From 4dc5a611466b96f7c38ea2223f882892fc0d9ce3 Mon Sep 17 00:00:00 2001
From: Edward Thomson
Date: Thu, 10 Oct 2024 17:11:25 +0100
Subject: [PATCH 1/4] Remove branch name requirement in rules

The branch protection rules have a sensible default of the remote HEAD branch. As a result, they no longer _require_ the branch name. Right now, callers must specify the branch name as an empty string (since it's required), but we should instead just remove the requirement entirely.
---
 rule-types/github/branch_protection_allow_deletions.yaml | 4 +---
 rule-types/github/branch_protection_allow_force_pushes.yaml | 4 +---
 rule-types/github/branch_protection_allow_fork_syncing.yaml | 4 +---
 rule-types/github/branch_protection_enabled.yaml | 4 +---
 rule-types/github/branch_protection_enforce_admins.yaml | 4 +---
 rule-types/github/branch_protection_lock_branch.yaml | 4 +---
 .../branch_protection_require_conversation_resolution.yaml | 4 +---
 .../github/branch_protection_require_linear_history.yaml | 4 +---
 ...rotection_require_pull_request_approving_review_count.yaml | 4 +---
 ...ch_protection_require_pull_request_code_owners_review.yaml | 4 +---
 ...protection_require_pull_request_dismiss_stale_reviews.yaml | 4 +---
 ...ch_protection_require_pull_request_last_push_approval.yaml | 4 +---
 .../github/branch_protection_require_pull_requests.yaml | 4 +---
 rule-types/github/branch_protection_require_signatures.yaml | 4 +---
 14 files changed, 14 insertions(+), 42 deletions(-)

diff --git a/rule-types/github/branch_protection_allow_deletions.yaml b/rule-types/github/branch_protection_allow_deletions.yaml
index 032d18a..b301122 100644
--- a/rule-types/github/branch_protection_allow_deletions.yaml
+++ b/rule-types/github/branch_protection_allow_deletions.yaml
@@ -28,9 +28,7 @@ def:
 properties:
 branch:
 type: string
- description: "The name of the branch to check. If left empty, the default branch will be used."
- required:
- - branch
+ description: "The name of the branch to check. If not specified, the repository's default branch will be used."
 # Defines the schema for writing a rule with this rule being checked
 rule_schema:
 type: object
diff --git a/rule-types/github/branch_protection_allow_force_pushes.yaml b/rule-types/github/branch_protection_allow_force_pushes.yaml
index 19e56df..f66df1e 100644
--- a/rule-types/github/branch_protection_allow_force_pushes.yaml
+++ b/rule-types/github/branch_protection_allow_force_pushes.yaml
@@ -29,9 +29,7 @@ def:
 properties:
 branch:
 type: string
- description: "The name of the branch to check. If left empty, the default branch will be used."
- required:
- - branch
+ description: "The name of the branch to check. If not specified, the repository's default branch will be used."
 # Defines the schema for writing a rule with this rule being checked
 rule_schema:
 type: object
diff --git a/rule-types/github/branch_protection_allow_fork_syncing.yaml b/rule-types/github/branch_protection_allow_fork_syncing.yaml
index 706ebed..65f5acd 100644
--- a/rule-types/github/branch_protection_allow_fork_syncing.yaml
+++ b/rule-types/github/branch_protection_allow_fork_syncing.yaml
@@ -29,9 +29,7 @@ def:
 properties:
 branch:
 type: string
- description: "The name of the branch to check. If left empty, the default branch will be used."
- required:
- - branch
+ description: "The name of the branch to check. If not specified, the repository's default branch will be used."
 # Defines the schema for writing a rule with this rule being checked
 rule_schema:
 properties:
diff --git a/rule-types/github/branch_protection_enabled.yaml b/rule-types/github/branch_protection_enabled.yaml
index 81359b3..47845f2 100644
--- a/rule-types/github/branch_protection_enabled.yaml
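Review bot: The new description drops the "left empty" wording even though the commit message says existing callers currently pass `branch` as an empty string; with `required` gone the schema still accepts `""`, and the text no longer says whether that is treated as the default branch or as a literal branch name, which for a protection check decides which branch actually gets evaluated. If the evaluation still maps an empty string to the default branch (not visible in this hunk), I would keep that in the schema text: `description: "The name of the branch to check. If not specified or empty, the repository's default branch will be used."`; if it does not, this is a breaking change for those callers and the commit message should say so. The same point applies to the other thirteen branch_protection_*.yaml hunks in this patch, from allow_force_pushes through require_signatures.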
+++ b/rule-types/github/branch_protection_enabled.yaml
@@ -30,9 +30,7 @@ def:
 properties:
 branch:
 type: string
- description: "The name of the branch to check. If left empty, the default branch will be used."
- required:
- - branch
+ description: "The name of the branch to check. If not specified, the repository's default branch will be used."
 rule_schema: {}
 # Defines the configuration for ingesting data relevant for the rule
 ingest:
diff --git a/rule-types/github/branch_protection_enforce_admins.yaml b/rule-types/github/branch_protection_enforce_admins.yaml
index ee75aaf..ecca0b1 100644
--- a/rule-types/github/branch_protection_enforce_admins.yaml
+++ b/rule-types/github/branch_protection_enforce_admins.yaml
@@ -26,9 +26,7 @@ def:
 properties:
 branch:
 type: string
- description: "The name of the branch to check. If left empty, the default branch will be used."
- required:
- - branch
+ description: "The name of the branch to check. If not specified, the repository's default branch will be used."
 # Defines the schema for writing a rule with this rule being checked
 rule_schema:
 properties:
diff --git a/rule-types/github/branch_protection_lock_branch.yaml b/rule-types/github/branch_protection_lock_branch.yaml
index 9d106b0..48b4ac0 100644
--- a/rule-types/github/branch_protection_lock_branch.yaml
+++ b/rule-types/github/branch_protection_lock_branch.yaml
@@ -28,9 +28,7 @@ def:
 properties:
 branch:
 type: string
- description: "The name of the branch to check. If left empty, the default branch will be used."
- required:
- - branch
+ description: "The name of the branch to check. If not specified, the repository's default branch will be used."
 # Defines the schema for writing a rule with this rule being checked
 rule_schema:
 properties:
diff --git a/rule-types/github/branch_protection_require_conversation_resolution.yaml b/rule-types/github/branch_protection_require_conversation_resolution.yaml
index a358bf8..0bcd972 100644
--- a/rule-types/github/branch_protection_require_conversation_resolution.yaml
+++ b/rule-types/github/branch_protection_require_conversation_resolution.yaml
@@ -30,9 +30,7 @@ def:
 properties:
 branch:
 type: string
- description: "The name of the branch to check. If left empty, the default branch will be used."
- required:
- - branch
+ description: "The name of the branch to check. If not specified, the repository's default branch will be used."
 # Defines the schema for writing a rule with this rule being checked
 rule_schema:
 properties:
diff --git a/rule-types/github/branch_protection_require_linear_history.yaml b/rule-types/github/branch_protection_require_linear_history.yaml
index 44c164f..b65f4a3 100644
--- a/rule-types/github/branch_protection_require_linear_history.yaml
+++ b/rule-types/github/branch_protection_require_linear_history.yaml
@@ -28,9 +28,7 @@ def:
 properties:
 branch:
 type: string
- description: "The name of the branch to check. If left empty, the default branch will be used."
- required:
- - branch
+ description: "The name of the branch to check. If not specified, the repository's default branch will be used."
 # Defines the schema for writing a rule with this rule being checked
 rule_schema:
 properties:
diff --git a/rule-types/github/branch_protection_require_pull_request_approving_review_count.yaml b/rule-types/github/branch_protection_require_pull_request_approving_review_count.yaml
index 4a8a11a..e0d012b 100644
--- a/rule-types/github/branch_protection_require_pull_request_approving_review_count.yaml
+++ b/rule-types/github/branch_protection_require_pull_request_approving_review_count.yaml
@@ -29,9 +29,7 @@ def:
 properties:
 branch:
 type: string
- description: "The name of the branch to check. If left empty, the default branch will be used."
- required:
- - branch
+ description: "The name of the branch to check. If not specified, the repository's default branch will be used."
 # Defines the schema for writing a rule with this rule being checked
 rule_schema:
 properties:
diff --git a/rule-types/github/branch_protection_require_pull_request_code_owners_review.yaml b/rule-types/github/branch_protection_require_pull_request_code_owners_review.yaml
index a14db65..7e4f1b2 100644
--- a/rule-types/github/branch_protection_require_pull_request_code_owners_review.yaml
+++ b/rule-types/github/branch_protection_require_pull_request_code_owners_review.yaml
@@ -30,9 +30,7 @@ def:
 properties:
 branch:
 type: string
- description: "The name of the branch to check. If left empty, the default branch will be used."
- required:
- - branch
+ description: "The name of the branch to check. If not specified, the repository's default branch will be used."
 # Defines the schema for writing a rule with this rule being checked
 rule_schema:
 properties:
diff --git a/rule-types/github/branch_protection_require_pull_request_dismiss_stale_reviews.yaml b/rule-types/github/branch_protection_require_pull_request_dismiss_stale_reviews.yaml
index f7f0ccb..436165e 100644
--- a/rule-types/github/branch_protection_require_pull_request_dismiss_stale_reviews.yaml
+++ b/rule-types/github/branch_protection_require_pull_request_dismiss_stale_reviews.yaml
@@ -29,9 +29,7 @@ def:
 properties:
 branch:
 type: string
- description: "The name of the branch to check. If left empty, the default branch will be used."
- required:
- - branch
+ description: "The name of the branch to check. If not specified, the repository's default branch will be used."
 # Defines the schema for writing a rule with this rule being checked
 rule_schema:
 properties:
diff --git a/rule-types/github/branch_protection_require_pull_request_last_push_approval.yaml b/rule-types/github/branch_protection_require_pull_request_last_push_approval.yaml
index 8cff1ff..90dc30b 100644
--- a/rule-types/github/branch_protection_require_pull_request_last_push_approval.yaml
+++ b/rule-types/github/branch_protection_require_pull_request_last_push_approval.yaml
@@ -29,9 +29,7 @@ def:
 properties:
 branch:
 type: string
- description: "The name of the branch to check. If left empty, the default branch will be used."
- required:
- - branch
+ description: "The name of the branch to check. If not specified, the repository's default branch will be used."
 # Defines the schema for writing a rule with this rule being checked
 rule_schema:
 properties:
diff --git a/rule-types/github/branch_protection_require_pull_requests.yaml b/rule-types/github/branch_protection_require_pull_requests.yaml
index b53efc1..df0d46f 100644
--- a/rule-types/github/branch_protection_require_pull_requests.yaml
+++ b/rule-types/github/branch_protection_require_pull_requests.yaml
@@ -29,9 +29,7 @@ def:
 properties:
 branch:
 type: string
- description: "The name of the branch to check. If left empty, the default branch will be used."
- required:
- - branch
+ description: "The name of the branch to check. If not specified, the repository's default branch will be used."
 # Defines the schema for writing a rule with this rule being checked
 rule_schema:
 properties:
diff --git a/rule-types/github/branch_protection_require_signatures.yaml b/rule-types/github/branch_protection_require_signatures.yaml
index 3b7134d..b5b0e38 100644
--- a/rule-types/github/branch_protection_require_signatures.yaml
+++ b/rule-types/github/branch_protection_require_signatures.yaml
@@ -28,9 +28,7 @@ def:
 properties:
 branch:
 type: string
- description: "The name of the branch to check. If left empty, the default branch will be used."
- required:
- - branch
+ description: "The name of the branch to check. If not specified, the repository's default branch will be used."
 # Defines the schema for writing a rule with this rule being checked
 rule_schema:
 type: object
From 6f9e94dda76bef247c4f6ac7970cd9aae153f879 Mon Sep 17 00:00:00 2001
From: Edward Thomson
Date: Thu, 10 Oct 2024 17:17:28 +0100
Subject: [PATCH 2/4] Remove filename requirement in rules

The security insights rules have a sensible default of `SECURITY-INSIGHTS.yml`, thus, we should not require the filename.
---
 rule-types/github/security_insights.yaml | 2 --
 rule-types/github/security_insights_dep_policy.yaml | 2 --
 2 files changed, 4 deletions(-)

diff --git a/rule-types/github/security_insights.yaml b/rule-types/github/security_insights.yaml
index 9e5cc7c..d9c97a2 100644
--- a/rule-types/github/security_insights.yaml
+++ b/rule-types/github/security_insights.yaml
@@ -40,8 +40,6 @@ def:
 description: |
 The path to the Security Insights file
 default: SECURITY-INSIGHTS.yml
- required:
- - filename
 # Defines the configuration for ingesting data relevant for the rule
 ingest:
 type: git
diff --git a/rule-types/github/security_insights_dep_policy.yaml b/rule-types/github/security_insights_dep_policy.yaml
index 8e193bf..dddd257 100644
--- a/rule-types/github/security_insights_dep_policy.yaml
+++ b/rule-types/github/security_insights_dep_policy.yaml
@@ -44,8 +44,6 @@ def:
 description: |
 The path to the Security Insights file
 default: SECURITY-INSIGHTS.yml
- required:
- - filename
 # Defines the configuration for ingesting data relevant for the rule
 ingest:
 type: git
From b1509e3dcf22239bb2727b7d3c338293ebaaf5c0 Mon Sep 17 00:00:00 2001
From: Edward Thomson
Date: Thu, 10 Oct 2024 17:19:12 +0100
Subject: [PATCH 3/4] Remove schedule_interval from dependabot rule

The dependabot rule does not use the schedule_interval option; it should not be required any longer.
---
 rule-types/github/dependabot_configured.yaml | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/rule-types/github/dependabot_configured.yaml b/rule-types/github/dependabot_configured.yaml
index cadd8ee..71ce5ab 100644
--- a/rule-types/github/dependabot_configured.yaml
+++ b/rule-types/github/dependabot_configured.yaml
@@ -35,11 +35,6 @@ def:
 description: |
 The package ecosystem that the rule applies to. For example pip, gomod, npm, docker, github-actions, etc.
- schedule_interval:
- type: string
- description: |
- This option is no longer used. It's, however marked as required, so we can't remove
- it for backwards compatibility.
 apply_if_file:
 type: string
 description: |
@@ -47,7 +42,6 @@ def:
 This is useful for rules that are only applicable to certain types of repositories.
 required:
 - package_ecosystem
- - schedule_interval
 # Defines the configuration for ingesting data relevant for the rule
 ingest:
 type: git
From e9f83b6ae3c875e22e48eaa2bd4a2e9452d424a6 Mon Sep 17 00:00:00 2001
From: Edward Thomson
Date: Thu, 10 Oct 2024 17:19:48 +0100
Subject: [PATCH 4/4] Remove filename requirement in security rules

The security policy rule has a sensible default of `SECURITY.md`, thus, we should not require the filename.
---
 rule-types/github/security_policy.yaml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/rule-types/github/security_policy.yaml b/rule-types/github/security_policy.yaml
index 842dee5..e0323ba 100644
--- a/rule-types/github/security_policy.yaml
+++ b/rule-types/github/security_policy.yaml
@@ -24,8 +24,6 @@ def:
 description: |
 Path to the security policy file
 default: SECURITY.md
- required:
- - filename
 # Defines the configuration for ingesting data relevant for the rule
 ingest:
 type: git