Open autumnfound opened 3 years ago
Before we do anything, let's wait for answers to our questions on the bug that triggered this issue: https://bugs.eclipse.org/bugs/show_bug.cgi?id=570548
@mbarbero Looking at the issue, it looks like the current solution to the issue is to support the field github.com-dependabot
. I'm concerned about the scalability and maintainability of this solution, as it pertains to additional types of active bots on other services. We would need to patch in new exception cases into the API for some services but not others. Are there any thoughts to how we can address this?
Issue is that we cannot really support "support@github.com" as a valid bot email without some context as this email address is used by many github services that we may or may not support. We need some context to describe why "support@github.com" is effectively considered as the email address of a bot account.
@mbarbero that works for me.
@autumnfound Do you have any other questions or concerns? If not, let's add it to your to-do list!
I still have concerns but I can take care of it yeah
@autumnfound Please share, we can discuss this here!
it comes down to scalability. How do we scale for things that we don't know yet? Do we go lax and just match on all bots that have a key of (sitename)-.*
for watching for bots, or do we code specific bots and make patches whenever we introduce a new bot (which would be hard to maintain)
We just had a call to hash out the solution, and we will be updating our bot logic to check if any of the bot email addresses match the commit email address. This was pointed out as a potential use case for things like repository mirroring, and that these email addresses are aliases, rather than separate entities.
Additionally, there was no limiting of bots to the current project, which was pointed out in the above-stated call. The PR for this issue also fixes this issue.
I have raised a feature request in the dependabot repo to help work around this. https://github.com/dependabot/dependabot-core/issues/3849
In terms of what the service is checking, failure is the correct answer, but we should probably look at how we validate users to see if there is a clean way of handling accounts like dependabot (widespread usage external bots).