feature | start-date | author | co-authors | shepherd-team | shepherd-leader | related-issues |
---|---|---|---|---|---|---|
no-direct-pushes |
2023-07-21 |
Silvan Mosberger |
(find a buddy later to help out with the RFC) |
(names, to be nominated and accepted by RFC steering committee) |
(name to be appointed by RFC steering committee) |
(will contain links to implementation PRs) |
Require pull requests for all Nixpkgs commits.
There are currently 197 people with commit access to Nixpkgs, all of whom can push directly to any branch without a pull request. Such pushes generally1 do not notify anybody and do not trigger CI.
This makes such commits susceptible to:
- Be anonymous2
- Include malicious code
- Be broken
- Have poor code quality
While requiring pull requests isn't a panacea, it does help by:
- Running CI (though there's no requirement for it to succeed, see future work)
- Requesting reviews from Nixpkgs maintainers via CI
- Requesting reviews from code owners
- Tying commits to a GitHub account
- Being discoverable in the pull request list using various filterable and sortable metadata such as (manually and automatically assigned) labels, update time, authors, reviews, etc.
Turn on GitHub's "Require a pull request before merging" branch protection rule for all branches whose commits get propagated into channels. This includes:
master
: Used for unstable channels and branched into new release branchesrelease-*
: Used for stable channels
Staging branches are intentionally not included, because they will already require a pull request when they inevitably need to get merged into one of the above branches.
The same applies to similar long-term branches like haskell-packages
.
A NixOS GitHub organization owner needs to implement this change and should therefore review this proposal.
There is a GitHub Actions workflow to detect directly pushed commits. When detected, it creates a comment in the commit pointing out that this is discouraged and linking to this issue, where it's easy to see all direct pushes. The script occasionally has false positives3, which creates some unnecessary commit comment notifications.
With this proposal accepted it won't be possible to directly push commits anymore, making that workflow unnecessary. It can be removed and the above two issues can be closed.
Out of the 112217 commits to master in the last year4, at most 58 (0.0517%) of them were direct pushes.
To determine whether a commit was pushed directly, the GitHub API was queried for pull requests associated with that commit (see associatedPullRequests
).
If this list includes a merged pull request to the Nixpkgs master branch, the commit is known to be merged with a pull request.
Otherwise the commit could be directly pushed or be a false positives, which is why the above count is only an upper bound.
All obvious false positives (example) have been removed from this count and listing already.
Complete listing of the 58 potentially directly pushed commits in the last year
1ce07adbe05e
@trofi - mutt: use more ubiquitous "eee-" placeholder instead of one-off <>205ee073b053
@vcunat - Revert "texlive.combine: expose licensing information of combined packages"789271b2c8a4
@vcunat - python3Packages.hickle: fixed failing unit tests69867f9de40f
@vcunat - transmission: drop myself from .meta.maintainers82082e931fd7
@vcunat - vtm: avoid using an alias62d347770a26
@ehmry - nimPackages.eris: wontfix darwine2ccc3dd9f4d
@ehmry - cjdns: mark broken for aarch642c28f1de7cdc
@RaitoBezarius - 23.11 is Tapir8607b80c8560
@sternenseemann - haskellPackages.memfd: mark supported on linux onlyd925734d3bb7
@ehmry - Nim: add meta.mainProgram6c43a3495a11
@vcunat - linux_6_1: fixup evaluation without aliasesfa8367c2d507
@vcunat - linux_6_1: rebuild on x86_64-linuxe25dc4a95ed6
@jtojnar - nixos/nginx: Fix listen string generation331e2a1c1075
@bjornfor - prometheus-smokeping-prober: cleanup versionfe2ecaf706a5
@vcunat - rocm-thunk: evaluate even on unsupported platforms again7486a74d9f5c
@vcunat - lisp-modules: avoid the replaced pkgs.webkitgtk_5_01010c17591db
@web-flow - python3Packages.tensorflow: remove @jyp frommeta.maintainers
5a8991c6b34f
@ulrikstrid - Fix dune-configurator972b0fa87ffc
@vcunat - xdp-tools: fix hash of the patch477de8d913e6
@vcunat - olive-editor: don't use the alias openimageio226f55176e776
@vcunat - Revert #222072: "directx-shader-compiler: remove workaround"006c8313427e
@vcunat - volk: fix eval without allowed aliases53fcb2e5859b
@jtojnar - liblouis: 3.24.0 → 3.25.07b6e7dd796f8
@prusnak - electron-bin: move print-hashes.sh script0724cd4e4cf4
@dotlambda - python310Packages.nextcord: 2.3.3 -> 2.4.0427d0b71b6f7
