🌱 refactor: reorder branch protection tests progressively by tier

checks/evaluation/branch_protection_test.go

@@ -67,10 +67,10 @@ func TestBranchProtection(t *testing.T) {
 			},
 		},
 		{
-			name: "Required status check enabled",
+			name: "Allow force push enabled",
 			findings: []finding.Finding{
 				branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
-				branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
+				branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomeNegative),
 				branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
 				branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeNegative),
 				branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeNegative),
@@ -80,20 +80,20 @@ func TestBranchProtection(t *testing.T) {
 				),
 				branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeNegative),
 				branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeNegative),
-				branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomePositive),
+				branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeNegative),
 				branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomePositive),
 				branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomePositive),
 			},
 			result: scut.TestReturn{
-				Score:        4,
-				NumberOfInfo: 5,
-				NumberOfWarn: 5,
+				Score:        1,
+				NumberOfWarn: 7,
+				NumberOfInfo: 3,
 			},
 		},
 		{
-			name: "Required status check enabled without checking for status string",
+			name: "Allow deletions enabled",
 			findings: []finding.Finding{
-				branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
+				branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomeNegative),
 				branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
 				branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
 				branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeNegative),
@@ -104,14 +104,14 @@ func TestBranchProtection(t *testing.T) {
 				),
 				branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeNegative),
 				branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeNegative),
-				branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomePositive),
-				branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeNotAvailable),
+				branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeNegative),
+				branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomePositive),
 				branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomePositive),
 			},
 			result: scut.TestReturn{
-				Score:        4,
-				NumberOfInfo: 4,
-				NumberOfWarn: 6,
+				Score:        1,
+				NumberOfWarn: 7,
+				NumberOfInfo: 3,
 			},
 		},
 		{
@@ -139,6 +139,56 @@ func TestBranchProtection(t *testing.T) {
 				NumberOfDebug: 1,
 			},
 		},
+		{
+			name: "Non-admin run on project that require zero reviewer (or don't require PRs at all, we can't differentiate it)",
+			findings: []finding.Finding{
+				branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
+				branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
+				branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
+				branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeNotAvailable),
+				branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeNotAvailable),
+				withValue(
+					branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeNotAvailable),
+					requiresApproversForPullRequests.RequiredReviewersKey, "0",
+				),
+				branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeNotAvailable),
+				branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeNotAvailable),
+				branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeNotAvailable),
+				branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeNotAvailable),
+				branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomeNotAvailable),
+			},
+			result: scut.TestReturn{
+				Score:         3,
+				NumberOfWarn:  2,
+				NumberOfInfo:  2,
+				NumberOfDebug: 5,
+			},
+		},
+		{
+			name: "Non-admin run on project that require 1 reviewer",
+			findings: []finding.Finding{
+				branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
+				branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
+				branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
+				branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeNotAvailable),
+				branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeNotAvailable),
+				withValue(
+					branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomePositive),
+					requiresApproversForPullRequests.RequiredReviewersKey, "1",
+				),
+				branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeNegative),
+				branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeNotAvailable),
+				branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeNotAvailable),
+				branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeNotAvailable),
+				branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomePositive),
+			},
+			result: scut.TestReturn{
+				Score:         6,
+				NumberOfWarn:  3,
+				NumberOfInfo:  3,
+				NumberOfDebug: 4,
+			},
+		},
 		{
 			name: "Admin run with all tier 2 requirements except require PRs and reviewers",
 			findings: []finding.Finding{
@@ -213,81 +263,31 @@ func TestBranchProtection(t *testing.T) {
 			},
 		},
 		{
-			name: "Non-admin run on project that require zero reviewer (or don't require PRs at all, we can't differentiate it)",
-			findings: []finding.Finding{
-				branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
-				branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
-				branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
-				branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeNotAvailable),
-				branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeNotAvailable),
-				withValue(
-					branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeNotAvailable),
-					requiresApproversForPullRequests.RequiredReviewersKey, "0",
