Skip to content

🐛 Fix branch-protection ruleset handling when there are no include patterns #4835

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

🐛 Fix branch-protection ruleset handling when there are no include patterns #4835

wants to merge 1 commit into from
+38 −1

Conversation

@trask
Copy link
Contributor

@trask trask commented Oct 31, 2025

What kind of change does this PR introduce?

Bug fix – repository rulesets without any include patterns should apply to all branches which aren't explicitly excluded

What is the current behavior?

Scorecard ignores GitHub rulesets that rely on an empty include list (apply to all refs unless excluded), so branches covered only by those rulesets are reported as lacking protection. The branch-protection check emits false warnings such as “Warn: branch protection not enabled for branch 'xyz'”.

What is the new behavior (if this is a feature change)?

Rulesets with no explicit include patterns are now treated as applying to every ref except those explicitly excluded, matching GitHub’s semantics. Branches governed by such rulesets are marked protected and no longer generate false warnings.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

None

Special notes for your reviewer

None

Does this PR introduce a user-facing change?

Fix branch-protection scoring so GitHub rulesets without include patterns are honored, eliminating false warnings for branches covered by those rulesets.
@trask trask temporarily deployed to integration-test October 31, 2025 21:12 — with GitHub Actions Inactive
@codecov
Copy link

codecov bot commented Oct 31, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.48%. Comparing base (353ed60) to head (eb02cb0).
⚠️ Report is 266 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4835      +/-   ##
==========================================
+ Coverage   66.80%   69.48%   +2.68%     
==========================================
  Files         230      250      +20     
  Lines       16602    15593    -1009     
==========================================
- Hits        11091    10835     -256     
+ Misses       4808     3891     -917     
- Partials      703      867     +164
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.
@spencerschrock
Copy link
Member

repository rulesets without any include patterns should apply to all branches which aren't explicitly excluded

Are you sure about that? This is what I see on a test repo when making a ruleset without a target:

This ruleset does not target any resources and will not be applied.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

2 participants

@trask @spencerschrock