rulesets: implement allowed-merge-apps

[marcoieni]

Close #2198

[marcoieni]

It was already present in the branch protection. See #2046

[marcoieni]

for simplicity, I put directly the ID, to avoid having another rest API to call GitHub to query for the ID.
Also, this app is only used in crates-io, so I thought adding an enum between app name and ID was overengineering. We can refine this later if needed.

You can see from the screenshot of the issue linked in the PR body that this app is in the bypass list.

[Kobzol]

Tbh I would rather add the enum variant to document what are all the integrations that we care about (and hardcode the app ID in code, same as we do for bors and Renovatebot).

[github-actions]

Dry-run check results

[WARN  sync_team] sync-team is running in dry mode, no changes will be applied.
[INFO  sync_team] synchronizing crates-io
[INFO  sync_team] synchronizing github
[INFO  sync_team] 💻 Team Diffs:
    📝 Editing team 'rust-lang/all':
      Adding member 'edmilsonefs' with member role
      Adding member 'graciegregory' with member role
    📝 Editing team 'rust-lang/survey':
      Adding member 'graciegregory' with member role
    📝 Editing team 'rust-lang/triage':
      Adding member 'edmilsonefs' with member role

[marcoieni]

From https://docs.github.com/en/rest/repos/rules?apiVersion=2022-11-28#get-a-repository-ruleset:

[marcoieni]

adding this to minimize the sync team dry run diff

[marcoieni]

@Kobzol one doubt I have: does it makes sense to have merge-bots and bypass-app-ids separated?

[Kobzol]

No, I don't think so. I would suggest merging (:laughing:) merge-bots and bypass-app-ids into allowed-merge-apps, to mirror the already existing allowed-merge-teams.

[marcoieni]

If I delete merge-bots than retrocompatibility becomes a mess. I.e. I need to change all repos files 🤔
Should we do it in another PR?
Should I momentarely add this github app in "merge-bots"? and then rename it in a separate PR?

[Kobzol]

merge-bots is currently used only on rust-lang/rust and nowhere else, so I don't see why we would need to change all repo files 🤔

[marcoieni]

Here is the dry run diff:

Rulesets:
          Updating 'main'
            Include Branches: ["~DEFAULT_BRANCH"] => ["refs/heads/main"]
            Bypass Actors: None => Some([RulesetBypassActor { actor_id: 2201425, actor_type: Integration, bypass_mode: Always }])

updating the branch to a fixed one from the default is fine.
The bypass actors are changing, but I wonder if this is because the dry run read token doesn't have the read permission for the bypass actors.

EDIT: AI confirmed that's the case

[Kobzol]

This is not for this PR, but I think that those two (along with forbid creation) should be the default.

[marcoieni]

I removed homu because it was unused.
Also I kept the "MergeBot" name here to minimize LoC changed for this PR

[marcoieni]

Not sure why after my latest changes the dry run diff increased:

    📝 Editing repo 'rust-lang/crates.io':
      Rulesets:
          Updating 'main'
            Include Branches: ["~DEFAULT_BRANCH"] => ["refs/heads/main"]
            Bypass Actors: None => Some([RulesetBypassActor { actor_id: 2201425, actor_type: Integration, bypass_mode: Always }])
            Require code owner review: deleting `false`
            Required status checks: deleting `Backend / Lint (integration_id: 15368), Backend / Test (integration_id: 15368), Backend / dependencies (integration_id: 15368), Frontend / Lint (integration_id: 15368), Frontend / Test (integration_id: 15368)`
            Strict policy for status checks: deleting `false`
            Required approvals: deleting `0`
            Dismiss stale reviews on push: deleting `false`
            Require review thread resolution: deleting `false`
            Require last push approval: deleting `false`

[marcoieni]

I think AI is right:

I'm investigating how I can fix this

[marcoieni]

I decided to setup this field explicitly instead of inferring it via code (in case the app is bors).
But let's see the dry run.

[Kobzol]

This should be changed to check if allowed_merge_apps contains Bors (not just that it is empty). That should fix the diff.

[marcoieni]

yes, but I thought that having the config more explicit was better instead of this custom logic. Wdyt? 🤔

[Kobzol]

I think that this logic is fine. The high-level config should be "bors managed this branch", and then team should do whatever is necessary to make that happen. Setting pr-required = false just exposes (just one) implementation detail of that. So I'd rather just say that bors can push to this branch, and interpret that is it being bors managed, and set the various protection options accordingly.

[marcoieni]

ok, I'll change this

[rustbot]

This PR was rebased onto a different main commit. Here's a range-diff highlighting what actually changed.

Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers.

[marcoieni]

The dry run looks good now:

    📝 Editing repo 'rust-lang/crates.io':
      Rulesets:
          Updating 'main'
            Include Branches: ["~DEFAULT_BRANCH"] => ["refs/heads/main"]
            Bypass Actors: None => Some([RulesetBypassActor { actor_id: 2201425, actor_type: Integration, bypass_mode: Always }])

[Kobzol]

This will break triagebot. I think that we should split this PR into two, make the first backwards-compatible by just adding the new code, then merge it, update triagebot and only then start using the new variants.

[marcoieni]

is 5ec5088 what you had in mind?

[Kobzol]

It's not enough, because after this PR gets merged as-is, the API will return the crates-io-workflows variant of this enum, and triagebot will fail to deserialize it.

[Kobzol]

Kind of a meta-point: I wonder if we should stop using the V1 API in sync-team. We often break the API by making changes that are only required for sync-team, but now that we have sync-team in-tree, we could just directly work on the TOML representation in it. Other tools don't need to know about allowed merge apps or even branch protections.

[marcoieni]

I don't know how other tools use the API. From me, +1 on anything that makes this repo simpler 👍

[ubiratansoares]

Awesome work here!