fix(audit): graceful degradation when ruleset endpoint not readable#15
WomB0ComB0 merged 1 commit into main from
Conversation
GITHUB_TOKEN lacks admin:org scope so /orgs/$ORG/rulesets/$RULESET_ID returns 403, triggering set -e and the whole scan step failing before any repo gets examined. Wrapped the ruleset fetch in a conditional: on failure, log a warning and treat the exclude list as empty. The audit then scans every repo; false-positive exempt status only happens if a repo IS in the exclude list and the token can't read it, which the warning calls out. For authoritative results, set SYNC_TOKEN (or any PAT with admin:org read scope) as a secret on this repo. The workflow already prefers it over GITHUB_TOKEN via: secrets.SYNC_TOKEN || secrets.GITHUB_TOKEN.
Discovered on first live audit run:
/orgs/$ORG/rulesets/$RULESET_ID requires admin:org scope which GITHUB_TOKEN doesn't have. The script hit set -e on the 403 and every run failed immediately. Wrap the fetch in a conditional that logs a warning and assumes empty exclude list on failure, so the gap detection still runs against every repo. For authoritative results (reads the actual exclude list), set SYNC_TOKEN at org or repo level.
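The guarded fetch described in the PR description and in the commit message above, as an added example that is not the project's workflow step: a shell script that runs the ruleset fetch as the condition of an if, so set -e no longer aborts the step on a 403 and the audit falls back to an empty exclude list with a warning, next to a reproduction of the unguarded failure. Assumptions that are mine, not from the PR: the ruleset JSON lists excluded repos under .conditions.repository_name.exclude, the live fetcher needs curl, jq and a token in GH_TOKEN, and the two offline stand-in fetchers and the repo names are constructed for the example.

```shell
# Added example; not the project's workflow code.
# Assumed (hypothetical): ORG and RULESET_ID come from the environment, the
# token is in GH_TOKEN, and excluded repos live under
# .conditions.repository_name.exclude in the ruleset JSON.
set -e

# Live fetcher: one excluded repo per line; curl -f maps an HTTP 403 to a
# non-zero exit status (22), which is what tripped set -e in the original step.
fetch_exclude_list_live() {
  curl -fsS \
    -H "Authorization: Bearer ${GH_TOKEN}" \
    -H "Accept: application/vnd.github+json" \
    "https://api.github.com/orgs/${ORG}/rulesets/${RULESET_ID}" \
  | jq -r '.conditions.repository_name.exclude[]?'
}

# Constructed stand-ins so the example runs offline: one behaves like a token
# with admin:org read, the other like GITHUB_TOKEN being refused with a 403.
fetch_exclude_list_ok()  { printf '%s\n' legacy-archive docs-mirror; }
fetch_exclude_list_403() { echo 'curl: (22) The requested URL returned error: 403' >&2; return 22; }

# Before the fix, reproduced in a fresh shell: under set -e a failed command
# substitution in a plain assignment ends the step, so "reached" never prints.
naive_step() {
  sh -c 'set -e
    fetch() { return 22; }   # stand-in for curl -f on a 403
    EXCLUDE_LIST=$(fetch)
    echo reached'
}

# After the fix: a command used as the condition of an if is exempt from
# errexit, so the failure degrades to a warning and an empty exclude list.
# "::warning::" is the GitHub Actions annotation syntax; it still works as a
# plain log line elsewhere.
load_exclude_list() {
  if EXCLUDE_LIST=$("$1"); then
    EXCLUDE_SOURCE=ruleset
  else
    echo "::warning::ruleset ${RULESET_ID:-?} in ${ORG:-?} not readable (token lacks admin:org read?); treating exclude list as empty, so excluded repos will be scanned too" >&2
    EXCLUDE_LIST=""
    EXCLUDE_SOURCE=none
  fi
}

# Whole-line, fixed-string match so "docs" does not match "docs-mirror".
is_exempt() {
  printf '%s\n' "$EXCLUDE_LIST" | grep -Fxq -- "$1"
}

# Audit driver: prints one verdict per repo and tags degraded mode, so a
# reader of the output knows the exclude list was not authoritative.
audit_repos() {
  local fetcher
  fetcher=$1; shift
  load_exclude_list "$fetcher"
  for repo in "$@"; do
    if is_exempt "$repo"; then
      echo "$repo exempt"
    elif [ "$EXCLUDE_SOURCE" = none ]; then
      echo "$repo scan (exclude list unknown)"
    else
      echo "$repo scan"
    fi
  done
}
```

Usage in a workflow step would be `audit_repos fetch_exclude_list_live "$@"` with the repo list as arguments; the warning branch is the only place the degraded mode is recorded, which is why the verdict lines carry the "(exclude list unknown)" tag as well, so the caveat survives in the audit output and not only in the step log.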