Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions guards/github-guard/rust-guard/src/labels/helpers.rs
Original file line number Diff line number Diff line change
Expand Up @@ -450,13 +450,13 @@ const MAX_REACTIONS_TO_CHECK: usize = 20;
/// Return the effective `disapproval_integrity` level from context, defaulting to "none".
fn effective_disapproval_integrity<'a>(ctx: &'a PolicyContext) -> &'a str {
let v = ctx.disapproval_integrity.trim();
if v.is_empty() { "none" } else { v }
if v.is_empty() { super::constants::policy_integrity::NONE } else { v }
}

/// Return the effective `endorser_min_integrity` level from context, defaulting to "approved".
fn effective_endorser_min_integrity<'a>(ctx: &'a PolicyContext) -> &'a str {
let v = ctx.endorser_min_integrity.trim();
if v.is_empty() { "approved" } else { v }
if v.is_empty() { super::constants::policy_integrity::APPROVED } else { v }
}

/// Convert an integrity level name to its rank for comparison.
Expand Down
67 changes: 67 additions & 0 deletions guards/github-guard/rust-guard/src/labels/tool_rules.rs
Original file line number Diff line number Diff line change
Expand Up @@ -968,4 +968,71 @@ mod tests {
"list_repository_collaborators must produce reader-level integrity"
);
}

#[test]
fn apply_tool_labels_secret_scanning_is_always_private() {
let ctx = default_ctx();
let args = serde_json::json!({"owner": "octocat", "repo": "hello-world"});
let repo_id = "octocat/hello-world";

for tool in &["list_secret_scanning_alerts", "get_secret_scanning_alert"] {
let (secrecy, integrity, _desc) = super::apply_tool_labels(
tool, &args, repo_id, vec![], vec![], String::new(), &ctx,
);
// Must be private even for a public repo — never empty secrecy
assert!(
secrecy.iter().any(|s| s.starts_with("private:")),
"{tool}: expected private secrecy, got {secrecy:?}",
);
assert!(
integrity.iter().any(|s| s.starts_with("approved:")),
"{tool}: expected writer integrity, got {integrity:?}",
);
}
}

#[test]
fn apply_tool_labels_code_scanning_and_dependabot_are_always_private() {
let ctx = default_ctx();
let args = serde_json::json!({"owner": "octocat", "repo": "hello-world"});
let repo_id = "octocat/hello-world";

for tool in &[
"list_code_scanning_alerts",
"get_code_scanning_alert",
"list_dependabot_alerts",
"get_dependabot_alert",
] {
let (secrecy, integrity, _desc) = super::apply_tool_labels(
tool, &args, repo_id, vec![], vec![], String::new(), &ctx,
);
assert!(
secrecy.iter().any(|s| s.starts_with("private:")),
"{tool}: expected private secrecy, got {secrecy:?}",
);
assert!(
integrity.iter().any(|s| s.starts_with("approved:")),
"{tool}: expected writer integrity, got {integrity:?}",
);
}
}

#[test]
fn apply_tool_labels_get_job_logs_is_always_private() {
let ctx = default_ctx();
let args = serde_json::json!({"owner": "octocat", "repo": "hello-world"});
let repo_id = "octocat/hello-world";

let (secrecy, integrity, _desc) = super::apply_tool_labels(
"get_job_logs", &args, repo_id, vec![], vec![], String::new(), &ctx,
);
assert!(
secrecy.iter().any(|s| s.starts_with("private:")),
"get_job_logs: expected private secrecy, got {secrecy:?}",
);
assert!(
integrity.iter().any(|s| s.starts_with("approved:")),
"get_job_logs: expected writer integrity, got {integrity:?}",
);
}
}
Loading