When global codeql is enabled for every repository, atlantis apply will report that a PR must be approved if the PR is blocked and flag --gh-allow-mergeable-bypass-apply is used #5925
Description
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
- If you are interested in working on this issue or have submitted a pull request, please leave a comment.
Overview of the Issue
When using global code analysis in github with the flag --gh-allow-mergeable-bypass-apply, atlantis apply will report incorrectly that the PR is not approved on merge request that are in a blocked state.
I was able to track down where the problem occurs. This error message (invalid repository name)comes from func (g *GithubClient) LookupRepoId(repo githubv4.String) (githubv4.Int, error) file server/events/vcs/github_client.go.
The relevant code is this. Keep in mind that LookupRepoId will return an error if the repo parameter cannot be split.
repoSplit := strings.Split(string(repo), "/")
if len(repoSplit) != 2 {
return githubv4.Int(0), fmt.Errorf("invalid repository name: %s", repo)
}
I won't go into the weeds here but basically, when the flag --gh-allow-mergeable-bypass-apply is set and that the pull request is in a blocked state due to checks failing, atlantis will verify that every checks are passing except for the atlantis apply checks.
Atlantis makes a graphql query to retrieve the pull request information. See below. Among those information, we want to get the "checkrun" object that represents how a workflow was run, successful or not.
gh api graphql -f query='query { repository(owner:"OWNER",name:"REPO") {pullRequest(number:69) {baseRef{rules(first:100){nodes{type,repositoryRuleset{enforcement},parameters{... on WorkflowsParameters{workflows{path, repositoryId}}}}}}commits(last:1){nodes{commit{statusCheckRollup{contexts(first: 100){nodes{__typename, ... on CheckRun{conclusion, name, checkSuite{conclusion,workflowRun{runNumber,file{repositoryName, path}}}}}}}}}}}} }
From this query, we get a very big output but what we are interested in is these line:
"commits": {
"nodes": [
{
"commit": {
"statusCheckRollup": {
"contexts": {
"nodes": [
{
"__typename": "CheckRun",
"conclusion": "SUCCESS",
"name": "Analyze (actions)",
"checkSuite": {
"conclusion": "SUCCESS",
"workflowRun": {
"runNumber": 208,
"file": null
}
}
},
[...]
Notice how the Analyze (actions) check is structured. The workflowRun is not empty but the workflowRun.file is null. This checkrun is coming from a global actions activated from the organization setting, not from an individual workflow file.
In the code path, right before we call the LookupRepoId function, we do this:
if checkRun.CheckSuite.WorkflowRun == nil {
continue
}
In our case, the WorkflowRun is not nil but the WorkflowRun.File is nil. This result in atlantis erroring because we try to lookup a repo with an empty repo name.
Reproduction Steps
- Add global code analysis (from github settings) so that every repository will get automatically analysed with codeql.
- Ensure that the flag
--gh-allow-mergeable-bypass-applyis enabled. - Create a pull request.
- Make sure one of the check, not related to atlantis, is failing.
- Add an
altantis applycomment.