Add validation for allowed-merge-teams

It seems that teams mentioned in this array have to also have explicit access to the repository, otherwise configuration of the allowed merge teams will not work in `sync-team`.
rust-lang · Mar 7, 2025 · da7046f · da7046f
1 parent efc01a8
commit da7046f
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/docs/toml-schema.md b/docs/toml-schema.md
@@ -350,6 +350,8 @@ required-approvals = 1
 # Which GitHub teams have access to push/merge to this branch.
 # If unspecified, all teams/contributors with write or higher access
 # can push/merge to the branch.
+# Teams mentioned in this array must also have access to the repo
+# in [access.teams].
 # (optional)
 allowed-merge-teams = ["awesome-team"]
 # Determines the merge queue bot(s) that manage pushes to this branch.

diff --git a/src/validate.rs b/src/validate.rs
@@ -840,6 +840,15 @@ but that team does not seem to exist"#,
                         team
                     );
                 }
+                if !repo.access.teams.contains_key(team) {
+                    bail!(
+                        r#"repo '{}' uses a branch protection for {} that has an allowed merge team '{}',
+but that team is not mentioned in [access.teams]"#,
+                        repo.name,
+                        protection.pattern,
+                        team
+                    );
+                }
             }
 
             if !protection.pr_required {