Possible rule bypass

[psychon]

The fix for #24 (which is 74c6856) allows a configuration bypass:
I just add a PR that changes .mergify.yml to require zero reviews etc. Unless something in the code prevents "just merge anything"-configs, this PR will be merged. Assuming the project in question also uses Travis, this method could e.g. be used to extract secrets from Travis (which is why Travis uses the .travis.yml from the default branch and not from the PR).

Ref: awesomeWM/awesome#2260 (comment)

[sileht]

I have started to work on this: 8c89c7a

[sileht]

It's finished that and pushed it in production.

The fixed behavior have been documented in the Note here:
https://doc.mergify.io/getting-started.html#mergify-is-now-ready-what-will-happen-next

[blueyed]

be used to extract secrets from Travis

How so? Not via Travis itself at least.
Because Mergify also allows to run code / custom callbacks?

[psychon]

Assuming we can get in a commit, you just change the .travis.yml to print out all secrets via echo $GH_TOKEN (or something like that). The PR that exists to merge this will run without the secret values, but the build for the master branch that happens after the PR is merged has access to the secrets and can print them out (or send them via netcat somewhere in the internet, or ....).

[blueyed]

@psychon
I see, thanks for explaining! (I am slow today)