Comments (3)
asanderson15
commented on May 27, 2024
+1 for having this - would be very valuable for Rubix.
from policy-bot.
bluekeyes
commented on May 27, 2024
I've started researching how to implement this and I think it will be hard to add a perfectly secure option, i.e. one that only allows merge commits with no user modified code. This is because merge commits usually have unique trees and the trees contain new blobs for files that were modified in both parents. I haven't found a way to distinguish automatically resolved files from manually resolved files, and I suspect it isn't possible without requiring additional metadata. It's unclear how GitHub Reviews decide if a merge commit counts as an update, but they probably have access to data not exposed in the API.
There's also a second issue: performing tree comparisons potentially requires a lot of GitHub API calls (up to one for each directory in a repository for each parent commit.) Ideally we could avoid comparing trees to support this.
Proposal
Add an ignore_update_merges option to the options structure for approval rules. If this option is true, policy-bot will ignore for the purpose of approval any commit X where all of the following is true:
- Has two parents
- The
committedViaWebproperty istrue - One parent is in the last N commits of the target branch
This should ignore any merges committed by clicking the "Update Branch" button in the UI. It won't be able to tell if the merge resolved a conflict, so there's a possibility to add code without approval by resolving a merge conflict in the UI editor.
It will not allow local merges that update the branch, but this seems acceptable. We'll may also have to make sure it can ignore merge commits created by Bulldozer using the update feature.
N would be set to something like 100 (the largest allowed page size), which means commits that merge in old versions of the target will not be ignored. I think this is fine, since I believe people mostly want this for PRs that have been approved but need one more update before they can merge due to the required up-to-date check in GitHub.
from policy-bot.
bluekeyes
commented on May 27, 2024
Looks like Bulldozer merges count as "web" commits (I guess because it uses the API), so we should be set there:
{
"commit": {
"author": {
"name": "bulldozer[bot]",
"email": "bulldozer[bot]@users.noreply.github.domain",
"user": {
"login": "bulldozer[bot]"
}
},
"committer": {
"name": "GitHub Enterprise",
"email": "[email protected]",
"user": null
},
"committedViaWeb": true
}
}from policy-bot.
Related Issues (20)
- [Feature Request] Merge queue compatibility HOT 3
- Publish linux/arm64 Docker container
- Rule to make it possible to self-approve for certain users HOT 1
- Failure status check on branches not configured HOT 3
- Restrict approvals from the PR contributors even if contributor is not the owner of the PR HOT 2
- Prevent search engines from indexing policy bot... HOT 2
- [Question] default reviewer for non matching rules HOT 2
- How to ignore a user's approval in one team when the user is member of two approval teams? HOT 2
- Policy bot stuck on `Commit hash does not have a pushed date` HOT 29
- Trouble loading policy from repo HOT 2
- Allow '=' as comparison operator HOT 1
- Misleading documentation about file path regular expressions HOT 1
- AppID ENV Variable not respected HOT 2
- Confusing behavior with skipped checks. HOT 5
- Add feature to use request more reviewers than required count in case of random-users HOT 1
- [Question] Approval by teams agregator
- Declarative Testing of Policies HOT 5
- Certain merges can lead to ignored commits during evaluation
- Request for Advice on Using Policy Bot in Open Source Projects for Testing, Approving, Merging of PRs HOT 3
- If no rule matches can policy-bot not set a failed status on the PR? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from policy-bot.