe settings.

jitran · jitran · commit d6946ccf949a · 2025-01-25T20:28:55.000+11:00
diff --git a/lib/plugins/branches.js b/lib/plugins/branches.js
@@ -129,18 +129,19 @@ module.exports = class Branches extends ErrorStash {
   getLastKey (obj, property) {
     const keys = property.split('.')
     for (let i = 0; i < keys.length - 1; i++) {
-      if (!obj[keys[i]]) return [obj, keys[i]]
+      if (!obj[keys[i]]) return [null, null]
       obj = obj[keys[i]]
     }
     return [obj, keys[keys.length - 1]]
   }
 
-  removeOverrides (source, target) {
+  removeOverrides (source, existing) {
     if (source) {
       overrides.forEach(override => {
         let [obj, lastKey] = this.getLastKey(source, override)
+        if (!obj) return
         if ((Array.isArray(obj[lastKey]) || typeof obj[lastKey] === 'string') && obj[lastKey].includes('{{EXTERNALLY_DEFINED}}')) {
-          let [obj2, lastKey2] = this.getLastKey(target, override)
+          let [obj2, lastKey2] = this.getLastKey(existing, override)
           if (obj2[lastKey2]) {
             obj[lastKey] = obj2[lastKey2]
           } else if (Array.isArray(obj[lastKey])) {
diff --git a/lib/plugins/rulesets.js b/lib/plugins/rulesets.js
@@ -2,6 +2,9 @@ const Diffable = require('./diffable')
 const NopCommand = require('../nopcommand')
 const MergeDeep = require('../mergeDeep')
 const ignorableFields = []
+const overrides = [
+  'required_status_checks',
+]
 
 const version = {
   'X-GitHub-Api-Version': '2022-11-28'
@@ -92,6 +95,51 @@ module.exports = class Rulesets extends Diffable {
     return merged.hasChanges
   }
 
+  getObjectRef (data, dataKey) {
+    const results = []
+    const traverse = (obj) => {
+      for (const key in obj) {
+        if (key === dataKey) {
+          results.push(obj)
+        } else if (Array.isArray(obj[key])) {
+          obj[key].forEach(element => traverse(element))
+        } else if (typeof obj[key] === 'object' && obj[key]) {
+          traverse(obj[key])
+        }
+      }
+    }
+    traverse(data)
+    return results
+  }
+
+  // When {{EXTERNALLY_DEFINED}} is found in the override value, retain the
+  // existing value from GitHub.
+  // Note:
+  //   - The admin settings could define multiple overrides, but the GitHub API
+  //     retains one only.
+  //   - The PUT method for rulesets (update) allows for multiple overrides.
+  //   - The POST method for rulesets (create) allows for one override only.
+  removeOverrides (source, existing) {
+    overrides.forEach(override => {
+      let sourceRefs = this.getObjectRef(source, override)
+      let data = JSON.stringify(sourceRefs, null, 2)
+      if (data.includes('{{EXTERNALLY_DEFINED}}')) {
+        let existingRefs = this.getObjectRef(existing, override)
+        sourceRefs.forEach(sourceRef => {
+          if (existingRefs[0]) {
+            sourceRef[override] = existingRefs[0][override]
+          } else if (Array.isArray(sourceRef[override])) {
+            sourceRef[override] = []
+          } else if (typeof sourceRef[override] === 'object' && sourceRef[override]) {
+            sourceRef[override] = {}
+          } else {
+            sourceRef[override] = ''
+          }
+        })
+      }
+    })
+  }
+
   update (existing, attrs) {
     const parms = this.wrapAttrs(Object.assign({ id: existing.id }, attrs))
     if (this.scope === 'org') {
@@ -100,6 +148,7 @@ module.exports = class Rulesets extends Diffable {
           new NopCommand(this.constructor.name, this.repo, this.github.request.endpoint('PUT /orgs/{org}/rulesets/{id}', parms), 'Update Ruleset')
         ])
       }
+      this.removeOverrides(parms, existing)
       this.log.debug(`Updating Ruleset with the following values ${JSON.stringify(parms, null, 2)}`)
       return this.github.request('PUT /orgs/{org}/rulesets/{id}', parms).then(res => {
         this.log(`Ruleset updated successfully ${JSON.stringify(res.url)}`)
@@ -113,6 +162,7 @@ module.exports = class Rulesets extends Diffable {
           new NopCommand(this.constructor.name, this.repo, this.github.request.endpoint('PUT /repos/{owner}/{repo}/rulesets/{id}', parms), 'Update Ruleset')
         ])
       }
+      this.removeOverrides(parms, existing)
       this.log.debug(`Updating Ruleset with the following values ${JSON.stringify(parms, null, 2)}`)
       return this.github.request('PUT /repos/{owner}/{repo}/rulesets/{id}', parms).then(res => {
         this.log(`Ruleset updated successfully ${JSON.stringify(res.url)}`)
@@ -130,6 +180,7 @@ module.exports = class Rulesets extends Diffable {
           new NopCommand(this.constructor.name, this.repo, this.github.request.endpoint('POST /orgs/{org}/rulesets', this.wrapAttrs(attrs)), 'Create Ruleset')
         ])
       }
+      this.removeOverrides(attrs, {})
       this.log.debug(`Creating Rulesets with the following values ${JSON.stringify(attrs, null, 2)}`)
       return this.github.request('POST /orgs/{org}/rulesets', this.wrapAttrs(attrs)).then(res => {
         this.log(`Ruleset created successfully ${JSON.stringify(res.url)}`)
@@ -143,6 +194,7 @@ module.exports = class Rulesets extends Diffable {
           new NopCommand(this.constructor.name, this.repo, this.github.request.endpoint('POST /repos/{owner}/{repo}/rulesets', this.wrapAttrs(attrs)), 'Create Ruleset')
         ])
       }
+      this.removeOverrides(attrs, {})
       this.log.debug(`Creating Rulesets with the following values ${JSON.stringify(attrs, null, 2)}`)
       return this.github.request('POST /repos/{owner}/{repo}/rulesets', this.wrapAttrs(attrs)).then(res => {
         this.log(`Ruleset created successfully ${JSON.stringify(res.url)}`)
