-
Notifications
You must be signed in to change notification settings - Fork 469
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Have a mechanism to manually run automerge checks for PRs opened by non-authorised users/bots #116716
Comments
Safety isn't that hard for Automerge to assess itself. It could e.g. require that some key information is given in the PR body, then call RegistryTools itself to see if it gets the same file changes as in the PR. Another question is whether the PR author should be allowed to make registrations for the package. That could e.g. be solved by having a file in the package repo listing approved users. |
AutoMerge has two "components": the PR job that runs on the PR and decides whether the PR "passes AutoMerge" or "fails AutoMerge" (but doesn't actually merge anything), and the cron job that goes through the list of PRs and does the merges. The way that the two components communicate with each other is via the Now, if I recall correctly, when the AutoMerge PR job creates the So, I think the existing decision of AutoMerge already takes care of this aspect of the OP. |
The registry maintainer needs to manually assess safety themselves prior to triggering AutoMerge. Otherwise, someone can just open a PR modify the manifest files in |
Good points. Somehow it seems like you would like to run the CI checks from a different repository, to separate the testing infrastructure from the registry content. I have no idea what token nightmares that would lead to or whether it's technically possible at all. |
Currently Automerge checks are run only for PRs opened by a limited list of authorised bots. There are some users who host their code on services different from github.com and gitlab.com for whom using JuliaRegistrator or the JuliaHub services isn't an option, however this means that
LocalRegistry.jl
which at least makes this process simpler)I think we should be able to have a mechanism (comment-based? adding a label?) to let the repo maintainers trigger Automerge checks for PRs that they evaluate are safe candidates for Automerge checks. One challenge is that the result of the automerge check should be invalidated if the PR is later modified (e.g. by pushing a new commit), to prevent malicious action.
The text was updated successfully, but these errors were encountered: