Merge pull request #1742 from Kobzol/branch-protections-app

Sync GitHub App branch protection push allowances

Author: marcoieni

sync-team/src/github/api/mod.rs

@@ -439,6 +439,7 @@ where
 pub(crate) enum PushAllowanceActor {
     User(UserPushAllowanceActor),
     Team(TeamPushAllowanceActor),
+    App(AppPushAllowanceActor),
 }
 
 /// User who can be allowed to push to a branch in a repo
@@ -454,6 +455,14 @@ pub(crate) struct TeamPushAllowanceActor {
     pub(crate) name: String,
 }
 
+/// GitHub app that can be allowed to push to a branch in a repo
+#[derive(Clone, Deserialize, Debug, PartialEq, Eq)]
+pub(crate) struct AppPushAllowanceActor {
+    pub(crate) name: String,
+    /// Node ID, which can be used as a push actor ID
+    pub(crate) id: String,
+}
+
 pub(crate) enum BranchProtectionOp {
     CreateForRepo(String),
     UpdateBranchProtection(String),

sync-team/src/github/api/read.rs

@@ -361,6 +361,10 @@ impl GithubRead for GitHubApiRead {
                                             },
                                             name
                                         }
+                                        ... on App {
+                                            id,
+                                            name
+                                        }
                                     }
                                 }
                             }

sync-team/src/github/api/write.rs

@@ -3,9 +3,9 @@ use reqwest::Method;
 
 use crate::github::api::url::GitHubUrl;
 use crate::github::api::{
-    BranchProtection, BranchProtectionOp, HttpClient, Login, PushAllowanceActor, Repo,
-    RepoPermission, RepoSettings, Team, TeamPrivacy, TeamPushAllowanceActor, TeamRole,
-    UserPushAllowanceActor, allow_not_found,
+    AppPushAllowanceActor, BranchProtection, BranchProtectionOp, HttpClient, Login,
+    PushAllowanceActor, Repo, RepoPermission, RepoSettings, Team, TeamPrivacy,
+    TeamPushAllowanceActor, TeamRole, UserPushAllowanceActor, allow_not_found,
 };
 use crate::utils::ResponseExt;
 
@@ -427,6 +427,9 @@ impl GitHubWrite {
                     organization: Login { login: org },
                     name,
                 }) => push_actor_ids.push(self.team_id(org, name)?),
+                PushAllowanceActor::App(AppPushAllowanceActor { id, .. }) => {
+                    push_actor_ids.push(id.clone())
+                }
             }
         }
 

sync-team/src/github/mod.rs

@@ -321,8 +321,24 @@ impl SyncGitHub {
             .branch_protections(&actual_repo.org, &actual_repo.name)?;
         for branch_protection in &expected_repo.branch_protections {
             let actual_branch_protection = actual_protections.remove(&branch_protection.pattern);
-            let expected_branch_protection =
+            let mut expected_branch_protection =
                 construct_branch_protection(expected_repo, branch_protection);
+
+            // We don't model GitHub App push allowance actors in team.
+            // However, we don't want to remove existing accesses of GH apps to
+            // branches.
+            // So if there is an existing branch protection, we copy its GitHub app
+            // push allowances into the expected branch protection, to roundtrip the app access.
+            if let Some((_, actual_branch_protection)) = &actual_branch_protection {
+                expected_branch_protection.push_allowances.extend(
+                    actual_branch_protection
+                        .push_allowances
+                        .iter()
+                        .filter(|allowance| matches!(allowance, PushAllowanceActor::App(_)))
+                        .cloned(),
+                );
+            }
+
             let operation = {
                 match actual_branch_protection {
                     Some((database_id, bp)) if bp != expected_branch_protection => {