
Require PRs and passing CI for commits to this repository #84

Opened by @MikeMcQuaid (Member)

Description

There's currently a bot that commits directly, which means these branch protection security features cannot be enabled for this repository.

It would be ideal to have the bot open PRs automatically or push the data somewhere other than this repository.

Activity

MikeMcQuaid (Member, Author) commented on May 28, 2024

Related issue which may provide inspiration: Homebrew/brew#17379

MikeMcQuaid (Member, Author) commented on May 28, 2024

For example, in this case the regularly regenerated files could instead be deployed to GitHub Pages.

MikeMcQuaid self-assigned this on Jun 13, 2025

MikeMcQuaid (Member, Author) commented on Jun 20, 2025

@woodruffw @alex Would love to help move this along somehow if I could. The two ways that jump out to me (based on other Homebrew ecosystem things) are:

  1. have the bot create PRs that a human eyeballs and merges instead of pushing direct to main
  2. either this repository or another one instead deploys these JSON files to GitHub Pages which brew-pip-audit then consumes instead of needing these files committed into this repository

There may also be other approaches here that I don't currently see (e.g. plain old GitHub Actions caching of this data). I'm happy to help move forwards whatever approach you think makes most sense here. Right now this is one of the 2 remaining repos that don't have human review for all changes and I'd love to fix that in the next 2-3 months 😁

woodruffw (Member) commented on Jun 20, 2025

> have the bot create PRs that a human eyeballs and merges instead of pushing direct to main

I'm a fan of this 🙂 -- I think nothing about our current flow would be badly disturbed/disrupted by changing to PRs over pushing directly.

I'm curious if @alex has strong feelings either way; the only "downside" to the PR flow is that a human has to merge it each day (or whatever window we choose), but I don't mind being the one to do that.

alex (Collaborator) commented on Jun 20, 2025

I think having a human review the requirements.txt + audit files we produce every day would not be a good use of time/energy. There's limited meaningful review that could occur beyond "yup, that sure is a requirements.txt file", so I believe any review would be nothing beyond a rubber stamp.

If the goal is to get branch protection on main, I think it'd be far more sensible to simply have all the data live in a different branch/repo/datastore.

woodruffw (Member) commented on Jun 20, 2025

Yeah, it would be just a rubber-stamp effectively (there's also the annoying bit where machine-generated PRs don't trigger CI automatically unless they come from a PAT or app, although in this context I suppose we don't have that issue thanks to @BrewTestBot).

I suppose having it be a JSON or whatever dump on GitHub Pages would be the best of both worlds then -- no protection bypasses and no rubber-stamp for data-only changes.
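The "dump on GitHub Pages" approach discussed above, sketched as an added example workflow that is not the project's own code (the schedule, the `scripts/generate.py` step and the `site` output directory are assumptions; the `actions/*` versions are real published releases). The point it shows is that once the generated data leaves the repository, the bot's token needs no write access to repository contents, so branch protection on main can be enabled without a bypass:

```yaml
# Hypothetical workflow (added example, not from Homebrew/brew-pip-audit):
# regenerate the audit data on a schedule and publish it to GitHub Pages
# instead of committing it to main.
name: publish-audit-data

on:
  schedule:
    - cron: "0 6 * * *"   # daily; the window is an assumption
  workflow_dispatch:

# Least privilege: the workflow token can read the repo but never push to it,
# so no branch-protection bypass is required for the bot.
permissions:
  contents: read
  pages: write
  id-token: write

concurrency:
  group: pages
  cancel-in-progress: false

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      # Placeholder for the project's own generation step; it is assumed to
      # write requirements.txt and the audit JSON files into ./site.
      - name: Regenerate data
        run: |
          mkdir -p site
          python scripts/generate.py --output site   # hypothetical script
      - uses: actions/upload-pages-artifact@v3
        with:
          path: site

  deploy:
    needs: build
    runs-on: ubuntu-latest
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    steps:
      - id: deployment
        uses: actions/deploy-pages@v4
```

Consumers (here, brew-pip-audit) would then fetch the JSON from the Pages URL rather than from the main branch. Two things to check when adopting this shape: the `permissions` block must not grant `contents: write` anywhere in the workflow, or the protection gain is lost, and the third-party actions are best pinned to a full commit SHA rather than a moving `@vN` tag so a tag move upstream cannot change what runs in the publishing job.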

alex (Collaborator) commented on Jun 20, 2025

Yes. (It'd also give us a place to put some of the tables that we currently put in GHA output)

MikeMcQuaid (Member, Author) commented on Jun 20, 2025

Ok, thanks!

@woodruffw are you game to take this on? Anything I can do to help? I'd suggest looking at the formulae.brew.sh and rubydoc.brew.sh repos for Jekyll inspiration.

woodruffw (Member) commented on Jun 20, 2025

> @woodruffw are you game to take this on?

Yep, I can do it this weekend/early next week most likely 🙂

MikeMcQuaid (Member, Author) commented on Jun 20, 2025

Thanks for input here too @alex, very helpful ❤

woodruffw (Member) commented on Jun 22, 2025

Working on this in #210!

woodruffw (Member) commented on Jun 24, 2025

#210 completes the machinery of this -- reopening so that this can be fully closed once the repo protections are actually enabled 🙂

MikeMcQuaid (Member, Author) commented on Jun 24, 2025

Done, thanks @woodruffw!

Metadata

Labels: help wanted (Extra attention is needed)

Participants: @alex, @MikeMcQuaid, @woodruffw

Require PRs and passing CI for commits to this repository · Issue #84 · Homebrew/brew-pip-audit