Comments (8)
The feature request is legitimate, we need to pay special attention to the attack surface. If you look into how this action works, which is also described here, we're working around limitations in permissions of the GH token by delegating the merge to an external GH app. Hence, we need to be extra careful which PRs that application is capable of merging.
With that being said, I don't see this feature request necessarily impacting the attach surface. The action would have to be changed to accept a PR number, which could come from anywhere, including workflow_dispatch trigger inputs. If that is not provided, the current behavior is preserved.
The syntax would then look something like:
name: automerge
on:
workflow_dispatch:
inputs:
pr:
required: true
jobs:
automerge:
runs-on: ubuntu-latest
steps:
- uses: fastify/[email protected]
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
pr: ${{ github.event.inputs.pr }}
from github-action-merge-dependabot.
Meanwhile this issue is legit i'm wondering how you can wait for all your CI runs if it's not in the same workflow file. Do you have an example?
For this we need to add a check for the ref branch and find if there is a PR associated to it in prior. Would you want to work on this feature and write a PR for it?
from github-action-merge-dependabot.
I will try to make time to take a look at making this change. Our CI provider is CircleCI, I believe I can derive the PR number from a job triggered by a pull request.
from github-action-merge-dependabot.
I am testing this a bit, and in addition to the PR number, we would also need to derive these details:
- user (currently pulled from
pr.user.login
) - package name (currently pulled from
pr.head.ref
)
I can easily get the ref in the workflow event, it's in github.context.payload.ref
. Seems like the user (the initiator of the PR that triggers everything) should also be sent as input from CI though. Does this seem correct?
name: automerge
on:
workflow_dispatch:
inputs:
pr:
required: true
user:
required: true
jobs:
automerge:
runs-on: ubuntu-latest
steps:
- uses: fastify/[email protected]
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
pr: ${{ github.event.inputs.pr }}
user: ${{ github.event.inputs.user }}
from github-action-merge-dependabot.
Wouldn't it be better that the user resolution will done using the PR number?
Isn't the github.actor
populated with the good user?
from github-action-merge-dependabot.
The user
value is used in the code to determine isDependabotPR
. I think you could also derive this from the ref
based on a pattern match to what we know dependabot branch names look like. So another option is to not use user
at all.
For my tests, when I am doing a workflow_dispatch
via API, it looks like actor
is going to be the owner of the generated personal access token, so in my case, jhoffmcd
.
from github-action-merge-dependabot.
While thinking about and working on this, please always consider that any user provided input is a possible attack vector, hence we want to minimize it. As I described earlier, I don't think that anything other than the PR number is necessary
from github-action-merge-dependabot.
After taking a look at what the code is checking for, I thought it would be easier just to fetch the pull request data from the supplied input. That way we still only need the PR number provided by the CI/script that initiates the manual workflow request. All the other functionality should remain the same.
from github-action-merge-dependabot.
Related Issues (20)
- Release pending!
- Major version update is auto-merged with target set to minor HOT 16
- "Fetch metadata" step is skipped for "pull_request_target"
- Release pending!
- Clarify meaning of "target" option HOT 1
- Receiving 'Warning: Semver bump '' is invalid!' message HOT 3
- Fail with meaningful error in case an unsupported trigger is used HOT 1
- remove semver as dep HOT 1
- deprecation warning in test/log.test.js HOT 1
- use nearform-actions HOT 1
- remove gitdiff-parser as dependency HOT 1
- use esbuild instead of ncc
- Feature: Allow defining targets per pattern or group
- replace husky with @fastify/pre-commit
- use taprc and show coverage report HOT 1
- Suppress warning in CI/CD pipeline HOT 1
- remove @actions/github HOT 1
- Output does not seem to appear HOT 2
- Frequently see error "Pull request is in unstable status" (but all validation checks pass) HOT 4
- Release pending!
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from github-action-merge-dependabot.