Check Gitlab via API if CODEOWNERS are all existing users/groups that can approve #191

Open
nielsbasjes opened this issue Feb 4, 2025 · 4 comments

@nielsbasjes

Idea: Verify if all users have a high enough access level to actually approve (list good/bad and then either warn or fail)

As part of the enforcer component:

https://docs.gitlab.com/ee/api/access_requests.html#valid-access-levels

Valid access levels
The access levels are defined in the Gitlab::Access module, and the following levels are recognized:

- No access (0)
- Minimal access (5)
- Guest (10)
- Planner (15)
- Reporter (20)
- Developer (30)
- Maintainer (40)
- Owner (50).

https://docs.gitlab.com/ee/user/project/merge_requests/approvals/rules.html#eligible-approvers

Users with the Developer role can approve merge requests if one of the following is true:

- Users added as approvers at the project or merge request level.
- Users who are [Code owners](https://docs.gitlab.com/ee/user/project/merge_requests/approvals/rules.html#code-owners-as-eligible-approvers) of the files changed in the merge request.

Users with the Reporter role can approve only if both of the following are true:

- The users are part of a group that has been [shared](https://docs.gitlab.com/ee/user/project/members/sharing_projects_groups.html) with the project. The group must have at least the Reporter role.
- The group has been added as merge request approvers.

@nielsbasjes nielsbasjes self-assigned this Feb 4, 2025
@nielsbasjes

https://docs.gitlab.com/ee/user/project/codeowners/advanced.html#zero-owners

If an entry includes no owners, or zero accessible owners exist, the entry is invalid. Because this rule can never be satisfied, GitLab auto-approves it in merge requests.

@nielsbasjes

https://docs.gitlab.com/ee/user/project/codeowners/reference.html#add-a-group-as-a-code-owner

You can set direct members of a group or subgroup as a Code Owner.

I checked: Any inherited member (like in a parent group) is indeed NOT added as a code owner.

@nielsbasjes nielsbasjes changed the title Idea: Check Gitlab via API if CODEOWNERS are all existing users/groups that can approve Check Gitlab via API if CODEOWNERS are all existing users/groups that can approve Feb 11, 2025
@nielsbasjes

https://docs.gitlab.com/ee/user/project/codeowners/reference.html#add-a-role-as-a-code-owner

- Only Developer, Maintainer, and Owner roles are available.
- Roles are not inclusive of higher roles. For example, specifying @@developer does not include users with Maintainer or Owner roles.
- Only direct project members with the specified roles are eligible Code Owners.
- It is possible to specify plural roles. For example, @@developers is accepted.
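
The rules collected in the comments above, combined into one offline check (an added example, not code from this project): it lists good and bad owners per CODEOWNERS entry and flags entries with zero accessible owners, which GitLab would auto-approve. The function names `resolve` and `check_codeowners`, the sample users and groups, and the rule that a group member must also reach Developer on the project are assumptions; every owner is assumed to be an `@`-prefixed user, group or role.

```python
DEVELOPER = 30                                          # lowest level that can approve as a Code Owner
ROLES = {"developer": 30, "maintainer": 40, "owner": 50}
# Constructed sample data. Assumption: a real check fills these maps from the members API
# (effective levels incl. inherited, direct project members, direct group members).
EFFECTIVE = {"alice": 40, "bob": 30, "carol": 20, "dave": 30}
DIRECT = {"alice": 40, "bob": 30, "carol": 20}
GROUPS = {"platform/security": ["carol"], "platform/dev": ["bob", "dave"]}
CODEOWNERS = """\
# constructed example file
*.java     @alice @carol
/docs/     @erin
/infra/    @platform/security
/src/      @platform/dev
/build/    @@developers
/release/  @@owner
"""

def resolve(owner, effective, direct, groups):
    """Return (users who can approve via this owner, reason if there are none)."""
    if owner.startswith("@@"):                          # role entry; plural is accepted
        level = ROLES.get(owner[2:].lower().removesuffix("s"))
        # Exact match on direct members: a role does not include higher roles.
        return {u for u, lvl in direct.items() if lvl == level}, "no direct member has this role"
    name = owner[1:]
    if name in groups:                                  # only direct group members count
        # Assumption: a group member must also reach Developer on the project.
        ok = {u for u in groups[name] if effective.get(u, 0) >= DEVELOPER}
        return ok, "no direct group member can approve"
    if name not in effective:
        return set(), "no such user or group"
    if effective[name] < DEVELOPER:
        return set(), f"access level {effective[name]} is below Developer"
    return {name}, ""

def check_codeowners(text, effective, direct, groups):
    """Return one (pattern, good, bad, auto_approved) tuple per CODEOWNERS entry."""
    report = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("#", "[", "^[")):
            continue                                    # blank, comment or section header
        pattern, *owners = line.split()
        good, bad = [], []
        for owner in owners:
            users, reason = resolve(owner, effective, direct, groups)
            good.append(owner) if users else bad.append((owner, reason))
        # Zero accessible owners: GitLab auto-approves the entry, so flag it.
        report.append((pattern, good, bad, not good))
    return report
```

An enforcer rule could warn on any non-empty `bad` list and fail the build when `auto_approved` is true.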
