new `bot_account` policy effectively makes rebase a premium feature when used in conjunction with renovate or other bots
Expected Behavior
It is possible to rebase PRs created by GitHub applications (such as dependabot or renovate) with the free version of mergify. Worst case, with the previous behaviour (randomly picked user with sufficient rights)
Actual Behavior
Leaving `bot_account` unspecified prevents the rebase (the user cannot be impersonated).
Specifying the bot account makes Mergify fail (premium feature)
Steps to Reproduce the Problem
- Create a repository and enable renovate
- Configure mergify for rebasing out-of-date PRs from renovate[bot]
- Let renovate open a PR
- observe mergify fail
Specifications
Example config triggering the problem
```yaml
pull_request_rules:
  - name: Auto-rebase if appropriately labeled or if the author is an authorized bot
    conditions:
      - or:
          - label=auto-update-rebase
          - and:
              - label=dependencies
              - or: &authors_are_bots
                  - author=renovate[bot]
                  - author=dependabot[bot]
      - -draft
      - -conflict
    actions:
      rebase:
```
Suggested solutions:
- try the PR author first, and then random org members (fallback to previous behavior)
- if the new behavior is intentional, consider not running the operation and notify with a message rather than failing entirely (thus also blocking auto-merge from renovate).
Hi @DanySK do you have a pull request link where we can see the failure?
Sure: https://github.com/AlchemistSimulator/Alchemist/pull/2086
Edit: adding a snapshot, as in case of modifications the run would be different
It is even worse: also explicitly excluding accounts that cannot be impersonated leads to an error in mergify:
```yaml
pull_request_rules:
  - name: Auto-rebase if appropriately labeled
    conditions:
      - label=auto-update-rebase
      # work around for Mergifyio/mergify#5074
      - not:
          or: &authors_are_bots
            - author=renovate[bot]
            - author=dependabot[bot]
      - -draft
      - -conflict
    actions:
      rebase:
```
Tested on: https://github.com/DanySK/shared-slides/pull/73
The new behavior is due to this change: https://changelog.mergify.com/changelog/rebasing-pull-requests-with-a-random-user-is-deprecated
Yes, but, with the new policy, rebasing may cause Mergify to fail.
I would suggest having an option like `fallback_to_random_org_user`, defaulting to `false`. Mergify would then:
- if `bot_account` is specified, use the bot account
- if `bot_account` is unspecified (or cannot be specified, as the account has no premium access):
  - if the author of the PR can be impersonated, run impersonating the author of the PR
  - if the author of the PR cannot be impersonated and `fallback_to_random_org_user` is `true`, find a member of the organization to impersonate (legacy behavior)
  - otherwise, fail.
I believe I am running into the same issue using the rebase action with dependabot as the PR author. I get the following error:
In the rule Automatic rebase, the action rebase configuration is invalid: Invalid bot_account value GitHub login contains invalid characters: dependabot[bot]
Is there a potential workaround for PRs created by GitHub applications to still utilize the rebase action?
Since `bot_account` is no longer a premium feature, the original issue can be resolved by using a machine user with force-push permissions.
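A pre-merge check for the two failures reported in this thread, as an added example that is not Mergify's code and not part of any comment above: it flags rebase rules that name GitHub App authors but set no `bot_account`, and rules whose `bot_account` is itself an App identity. The function names, finding codes, login pattern and the `ci-machine-user` login are assumptions made for illustration; the config is passed in as already-parsed YAML.

```python
import re

# Assumption: user logins follow GitHub's username rules (alphanumerics and single
# hyphens, at most 39 characters); "dependabot[bot]" is an App identity, not a login.
LOGIN_RE = re.compile(r"^(?=.{1,39}$)[A-Za-z0-9](?:-?[A-Za-z0-9])*$")
APP_AUTHOR_RE = re.compile(r"^-?author=(.+\[bot\])$")

def app_authors(cond):
    """Yield every GitHub App author named anywhere in a condition tree."""
    if isinstance(cond, str):
        match = APP_AUTHOR_RE.match(cond)
        if match:
            yield match.group(1)
    else:  # {"or": [...]}, {"and": [...]}, {"not": {...}} or a plain list
        for sub in (cond.values() if isinstance(cond, dict) else cond):
            yield from app_authors(sub)

def lint_rebase_rules(config):
    """Return (rule name, code, detail) for rebase rules likely to fail."""
    findings = []
    for rule in config.get("pull_request_rules", []):
        actions = rule.get("actions") or {}
        if "rebase" not in actions:
            continue
        account = (actions["rebase"] or {}).get("bot_account")
        if account is None:
            apps = sorted(set(app_authors(rule.get("conditions", []))))
            if apps:  # nobody to impersonate for these authors
                findings.append((rule["name"], "no-bot-account", apps))
        elif not LOGIN_RE.match(account):
            findings.append((rule["name"], "invalid-bot-account", account))
    return findings

# Constructed sample: the first config from the thread as parsed YAML, plus two
# variants. "ci-machine-user" is a placeholder login.
BOTS = [{"or": ["author=renovate[bot]", "author=dependabot[bot]"]}]
SAMPLE = {"pull_request_rules": [
    {"name": "thread-config",
     "conditions": [{"or": ["label=auto-update-rebase",
                            {"and": ["label=dependencies"] + BOTS}]},
                    "-draft", "-conflict"],
     "actions": {"rebase": None}},
    {"name": "app-as-bot-account", "conditions": BOTS,
     "actions": {"rebase": {"bot_account": "dependabot[bot]"}}},
    {"name": "machine-user", "conditions": BOTS,
     "actions": {"rebase": {"bot_account": "ci-machine-user"}}},
]}

if __name__ == "__main__":
    print(lint_rebase_rules(SAMPLE))
```

Authors inside a `not:` branch are reported as well, since the thread reports that excluding them still produced an error.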