-				),
-				branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeNotAvailable),
-				branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeNotAvailable),
-				branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeNotAvailable),
-				branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeNotAvailable),
-				branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomeNotAvailable),
-			},
-			result: scut.TestReturn{
-				Score:         3,
-				NumberOfWarn:  2,
-				NumberOfInfo:  2,
-				NumberOfDebug: 5,
-			},
-		},
-		{
-			name: "Non-admin run on project that require 1 reviewer",
-			findings: []finding.Finding{
-				branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
-				branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
-				branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
-				branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeNotAvailable),
-				branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeNotAvailable),
-				withValue(
-					branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomePositive),
-					requiresApproversForPullRequests.RequiredReviewersKey, "1",
-				),
-				branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeNegative),
-				branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeNotAvailable),
-				branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeNotAvailable),
-				branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeNotAvailable),
-				branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomePositive),
-			},
-			result: scut.TestReturn{
-				Score:         6,
-				NumberOfWarn:  3,
-				NumberOfInfo:  3,
-				NumberOfDebug: 4,
-			},
-		},
-		{
-			name: "Required admin enforcement enabled",
+			name: "Required status check enabled",
 			findings: []finding.Finding{
 				branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
 				branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
 				branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
-				branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomePositive),
+				branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeNegative),
 				branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeNegative),
 				withValue(
 					branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeNegative),
 					requiresApproversForPullRequests.RequiredReviewersKey, "0",
 				),
 				branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeNegative),
 				branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeNegative),
-				branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeNegative),
+				branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomePositive),
 				branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomePositive),
 				branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomePositive),
 			},
 			result: scut.TestReturn{
-				Score:        3,
-				NumberOfWarn: 5,
+				Score:        4,
 				NumberOfInfo: 5,
+				NumberOfWarn: 5,
 			},
 		},
 		{
-			name: "Required linear history enabled",
+			name: "Required status check enabled without checking for status string",
 			findings: []finding.Finding{
 				branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
 				branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
@@ -300,23 +300,23 @@ func TestBranchProtection(t *testing.T) {
 				),
 				branchFinding(requiresCodeOwnersReview.Probe, "main", finding.OutcomeNegative),
 				branchFinding(requiresLastPushApproval.Probe, "main", finding.OutcomeNegative),
-				branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomeNegative),
-				branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomePositive),
+				branchFinding(requiresUpToDateBranches.Probe, "main", finding.OutcomePositive),
+				branchFinding(runsStatusChecksBeforeMerging.Probe, "main", finding.OutcomeNotAvailable),
 				branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomePositive),
 			},
 			result: scut.TestReturn{
-				Score:        3,
-				NumberOfWarn: 6,
+				Score:        4,
 				NumberOfInfo: 4,
+				NumberOfWarn: 6,
 			},
 		},
 		{
-			name: "Allow force push enabled",
+			name: "Required admin enforcement enabled",
 			findings: []finding.Finding{
 				branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
-				branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomeNegative),
+				branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
 				branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
-				branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeNegative),
+				branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomePositive),
 				branchFinding(dismissesStaleReviews.Probe, "main", finding.OutcomeNegative),
 				withValue(
 					branchFinding(requiresApproversForPullRequests.Probe, "main", finding.OutcomeNegative),
@@ -329,15 +329,15 @@ func TestBranchProtection(t *testing.T) {
 				branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomePositive),
 			},
 			result: scut.TestReturn{
-				Score:        1,
-				NumberOfWarn: 7,
-				NumberOfInfo: 3,
+				Score:        3,
+				NumberOfWarn: 5,
+				NumberOfInfo: 5,
 			},
 		},
 		{
-			name: "Allow deletions enabled",
+			name: "Required linear history enabled",
 			findings: []finding.Finding{
-				branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomeNegative),
+				branchFinding(blocksDeleteOnBranches.Probe, "main", finding.OutcomePositive),
 				branchFinding(blocksForcePushOnBranches.Probe, "main", finding.OutcomePositive),
 				branchFinding(branchesAreProtected.Probe, "main", finding.OutcomePositive),
 				branchFinding(branchProtectionAppliesToAdmins.Probe, "main", finding.OutcomeNegative),
@@ -353,9 +353,9 @@ func TestBranchProtection(t *testing.T) {
 				branchFinding(requiresPRsToChangeCode.Probe, "main", finding.OutcomePositive),
 			},
 			result: scut.TestReturn{
-				Score:        1,
-				NumberOfWarn: 7,
-				NumberOfInfo: 3,
+				Score:        3,
+				NumberOfWarn: 6,
+				NumberOfInfo: 4,
 			},
 		},
 		{