Open giordano opened 1 week ago
safe candidates for Automerge checks
Safety isn't that hard for Automerge to assess itself. It could e.g. require that some key information is given in the PR body, then call RegistryTools itself to see if it gets the same file changes as in the PR.
Another question is whether the PR author should be allowed to make registrations for the package. That could e.g. be solved by having a file in the package repo listing approved users.
Currently Automerge checks are run only for PRs opened by a limited list of authorised bots. There are some users who host their code on services different from github.com and gitlab.com for whom using JuliaRegistrator or the JuliaHub services isn't an option, however this means that
LocalRegistry.jl
which at least makes this process simpler). I think we should be able to have a mechanism (comment-based? adding a label?) to let the repo maintainers trigger Automerge checks for PRs that they evaluate are safe candidates for Automerge checks. One challenge is that the result of the automerge check should be invalidated if the PR is later modified (e.g. by pushing a new commit), to prevent malicious action.
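The two safety properties raised in this thread (the check regenerating the registration from information stated in the PR body and comparing it with the PR's file changes, plus an approved-authors list per package; and the verdict being tied to the exact commit it was computed on so that a later push invalidates it) can be modelled in a few dozen lines. The following is an added illustration, not code from the General registry, RegistryCI or RegistryTools: the `PullRequest` data model, the `generate_registry_files` stand-in for calling RegistryTools, and the sample registration are all constructed for this example.

```python
# Added example: a minimal model of maintainer-triggered Automerge checks whose
# verdict is bound to the PR head commit. Not code from the General registry,
# RegistryCI or RegistryTools; everything below is constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass
class PullRequest:
    number: int
    author: str
    head_sha: str
    metadata: Dict[str, str]   # key information the PR body is required to state
    files: Dict[str, str]      # path -> content of the changes the PR makes


@dataclass
class CheckVerdict:
    head_sha: str              # the commit this verdict was computed for
    passed: bool
    reason: str


def generate_registry_files(meta: Dict[str, str]) -> Dict[str, str]:
    """Stand-in for regenerating the registration with RegistryTools from the
    metadata in the PR body. Constructed and simplified: a real registration
    writes more files and more fields than shown here."""
    name, uuid, version = meta["name"], meta["uuid"], meta["version"]
    prefix = f"{name[0].upper()}/{name}"
    return {
        f"{prefix}/Package.toml": f'name = "{name}"\nuuid = "{uuid}"\n',
        f"{prefix}/Versions.toml": f'["{version}"]\n',
    }


def run_check(pr: PullRequest, triggered_by: str, maintainers: Set[str],
              approved_authors: Dict[str, Set[str]],
              regenerate: Callable[[Dict[str, str]], Dict[str, str]] = generate_registry_files
              ) -> Optional[CheckVerdict]:
    """Run the safety check once a maintainer triggers it (comment or label).
    approved_authors plays the role of a per-package file listing who may
    register that package. Returns None if the trigger is not a maintainer."""
    if triggered_by not in maintainers:
        return None
    package = pr.metadata.get("name", "")
    if pr.author not in approved_authors.get(package, set()):
        return CheckVerdict(pr.head_sha, False, "author not approved for this package")
    expected = regenerate(pr.metadata)
    if expected != pr.files:
        return CheckVerdict(pr.head_sha, False, "PR changes differ from regenerated registration")
    return CheckVerdict(pr.head_sha, True, "PR changes match regenerated registration")


def automerge_allowed(pr: PullRequest, verdict: Optional[CheckVerdict]) -> bool:
    """A passing verdict only counts for the exact commit it was computed on;
    any new push changes head_sha and forces a fresh maintainer trigger."""
    return verdict is not None and verdict.passed and verdict.head_sha == pr.head_sha


def with_new_commit(pr: PullRequest, new_sha: str,
                    files: Optional[Dict[str, str]] = None) -> PullRequest:
    """Model a push to the PR branch: new head commit, optionally new changes."""
    return PullRequest(pr.number, pr.author, new_sha, pr.metadata,
                       pr.files if files is None else files)


def sample_pr() -> PullRequest:
    """A constructed registration PR whose changes match the regenerated ones."""
    meta = {"name": "Example", "uuid": "00000000-0000-0000-0000-000000000000",
            "version": "0.1.0"}
    return PullRequest(1, "alice", "a" * 40, meta, generate_registry_files(meta))


if __name__ == "__main__":
    pr = sample_pr()
    verdict = run_check(pr, "maintainer", {"maintainer"}, {"Example": {"alice"}})
    print(verdict, automerge_allowed(pr, verdict))
    pushed = with_new_commit(pr, "b" * 40)
    print("after a new push:", automerge_allowed(pushed, verdict))
```

The important design point is in `automerge_allowed`: the verdict is stored together with the head commit, so it is never "approval of the PR" but approval of one specific tree, and a push after the maintainer triggered the check is automatically disqualified rather than relying on anyone noticing the new commit.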