chrisguindon
commented
3 years ago Before we do anything, let's wait for answers to our questions on the bug that triggered this issue: https://bugs.eclipse.org/bugs/show_bug.cgi?id=570548
Open autumnfound opened 3 years ago
chrisguindon
commented
3 years ago Before we do anything, let's wait for answers to our questions on the bug that triggered this issue: https://bugs.eclipse.org/bugs/show_bug.cgi?id=570548
autumnfound
commented
3 years ago @mbarbero Looking at the issue, it looks like the current solution to the issue is to support the field github.com-dependabot. I'm concerned about the scalability and maintainability of this solution, as it pertains to additional types of active bots on other services. We would need to patch in new exception cases into the API for some services but not others. Are there any thoughts to how we can address this?
mbarbero
commented
3 years ago Issue is that we cannot really support "support@github.com" as a valid bot email without some context as this email address is used by many github services that we may or may not support. We need some context to describe why "support@github.com" is effectively considered as the email address of a bot account.
chrisguindon
commented
3 years ago @mbarbero that works for me.
@autumnfound Do you have any other questions or concerns? If not, let's add it to your to-do list!
autumnfound
commented
3 years ago I still have concerns but I can take care of it yeah
chrisguindon
commented
3 years ago @autumnfound Please share, we can discuss this here!
autumnfound
commented
3 years ago it comes down to scalability. How do we scale for things that we don't know yet? Do we go lax and just match on all bots that have a key of (sitename)-.* for watching for bots, or do we code specific bots and make patches whenever we introduce a new bot (which would be hard to maintain)
autumnfound
commented
3 years ago We just had a call to hash out the solution, and we will be updating our bot logic to check if any of the bot email addresses match the commit email address. This was pointed out as a potential use case for things like repository mirroring, and that these email addresses are aliases, rather than separate entities.
autumnfound
commented
3 years ago Additionally, there was no limiting of bots to the current project, which was pointed out in the above-stated call. The PR for this issue also fixes this issue.
gdams
commented
3 years ago I have raised a feature request in the dependabot repo to help work around this. https://github.com/dependabot/dependabot-core/issues/3849
In terms of what the service is checking, failure is the correct answer, but we should probably look at how we validate users to see if there is a clean way of handling accounts like dependabot (widespread usage external bots).