Random thumbs up in comment shouldn't approve PR about policy-bot HOT 8 CLOSED

Right, the actual values used for approval are fully configurable using the methods section of options (defaults below):

  methods:
    comments:
      - ":+1:"
      - "👍"
    github_review: true

You can also only accept GitHub reviews for approval.

from policy-bot.

Even if 👍 is the whole comment, it's definitely not obvious.

It's how I accidentally merged and released a PR that definitely shouldn't have been merged and released, just by trying to ack somebody else's comment.

from policy-bot.

it's a very weird feeling to have to worry about my choice of emoji so as to prevent accidentally releasing code.

from policy-bot.

CC @iamdanfox

from policy-bot.

So as a short-term remediation, we can just explicitly declare the type of approvals we consider valid in the the foundry default policy and override the defaults, maybe it should be a string like ==LGTM== or ==APPROVED== so it's hard to misfire?

from policy-bot.

Why allow anything but an actual approval?

from policy-bot.

bumping this issue. now that standardization PRs have been rolled out across the board, it's quite a bit harder to know how and where to make changes to override these defaults.

combined with the fact that our automation has achieved impressive levels of sentience (via eggtimer, bulldozer, canaries, etc), this means that an accidental 👍 comment made by someone could have pretty far-reaching effects.

can we please have the default changed to something safer? I like the ==LGTM== idea above.

from policy-bot.

Moving internally since this is a discussion on a specific policy file and not the bot itself.

from policy-bot.