Automerge fails on github free accounts in 0.23.3 due to branch protection api error

[jescholl]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.

---

Overview of the Issue

After upgrading from 0.23.2 to 0.23.3, Atlantis is no longer able to automerge PRs. It will perform the apply and even post a comment saying Automatically merging because all plans have been successfully applied., but the PR doesn't get merged.

Reproduction Steps

1. Run atlantis on a private repo on a free github account
2. Submit a pull request
3. atlantis apply

Logs

Logs

{"level":"info","ts":"2023-03-26T22:04:23.058Z","caller":"events/automerger.go:32","msg":"automerging pull request","json":{"repo":"jescholl/<REDACTED_PRIVATE_REPO>","pull":"162"}}
{"level":"error","ts":"2023-03-26T22:04:23.350Z","caller":"vcs/instrumented_client.go:231","msg":"Unable to merge pull, error: getting branch protection rules: GET https://api.github.com/repos/jescholl/<REDACTED_PRIVATE_REPO>/branches/master/protection: 403 Upgrade to GitHub Pro or make this repository public to enable this feature. []","json":{"pull-num":162},"stacktrace":"...trace below..."}

trace

stacktrace:github.com/runatlantis/atlantis/server/events/vcs.(*InstrumentedClient).MergePull
	github.com/runatlantis/atlantis/server/events/vcs/instrumented_client.go:231
github.com/runatlantis/atlantis/server/events/vcs.(*ClientProxy).MergePull
	github.com/runatlantis/atlantis/server/events/vcs/proxy.go:84
github.com/runatlantis/atlantis/server/events.(*AutoMerger).automerge
	github.com/runatlantis/atlantis/server/events/automerger.go:35
github.com/runatlantis/atlantis/server/events.(*ApplyCommandRunner).Run
	github.com/runatlantis/atlantis/server/events/apply_command_runner.go:183
github.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand
	github.com/runatlantis/atlantis/server/events/command_runner.go:296

Environment details

• Atlantis version: 0.23.3

Atlantis server-side config file:

# config file
repos:
- id: "/.*/"
  apply_requirements: []
  plan_requirements: []

Repo atlantis.yaml file:

# config file

Additional Context

I thought I may have been able to work around this issue by eliminating the apply_requirements (see above config), but I still get the same behavior and same errors in the logs.

[nitrocode]

The error seems to be

Unable to merge pull, error: getting branch protection rules: GET https://api.github.com/repos/jescholl/<REDACTED_PRIVATE_REPO>/branches/master/protection: 403 Upgrade to GitHub Pro or make this repository public to enable this feature. []

Not sure if this is atlantis related.

If you downgrade back to 0.23.2, does it work as expected?

[Heldroe]

This also fails on enterprise accounts, this time with a 404 error, I think because an unexpected payload, if "json":{"pull-num":5264} means what I think it means in the error

[adriantr]

I started to get following error since 0.23.3, we're on gh enterprise:

{"level":"error","ts":"2023-03-27T07:29:33.761Z","caller":"vcs/instrumented_client.go:231","msg":"Unable to merge pull, error: getting branch protection rules: GET https://api.github.com/repos/<REPO>/branches/master/protection: 403 Resource not accessible by integration []","json":{"pull-num":327},"stacktrace":"github.com/runatlantis/atlantis/server/events/vcs.(*InstrumentedClient).MergePull\n\tgithub.com/runatlantis/atlantis/server/events/vcs/instrumented_client.go:231\ngithub.com/runatlantis/atlantis/server/events/vcs.(*ClientProxy).MergePull\n\tgithub.com/runatlantis/atlantis/server/events/vcs/proxy.go:84\ngithub.com/runatlantis/atlantis/server/events.(*AutoMerger).automerge\n\tgithub.com/runatlantis/atlantis/server/events/automerger.go:35\ngithub.com/runatlantis/atlantis/server/events.(*ApplyCommandRunner).Run\n\tgithub.com/runatlantis/atlantis/server/events/apply_command_runner.go:183\ngithub.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand\n\tgithub.com/runatlantis/atlantis/server/events/command_runner.go:296"}

[cep21]

Hi,

We are on an enterprise account (not self hosted however) and are also seeing this error as a 404 with the latest upgrade.

"Unable to merge pull, error: getting branch protection rules ... GET [https:// ...](https://api.github.com/repos/X/Y/branches/master/protection) 404 Not Found"

[jescholl]

The error seems to be

Unable to merge pull, error: getting branch protection rules: GET https://api.github.com/repos/jescholl/<REDACTED_PRIVATE_REPO>/branches/master/protection: 403 Upgrade to GitHub Pro or make this repository public to enable this feature. []

Not sure if this is atlantis related.

If you downgrade back to 0.23.2, does it work as expected?

Yes, downgrading to 0.23.2 resolves the problem.

