Support the release entity for the GitHub provider

[JAORMX]

Summary

Change Type

Mark the type of change your PR introduces:

• Bug fix (resolves an issue without affecting existing features)
• Feature (adds new functionality without breaking changes)
• Breaking change (may impact existing functionalities or require documentation updates)
• Documentation (updates or additions to documentation)
• Refactoring or test improvements (no bug fixes or new functionality)

Testing

Outline how the changes were tested, including steps to reproduce and any relevant configurations.
Attach screenshots if helpful.

Review Checklist:

• Reviewed my own code for quality and clarity.
• Added comments to complex or tricky code sections.
• Updated any affected documentation.
• Included tests that validate the fix or feature.
• Checked that related changes are merged.

[coveralls]

coverage: 55.003% (-0.4%) from 55.367%
when pulling d1078f4 on JAORMX:github-releases
into d843a45 on mindersec:main.

[evankanderson]

Does this create release entities, or just set us up for doing so in the future?

It looks (right now), like there's still more work before you can write a rule against these release objects -- are they created automatically (like PRs) after registering a repo?

I'm assuming (like PRs), that we will only start looking at releases that are modified after Minder is installed?

[evankanderson]

I'm assuming this will grow over time as we find the other useful properties.

[JAORMX]

that's right. This applies to all of our entity properties.

[evankanderson]

This seems like a weird case -- does it actually happen, or could we put in a complaint?

[JAORMX]

I'll be honest, I cargo-culted this. I'm not sure 😄

[evankanderson]

Let's make this an error and/or log at warning/error -- I think it's valid input to the GitHub API, but we shouldn't be getting output in this non-normalized form.

[JAORMX]

Does this create release entities, or just set us up for doing so in the future?

It creates the release entities.

It looks (right now), like there's still more work before you can write a rule against these release objects -- are they created automatically (like PRs) after registering a repo?

I'm assuming (like PRs), that we will only start looking at releases that are modified after Minder is installed?

Like PRs, these are created after registering a repo, as they get created. You could already start writing policies for these; the main issue we have right now is that we don't have an API to get general entities like these.

[evankanderson]

Let's make this an error and/or log at warning/error -- I think it's valid input to the GitHub API, but we shouldn't be getting output in this non-normalized form.

[evankanderson]

A few more comments.

It looks like GitHub uses the tag name as the unique identifier for releases, and you can have duplicate "name" (titles, really) for releases, but that my not be universal -- it feels like getReleaseNameFromParams will probably need to vary based on provider.

[evankanderson]

It looks like GitHub's name here is non-unique, but may still be worth exposing for e.g. filtering with CEL. (Apply / omit evalution only to releases with certain names)

[evankanderson]

It was suggested we should have a common-top-level property for these, and for the commit SHA.

[evankanderson]

One nit on https://github.com/mindersec/minder/pull/4921/files#r1871541959 that I'd like to see us track (because having two different name formats makes everything else harder).

[evankanderson]

If we merge this, we should make sure to follow up with a PR to restore the -0.4% code coverage drop from adding this new code.