Description
Problem Description
When managing environments with safe settings, if the repository is set to public, safe settings will create all environments defined within the suborg configuration. If the repository visibility is set to private or internal, safe settings presents an error even though the provisioning of environments has been tested for all repository visibilities via the REST API.
What is actually happening
If the repositories are anything but public visibility, safe settings cannot provision the environments.
What is the expected behavior
Safe Settings should be able to manage environments on repositories that are set to private or internal visibility.
Error output, if available
Error HttpError: Resource not accessible by integration in Environments for repo. {team details...}
Context
We had initially opened #611 regarding environment provisioning but assumed the issue was due to insufficient licensing for the non-prod environments, but after deploying to production, the environment provisioning would still only work for public repositories.
Using the REST API, we can successfully create environments for repositories even if the repository is set to internal or private visibility. We are wondering why Safe settings specifically returns an error for environments that are being provisioned against internal or private repositories.
Create environment for a public repository
curl -L \
  -X PUT \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer $token" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "https://<GHES_ENDPOINT>/api/v3/repos/<ORG>/<repoprefix>-iam-refactoring/environments/dantestpublic" \
  -d '{"wait_timer": 0,"prevent_self_review": false,"reviewers": [],"deployment_branch_policy": null}'
response
{
  "id": 3523,
  "node_id": "MDExOkVudmlyb25tZW50MzUyMw==",
  "name": "dantestpublic",
  "url": "https://<GHES_ENDPOINT>/api/v3/repos/<ORG>/<repoprefix>-iam-refactoring/environments/dantestpublic",
  "html_url": "https://<GHES_ENDPOINT>/<ORG>/<repoprefix>-iam-refactoring/deployments/activity_log?environments_filter=dantestpublic",
  "created_at": "2024-04-17T18:51:04Z",
  "updated_at": "2024-04-17T18:51:04Z",
  "can_admins_bypass": true,
  "protection_rules": [
  ],
  "deployment_branch_policy": null
}
Create an environment for an internal repository
curl -L \
  -X PUT \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer $token" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "https://<GHES_ENDPOINT>/api/v3/repos/<ORG>/<repoprefix>-iam-refactoring/environments/dantestinternal" \
  -d '{"wait_timer": 0,"prevent_self_review": false,"reviewers": [],"deployment_branch_policy": null}'
response
{
  "id": 3524,
  "node_id": "MDExOkVudmlyb25tZW50MzUyNA==",
  "name": "dantestinternal",
  "url": "https://<GHES_ENDPOINT>/api/v3/repos/<ORG>/<repoprefix>-iam-refactoring/environments/dantestinternal",
  "html_url": "https://<GHES_ENDPOINT>/<ORG>/<repoprefix>-iam-refactoring/deployments/activity_log?environments_filter=dantestinternal",
  "created_at": "2024-04-17T18:57:34Z",
  "updated_at": "2024-04-17T18:57:34Z",
  "can_admins_bypass": true,
  "protection_rules": [
  ],
  "deployment_branch_policy": null
}
Create an environment for a private repository
curl -L \
  -X PUT \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer $token" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "https://<GHES_ENDPOINT>/api/v3/repos/<ORG>/<repoprefix>-iam-refactoring/environments/dantestprivate" \
  -d '{"wait_timer": 0,"prevent_self_review": false,"reviewers": [],"deployment_branch_policy": null}'
response
{
  "id": 3525,
  "node_id": "MDExOkVudmlyb25tZW50MzUyNQ==",
  "name": "dantestprivate",
  "url": "https://<GHES_ENDPOINT>/api/v3/repos/<ORG>/<repoprefix>-iam-refactoring/environments/dantestprivate",
  "html_url": "https://<GHES_ENDPOINT>/<ORG>/<repoprefix>-iam-refactoring/deployments/activity_log?environments_filter=dantestprivate",
  "created_at": "2024-04-17T19:00:49Z",
  "updated_at": "2024-04-17T19:00:49Z",
  "can_admins_bypass": true,
  "protection_rules": [
  ],
  "deployment_branch_policy": null
}
Environments suborg configuration
environments:
  - name: DEV
    wait_timer: 0
    prevent_self_review: false
    reviewers: []
    deployment_branch_policy:
  - name: QAT
    wait_timer: 0
    prevent_self_review: false
    reviewers: []
    deployment_branch_policy:
  - name: UAT
    wait_timer: 0
    prevent_self_review: false
    reviewers: []
    deployment_branch_policy:
  - name: PROD
    wait_timer: 0
    prevent_self_review: true
    reviewers:
      - type: Team
        id: 16193
    deployment_branch_policy:
      protected_branches: true
      custom_branch_policies: false
Are you using the hosted instance of probot/settings or running your own?
Running safe settings on AKS with ingress for webhook.
If running your own instance, are you using it with github.com or GitHub Enterprise?
GitHub Enterprise Server
Version of probot/settings
Running Probot v12.3.3 (Node.js: v16.20.2)
Version of GitHub Enterprise
GitHub Enterprise Server 3.11
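
Added example (not part of the original report and not safe-settings code): a Python script that turns each entry of the suborg `environments` configuration above into the same REST `PUT` the curl tests use, and lists which fields of an entry differ from the body those tests sent. The API base, org and repo values are placeholders, and `build_request`, `untested_fields` and `as_curl` are hypothetical helper names.

```python
import json
from urllib.parse import quote

# The suborg `environments` block from the report, transcribed as a literal.
_OPEN = {"wait_timer": 0, "prevent_self_review": False,
         "reviewers": [], "deployment_branch_policy": None}
SUBORG_ENVIRONMENTS = [
    {"name": "DEV", **_OPEN},
    {"name": "QAT", **_OPEN},
    {"name": "UAT", **_OPEN},
    {"name": "PROD", "wait_timer": 0, "prevent_self_review": True,
     "reviewers": [{"type": "Team", "id": 16193}],
     "deployment_branch_policy": {"protected_branches": True,
                                  "custom_branch_policies": False}},
]

# Body sent by the three curl tests in the report.
TESTED_BODY = dict(_OPEN)
BODY_FIELDS = tuple(TESTED_BODY)


def build_request(api_base, owner, repo, env):
    """Return (method, url, body) for the create/update-environment call."""
    url = (f"{api_base}/repos/{owner}/{repo}/environments/"
           f"{quote(env['name'], safe='')}")
    return "PUT", url, {k: env.get(k) for k in BODY_FIELDS}


def untested_fields(env):
    """Fields whose value differs from what the curl tests exercised."""
    return sorted(k for k in BODY_FIELDS if env.get(k) != TESTED_BODY[k])


def as_curl(method, url, body):
    """Render the request in the same shape as the report's curl commands."""
    return (f"curl -L -X {method} "
            '-H "Accept: application/vnd.github+json" '
            '-H "Authorization: Bearer $token" '
            '-H "X-GitHub-Api-Version: 2022-11-28" '
            f"\"{url}\" -d '{json.dumps(body)}'")


if __name__ == "__main__":
    # Placeholder endpoint, org and repo, as in the report.
    for env in SUBORG_ENVIRONMENTS:
        req = build_request("https://<GHES_ENDPOINT>/api/v3", "<ORG>", "<REPO>", env)
        print(env["name"], "differs from tested body in:", untested_fields(env) or "nothing")
        print(as_curl(*req))
```

Replaying the printed commands per repository visibility, with `$token` set to the credential being compared, exercises the configured payloads rather than only the empty one.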