[nitrocode]

This looks like it came from this PR #3211 cc: @tpolekhin

See differences between versions v0.23.2...v0.23.3

To confirm if the above PR is the culprit, try this version before that PR merge and see if it works

https://github.com/orgs/runatlantis/packages/container/atlantis/78397613?tag=dev-alpine-47f0258
https://github.com/orgs/runatlantis/packages/container/atlantis/78397613?tag=dev-debian-47f0258

Then confirm the version after the PR merge and see if it fails

https://github.com/orgs/runatlantis/packages/container/atlantis/78416368?tag=dev-alpine-7a33828
https://github.com/orgs/runatlantis/packages/container/atlantis/78416368?tag=dev-debian-7a33828

[tpolekhin]

@jescholl That is an edge case that I did not think of
403 Upgrade to GitHub Pro or make this repository public to enable this feature.

@adriantr Unfortunately I don't have access to enterprise GitHub to check this, can you please provide a little bit more details on this? Why doesn't it has access to master branch? Is this something you intentionally configured?
403 Resource not accessible by integration []

@cep21 This is a weird one. Does your master have branch protection rules?

[nitrocode]

Here are the references where we get branch protections

This one existed before the pr and did not cause issues

atlantis/server/events/vcs/github_client.go

Lines 409 to 412 in c019d8b

	required, _, err := g.client.Repositories.GetBranchProtection(context.Background(), repo.Owner, repo.Name, *pull.Base.Ref)
	if err != nil {
	return false, errors.Wrap(err, "getting required status checks")
	}

This was added in the pr and does cause issues

atlantis/server/events/vcs/github_client.go

Lines 582 to 587 in c019d8b

	protection, _, err := g.client.Repositories.GetBranchProtection(context.Background(), repo.Owner.GetLogin(), *repo.Name, pull.BaseBranch)
	if err != nil {
	if !errors.Is(err, github.ErrBranchNotProtected) {
	return errors.Wrap(err, "getting branch protection rules")
	}
	}

Do i have that right?

[jescholl]

@nitrocode, I tested as you suggested and it looks like you were right, dev-debian-47f0258 works as expected but dev-debian-7a33828 fails to merge after applying.

[tpolekhin]

@nitrocode you are correct. I don't see a flaw in the logic of the #3211 PR. Maybe those issues surfaced because now GetBranchProtection is called independent of the Atlantis server configuration and there are some issues with it that didn't occur before?
Before #3211 was merged GetBranchProtection was only called if one had --gh-allow-mergeable-bypass-apply enabled.

@jescholl @cep21 @Heldroe @adriantr did you had this flag enabled and everything was working fine before?

@adriantr According to GitHub docs branch protection API endpoint should be read accessible if you configured Administration read-only permissions for the integration.

[jescholl]

I did not have that flag enabled

[tpolekhin]

@jescholl your case is pretty straightforward to me, we need to catch this error as we do for github.ErrBranchNotProtected and continue as usual. I will work on the fix for that.

[dwilliams782]

Hi all,

We just upgraded to 0.23.3 and also ran into the 404 for mergeability:

{“level”:“warn”,“ts”:“2023-03-29T12:07:17.664Z”,“caller”:“events/apply_command_runner.go:111",“msg”:“unable to get pull request status: fetching mergeability status for repo: <repo>, and pull number: 2640: getting pull request status: getting required status checks: GET https://api.github.com/repos/<repo>/branches/master/protection: 404 Not Found []. Continuing with mergeable and approved assumed false”,“json”:{“repo”:“<repo>“,”pull”:“2640”},“stacktrace”:“[github.com/runatlantis/atlantis/server/events.(*ApplyCommandRunner).Run](http://github.com/runatlantis/atlantis/server/events.(*ApplyCommandRunner).Run)\n\[tgithub.com/runatlantis/atlantis/server/events/apply_command_runner.go:111](http://tgithub.com/runatlantis/atlantis/server/events/apply_command_runner.go:111)\[ngithub.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand](http://ngithub.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand)\n\[tgithub.com/runatlantis/atlantis/server/events/command_runner.go:296](http://tgithub.com/runatlantis/atlantis/server/events/command_runner.go:296)”}

In our case, we have a dedicated github user (enterprise org) for atlantis, and this user had to be granted the admin role on each repository it uses. Only the admin role contains the correct permission to retrieve branch protection rules.

This was first mentioned here.

[nitrocode]

Perhaps if the api returns 404 Not Found, it can still throw that message and an info log statement to poke the user to check if the atlantis user/app has the expected admin perms?

[nitrocode]

The fix is merged and will be in the next release. For early adopters, please use the dev tag with an imagePullPolicy: Always

[llamahunter]

when is 0.23.4 coming out? this is breaking automerge for us in 0.23.3

[nitrocode]

https://github.com/runatlantis/atlantis/releases/tag/v0.23.4

[nitrocode]

Can this be closed? Is anyone still experiencing this in 0.23.4 or later?