We only check whether we can parse policies today:
|
switch repo { |
|
case ".github": |
|
if err := yaml.UnmarshalStrict([]byte(raw), &octosts.OrgTrustPolicy{}); err != nil { |
|
log.Infof("failed to parse org trust policy: %v", err) |
|
merr = multierror.Append(merr, fmt.Errorf("%s: %w", f, err)) |
|
} |
|
|
|
default: |
|
if err := yaml.UnmarshalStrict([]byte(raw), &octosts.TrustPolicy{}); err != nil { |
|
log.Infof("failed to parse trust policy: %v", err) |
|
merr = multierror.Append(merr, fmt.Errorf("%s: %w", f, err)) |
|
} |
... but we don't check properties that aren't structural, such as that the values of permissions are well formed.
I sent a PR with writ (no e) and this didn't reject it.