Added review-bot to fine tune review requirements
#1673
Conversation
Created a Github Action that uses the [Review-Bot app](https://github.com/paritytech/review-bot) to require more fine tuned requirements to review pull requests before allowing the PR to be merged. This uses [`pull_request_target`](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target) for the event, not `pull_request`. This is a security measure so that an attacker doesn’t have access to the secrets.
Added rule which allows the audit team to lock particular important changes when they were created by someone who does not belong to the core-devs team This resolves paritytech/pr-custom-review#136
Added protection to review bot file which would keep this file from being modified by unknown parties. Added `opstooling` as a required team to ensure that this file does not break
Bullrich
requested review from
mutantcornholio,
mordamax,
rzadp and
pavelsupr
Bullrich
added
the
R0-silent
|
Question for the reviewers: Was this the correct course of action? I supposed that a PR that modifies the CI system is not part of the exposed changelog. |
Co-authored-by: Joyce Siqueira <98593770+the-right-joyce@users.noreply.github.com>
|
re. both this and paritytech/pr-custom-review#136, I don't get why there is no way to circumvent a change that is purely aesthetic and should not be audited? |
|
Okay, I found that all two comments:
|
I believe that this was intentional. If I am not misinterpreting @the-right-joyce, she wants to audit only PRs made by external people, and ignore ones from internals.
|
This is too lenient, IMO. All PRs done internal or external, if they will insignificantly alter the Polkadot runtime down the road, must be audited. |
|
@kianenigma isn't Polkadot runtime going to be removed quite soon? |
|
It is already technically removed, but it doesn't change anything about the rule. Some pallets and codes and configs are used in the Polkadot runtime in the fellowship, some or not. |
|
It looks like this bot introduced SRLabs as a required reviewer, which is blocking merging of some PRs atm. I understand this was an unexpected behaviour. Could you confirm? |
|
@0xJayPi it was intended behavior at some level, please refer to paritytech/pr-custom-review#136 |
Created a Github Action that uses the Review-Bot app to require more fine tuned requirements to review pull requests before allowing the PR to be merged.
This uses
pull_request_targetfor the event, notpull_request. This is a security measure so that an attacker doesn’t have access to the secrets.All the rules have been copied from the original
.github/pr-custom-review.ymlfile.I want to clarify, this particular commit is not intended to replace PRCR yet.
Advantages it brings over
PRCRMost of the features available in
PRCRhave been duplicated and enhanced. For a complete detailed write up, please see:The most important features are:
includeandexcludefields now accept an array, making it easier to read the regular expressions.Audit rule, which was requested by @the-right-joyce.Aside from all the rules available in
PRCRI have added a particular rule to lock the review-bot files and require a review from thelocks-reviewteam, the @paritytech/ci team and the @paritytech/opstooling team to ensure that the file has been written correctly.Next steps
The next steps will consist on paritytech/review-bot#53, once this issue has been resolved, and
review-bothas worked without any issues on this repository for a while, we will upgrade it to be able to fully replacePRCR.