Auto-merge support with "restrict who can push to this branch" #86
Comments
|
There's an issue on the GitHub platform forum, which is their preferred way to receive app-related feedback. Adding your voice there might help: |
|
I've gone ahead and replied and asked for an update. Unfortunately GitHub is slow as can be to do the most basic of things. |
|
Plus one, is it possible for us to add |
|
Good question. Sadly not at the moment - we'd need to build a bunch of automation around |
|
Any progress on this one @greysteil ? |
|
This one's still with GitHub support. I chased them about it last week and just got another "it's on our roadmap" email. I know they're very busy, but hope this will become a priority eventually. In the meantime, the best way to help is probably emailing support@github.com. |
|
We'd be very interested in a proper solution as well... Basically we want human prs to be reviewed before merging into our dev branch. However dependabot prs should be ok to auto merge. We could solve this independently from dependabot, however ideally it's solved by dependabot (if possible). @greysteil What would be a appropriate request for the email you provided? If you post a template here more people might be tempted to sent that. |
|
I'd go for something like this:
|
|
@greysteil Thanks! We've solved this now in circleci using gally (disclaimer I'm the author) and a separate "bot" github user. Not as clean as I'd like it to be (oh circle why do you make our life so hard), but works great. Excerpt (job): gally-auto-merge:
docker:
- image: 'circleci/node:10'
steps:
- run:
name: Set PR number because circle :(
command: |
echo 'export CIRCLE_PR_NUMBER="${CIRCLE_PR_NUMBER:-${CIRCLE_PULL_REQUEST##*/}}"' >> $BASH_ENV
source $BASH_ENV
echo $CIRCLE_PR_NUMBER
- checkout
- run: sudo npm i -g gally
- run: ga approve $CIRCLE_PR_NUMBER --condition "base.ref=dev&state=open&user.login=dependabot[bot]"
- run: ga merge $CIRCLE_PR_NUMBER --condition "base.ref=dev&state=open&user.login=dependabot[bot]"If you don't need approval you can skip that step in the job. Note that this requires the $GH_TOKEN environment variable to be set and contain the api key for the bot user. |
|
I've played with this bot, and with some hacking managed to get it to auto-approve dependabot PRs so they then can be merged. @greysteil, Ideally, this would be a new config option in dependabot, but I'm not sure if it is as simple as that. You can't normally approve your own PR, but maybe you can through the API? Otherwise, how about a new bot - approvabot ? |
|
We can't approve our own PRs, but a GitHub action to automatically approve them ought to work. I think @hmarr had something basic thrown together. |
|
I've just fixed up the auto-approval action I threw together a while ago and made the repo open source. If you have access to GitHub Actions (and are using a private repo, as I gather they're not yet enabled for open source repos), this should do the trick for you. |
|
@hmarr That bot does not seem to solve the issue. For clarification, this issue is about the "Restrict who can push to matching branches" option, which only allows the specified users or teams to push to the branch. What your Action solves for is when "Require pull request reviews before merging" is enabled, which is not the point of this issue. |
|
Any workaround without GitHub Actions (I'm not yet into the beta 😢)? |
|
We're working on a general fix for this in GitHub right now (i.e., allowing you to specify bots as actors that are allowed to push to protected branches). |
|
For those who don't have GitHub Actions yet the Here is my from_owner:
- dependabot-preview[bot]
required_labels:
- dependencies
apply_labels:
- autoapproved
So basically:
|
|
@nicolasrouanne that kind of fix is unrelated to this issue, as I previously mentioned:
|
|
@Mcat12 we'll have a fix for that direct in GitHub (and usable for other apps, not just Dependabot) in the next few days. @feelepxyz is working on it right now 🙂 |
|
@greysteil Can you update this issue when the feature has been released? |
|
For sure. The whole of GitHub is at a big offsite this week so it won't happen in the next 7 days, but the code is almost ready and should be deployed next week. |
|
@greysteil enjoy your offsite |
|
Perhaps it should be an issue of its own, but for several of our repositories we do not trust our test coverage enough to go full automatic. One of our repositories now uses autoapprove + dependabot and that's working nicely, but for two other repositories we'd prefer to manually approve pull requests from dependabot and have dependabot merge them as soon as all other status checks have come back positive. That way we don't have to wait for the build to complete. I may have been rambling a bit, so maybe this could summarise the option I'd also like to see (next to the fully automatic solution):
And
Currently we get:
Which is preventing us from doing that while we're working on our test coverage |
|
It’s still happening, but it’s slow. Here’s how it works internally at GitHub:
- Dependabot is a team here
- Another team (ecosystem-apps) owns the experience and code here
- We’ve chatted to them, got the work scopes, and started working on it with their blessing (they’ll be responsible for hitting merge)
- As part of the work we’ve found a bunch of debt around permissions which we’re working to clear up, but it’s slow going for us because it’s not our area and the person who was working on it is on holiday
- We’ll keep pushing and get this over the line (I’ll update here if we ever *don’t* have someone working on it!)