@roberth - protonup-qt: Fix CI91bf862e3c5c
@web-flow - arrow-cpp: fix meta.broken8030c64577a7
@vcunat - Revert Merge #214786: libvmaf: fix build for BSDa0acf943cc65
@vcunat - python3Packages.zipfile36: fixup meta9abbbc5979d7
@peterhoeg - nixos/plasma5: add tool needed for kinfocenterf265af55c584
@peterhoeg - kinfocenter: add a bunch of tools for additional info880161efe12c
@bennofs - Revert "burpsuite: 2021.12 -> 2022.12.7"8d45d82c71b9
@vcunat - Revert "nixos/tests/installer: test relative paths in initrd secrets"9089ee1796b8
@peterhoeg - {libsForQt5.kpmcore,partition-manager}: * -> 22.12.1c73f29c723c2
@Mindavi - classicube: move runHook postInstall235799128bfc
@Mindavi - classicube: use makeDesktopItem52519fd12e63
@Mindavi - classicube: add .desktop file2c4b97d6a0eb
@zowoq - Revert "luaPackages.lsqlite3complete: init at 0.9.5-1"5be120bac3d3
@bobby285271 - kubernetes-controller-tools: 0.10.0 -> 0.11.15c52e8cbcb32
Yt <happysalada@proton.me> - libsForQt5.mauikit-calendar: init at 1.0.0b660c76d0fbd
Yt <happysalada@proton.me> - cask-server: init at 0.5.621e0f7502b31
Yt <happysalada@proton.me> - libsForQt5.maui-core: init at 0.5.658d84f7f0fb6
Yt <happysalada@proton.me> - maui-shell: init at 0.5.63c6d63d22ca8
@vcunat - rtw89-firmware: fixup build after rtw89 update92b4f173803f
@vcunat - tennix: avoid URL literal42a68e6a36b8
@jtojnar - bundlerUpdateScript: Fix evaluation withallowAliases = false
6184f635b3c3
@maralorn - nixos/doc: Fix typo in 22.11 release manualcdad0ce127b0
@vcunat - nixos/filesystems: fix a typo in docsb68bd2ee5205
@mweinelt - 23.05 is Stoatdf109d0291d3
@bobby285271 - go-graft: 0.2.14 -> 0.2.159971f569a937
@bobby285271 - goeland: 0.12.1 -> 0.12.354be84c3ac01
@teto - pass2csv: 0.3.2 -> 1.0.0636051e35346
@vcunat - linux: avoid NO_HZ_FULL on i686-linux0ab12ad0af7d
@flokli - borgbackup: remove myself from maintainers9e4c57c08966
@jtojnar - sublime4-dev: 4136 → 4137738fe494da28
@shlevy - Merge branch 'nix-plugins-10'ad41e043760e
@jonringer - python310Packages.moto: disable failing tests after werkzeug updated6d2d6c6d7fc
@mweinelt - python3Packages.twisted: skip failing tests on aarch64-darwin
Note This was generated with a fairly hacky and non-reusable script, but it can relatively easily be verified probabilistically by picking a random commit in the time range and checking if it belongs to a pull request, repeat to increase confidence.
Sometimes channels have blocking breakages and need to be fixed as soon as possible (citation needed). Currently this can be done with direct pushes, but a pull request will be required with this proposal. The time required to fix such breakages however is barely affected: Since there is currently no requirement for pull requests to be approved or pass CI, they can get merged immediately after opening if necessary.
The staging workflow is not affected because it already uses pull requests for all merges into the affected branches.
- Even trivial changes that don't need a review now require a pull request, which takes more effort and creates noise for reviewers.
- It takes slightly longer to push a quick fix in emergency situations.
- It would be possible to implement a third-party interface to de-anonymize future commits (even if pushed directly to master) using the push event GitHub webhook, which includes the
sender
field to match the pushing GitHub user.- This would not solve the other problems with direct pushes though: It still wouldn't notify others, trigger CI or be discoverable.
The previous RFC 79 attempted to do the same, but:
- It had a mistaken estimate for the percentage of direct master commits, calculating it to be 46.85% in the last year. The mistake was assuming that all non-merge commits were direct pushes. This made it seem like the change was much more impactful than it actually would've been.
- It was too ambitious by also proposing to require accepting reviews for all pull requests.
More restrictions could be implemented in the future:
- Require all pull requests to have at least one approval, therefore preventing people from merging their own pull requests (it's not possible to approve your own pull request)
- Require an approval by a code owner, properly establishing code ownership over all parts of Nixpkgs
- Require CI to pass, maybe using GitHub's new merge queue's
Footnotes
-
There's no GitHub mechanism that takes care of notifying other people and there's no builtin way to get notified for new commits linked to the direct push issue, but third-party tooling could be implemented to get notified explicitly for direct pushes ↩
-
GitHub does not require committers to match the pushing GitHub account, here's an example. ↩
-
Unix epoch 1658361600 to 1689897600 ↩