Don't look at check run results in other repositories #807

iainlane · 2024-08-01T10:30:09Z

We are notified about check run completions via the check_run webhook event. This event contains a pull_requests field, which is a list of PRs that contain the SHA which just got checked:

      "pull_requests": [
        {
          "url": "https://api.github.com/repos/myorg/myrepo/pulls/1337",
          "id": 333333333,
          "number": 1337,
          "head": {
            "ref": "some-branch",
            "sha": "abcdef0123456789abcdef0123456789abcdef01",
            "repo": {
              "id": 11111111,
              "url": "https://api.github.com/repos/myorg/myrepo",
              "name": "myrepo"
            }
          },
          "base": {
            "ref": "main",
            "sha": "0101010101010101010101010101010101010101",
            "repo": {
              "id": 111111111,
              "url": "https://api.github.com/repos/myorg/myrepo",
              "name": "myrepo"
            }
          }
        }
      ],

However (mainly but not exclusively), in the case of public repositories, this list can contain PRs in other repositories:

    "pull_requests": [
      {
        "url": "https://api.github.com/repos/forkowner/myrepo/pulls/3",
        "id": 1234567890,
        "number": 3,
        "head": {
          "ref": "main",
          "sha": "6666666666666666666666666666666666666666",
          "repo": {
            "id": 111111111,
            "url": "https://api.github.com/repos/myorg/myrepo",
            "name": "myrepo"
          }
        },
        "base": {
          "ref": "main",
          "sha": "8888888888888888888888888888888888888888",
          "repo": {
            "id": 555555555,
            "url": "https://api.github.com/repos/forkowner/myrepo",
            "name": "myrepo"
          }
        }
      }
    ]

...this is because people can fork the repository and then create PRs from our repo into theirs. These PRs will contain SHAs from our repository and this causes them to appear in the pull_requests list of the check run, since they will share the same check run status in any repo: the check run is attached to the commit itself.

These PRs should be ignored for our purposes. We aren't evaluating a policy on the remote repo. When a check_run completes, we are only interested in PRs for our own repo.

iainlane · 2024-08-01T10:32:10Z

I was reviewing our logs when working on #794 earlier and noticed a lot of instances of this message

failed to create evaluation context: failed to load pull request details: Could not resolve to a PullRequest with the number of <implausibly low number>

this turned out to be the reason!

We are notified about check run completions via the `check_run` webhook event. This event contains a `pull_requests` field, which is a list of PRs that contain the SHA which just got checked: ```json "pull_requests": [ { "url": "https://api.github.com/repos/myorg/myrepo/pulls/1337", "id": 0000000000, "number": 1337, "head": { "ref": "some-branch", "sha": "abcdef0123456789abcdef0123456789abcdef01", "repo": { "id": 11111111, "url": "https://api.github.com/repos/myorg/myrepo", "name": "myrepo" } }, "base": { "ref": "main", "sha": "0101010101010101010101010101010101010101", "repo": { "id": 111111111, "url": "https://api.github.com/repos/myorg/myrepo", "name": "myrepo" } } } ], ``` However (mainly but not exclusively), in the case of public repositories, this list can contain PRs in other repositories: ```json "pull_requests": [ { "url": "https://api.github.com/repos/forkowner/myrepo/pulls/3", "id": 1234567890, "number": 3, "head": { "ref": "main", "sha": "6666666666666666666666666666666666666666", "repo": { "id": 111111111, "url": "https://api.github.com/repos/myorg/myrepo", "name": "myrepo" } }, "base": { "ref": "main", "sha": "8888888888888888888888888888888888888888", "repo": { "id": 555555555, "url": "https://api.github.com/repos/forkowner/myrepo", "name": "myrepo" } } } ] ``` ...this is because people can fork the repository and then create PRs _from_ our repo _into_ theirs. These PRs will contain SHAs from our repository and this causes them to appear in the `pull_requests` list of the check run, since they will share the same check run status in any repo: the check run is attached to the commit itself. These PRs should be ignored for our purposes. We aren't evaluating a policy on the remote repo. When a `check_run` completes, we are only interested in PRs for our own repo.

bluekeyes

Good catch, I don't think we've seen this before

iainlane force-pushed the iainlane/check-run-ignore-other-prs branch from eb9f859 to ff55775 Compare August 1, 2024 10:33

iainlane marked this pull request as ready for review August 1, 2024 10:33

bluekeyes approved these changes Aug 2, 2024

View reviewed changes

bluekeyes merged commit 536d202 into palantir:develop Aug 2, 2024
8 checks passed

bluekeyes mentioned this pull request Aug 2, 2024

Add support for allowing skipped checks in has_successful_status #789

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Don't look at check run results in other repositories #807

Don't look at check run results in other repositories #807

iainlane commented Aug 1, 2024 •

edited

Loading

iainlane commented Aug 1, 2024

bluekeyes left a comment

Don't look at check run results in other repositories #807

Don't look at check run results in other repositories #807

Conversation

iainlane commented Aug 1, 2024 • edited Loading

iainlane commented Aug 1, 2024

bluekeyes left a comment

Choose a reason for hiding this comment

iainlane commented Aug 1, 2024 •

edited

Loading