Stay with us - we’re working on it but it’s hard!
… On 1 Aug 2019, at 08:00, Alex Cazacu ***@***.***> wrote:
Are there any updates on the incoming change?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
You could use policy-bot from palantir that replace and enhance the branch protection by adding a status check to the pull request. If you configure your repo with branch protection for status check. Then you should be able to merge even if it is a bot. https://github.com/palantir/policy-bot |
|
👋 We've just shipped the UI to allow installed GitHub Apps to push to protected branches, you can add installed apps from the repository settings for the protected branch:
Short video walkthrough: https://drive.google.com/open?id=1i15psbTl7LhSMhNCi9tom-OdgybM9slQ If you've got required pull request reviews set Dependabot will still fail to merge the pull request until it's approved. You can get around this with a GitHub action to auto approve these pull requests: https://github.com/hmarr/auto-approve-action We're still working on the corresponding APIs to query/update apps as allowed actors on protected branches (GraphQL v4 and Rest v3). Planning on publishing these by next week. There's also a bug when using git auth (e.g. git push with credentials) preventing apps from pushing to protected branches even though it's been authorized. Should be fixed by next week. 🎉 |
|
@feelepxyz Can you please update this ticket when this is supported through the api? Cheers! |
|
@simlu the APIs are now live 🎉 Updated GraphQL API:
Updated Rest API: https://developer.github.com/changes/2019-09-05-apps-protected-branches-api/ |
|
Any news on this one? |
|
@localheinz this should be working now if you add |
|
The actor
What do I need to do to make this happen? |
|
I'm also not seeing the name show up.
|
|
@philsturgeon @localheinz oh looks like this is broken. Will investigate! |
|
@localheinz @philsturgeon workong on a fix in github but going to take some time to get this out amidst the holidays. You can work around it by explicitly selecting the repos that |
|
Can confirm that selecting repositories manually allows to select
|
|
Not sure if this is a different issue, but I still do not see Dependabot automatically merge pull requests. Apps allowed to push to matching branches
|
|
I'm still not seeing the option to add dependabot-preview (or any other dependabot users) to my list of people with push access. Is this bug not completely fixed? I am also unable to manually select all repositories (since we have thousands, and need our bot to automatically have access to new ones). Any updates on this bug? |
|
@romrell4 this should be fixed now. Was on hold over the break. @localheinz yeah looks like the required reviewers settings are preventing the automerge: ergebnis/composer-normalize#283 (comment) there's an option to treat a PR approval as a request to merge in your dependabot dashboard settings:
|
|
Thank you, @feelepxyz! |
|
Just to clarify my understanding on this issue, is this summary of the situation correct? Dependabot can now be added with permissions to push to protected branches, but it can't approve its own PRs. In order to trigger the merge, you still need either a manual approval, or another bot/action (other than dependabot) to approve the PR, even if a PR matches rules in automerged_updates. |
Yep, that's correct! Here's an example GH Action to auto-approve: https://github.com/hmarr/auto-approve-action (going to lock this issue) |
Currently auto-merge is not possible for any branch that has "restrict who can push to this branch" enabled in branch protections.
Unfortunately GitHub does not currently allow adding bots to the list.
Is there any way to communicate with GitHub, especially since Dependabot is a Marketplace app?
The text was updated successfully, but these errors were encountered: