canonical / observability

Umbrella repository for the observability initiatives at Canonical.
Apache License 2.0

sign commits for update-libs and automerge minor library updates #165

Closed lucabello closed 4 months ago

lucabello commented 5 months ago

This PR achieves three things:
Signing commits

To achieve this, I generated a new GPG key for Noctua, and added it as a secret to our repos; the action crazy-max/ghaction-import-gpg@v6 configures it, and I modified how we use the PR creation workflow to make sure the commit is authored by Noctua, instead of GitHub Actions.

✔️ Here is a signed commit showing that this works.

Auto-merging PRs

To run this on a schedule, I bundled this with the update-libs workflow itself; before checking for library updates, the workflow checks for an unmerged update-libs PR that is passing all the checks; if present, it merges it.

✔️ This PR was opened (notice the new description mentioning auto-merge) and merged by Noctua on its own, showing this part works.

Major library upgrade

When a charm library has a major upgrade, charms that use it likely require some changes when updating (as major upgrades are breaking). After discussing it, we agreed that opening a failing PR was a bad idea; so we create an issue, which lists which libraries need to be updated to a new major version.

✔️ You can see issues being opened correctly here.
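As an added illustration of the two mechanisms described above (not the workflow from this PR or this repository), here is a minimal workflow that imports the bot's GPG key so its commits come out signed, gates auto-merge on a previous update-libs PR passing all checks, and opens the new PR with the bot's identity. The secret names, the `update-libs` branch name, the bot token, the `charmcraft fetch-lib` step and the use of `peter-evans/create-pull-request` are assumptions; branch-protection bypass for the bot is assumed to be granted on the token separately and is not part of this file.

```yaml
name: update-libs

on:
  schedule:
    - cron: "0 6 * * 1"   # assumed schedule
  workflow_dispatch:

jobs:
  update-libs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Import the bot's GPG key and configure git to sign every commit with it,
      # so commits show as "Verified" instead of coming from github-actions[bot].
      - name: Import Noctua GPG key
        id: gpg
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.NOCTUA_GPG_PRIVATE_KEY }}  # assumed secret name
          passphrase: ${{ secrets.NOCTUA_GPG_PASSPHRASE }}        # assumed secret name
          git_user_signingkey: true
          git_commit_gpgsign: true
          git_config_global: true

      # Merge the previous update-libs PR only if one is open AND every check passes;
      # `gh pr checks` exits non-zero when any check is failing or still pending.
      - name: Auto-merge previous update-libs PR
        env:
          GH_TOKEN: ${{ secrets.NOCTUA_TOKEN }}   # assumed bot token (not GITHUB_TOKEN)
        run: |
          pr=$(gh pr list --state open --head update-libs --json number --jq '.[0].number')
          if [ -n "$pr" ] && gh pr checks "$pr"; then
            gh pr merge "$pr" --squash --delete-branch
          fi

      - name: Update charm libraries
        run: charmcraft fetch-lib   # assumed; the repository's own update step goes here

      # Author and committer must match the imported key's identity for the
      # signature to verify; both are taken from the import step's outputs.
      - name: Open PR as Noctua
        uses: peter-evans/create-pull-request@v6
        with:
          token: ${{ secrets.NOCTUA_TOKEN }}
          branch: update-libs
          commit-message: "chore: update charm libraries"
          author: "${{ steps.gpg.outputs.name }} <${{ steps.gpg.outputs.email }}>"
          committer: "${{ steps.gpg.outputs.name }} <${{ steps.gpg.outputs.email }}>"
          title: "chore: update charm libraries"
          body: "Automated library update; auto-merged by the bot once all checks pass."
```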

sed-i commented 4 months ago

How was the bot able to merge unverified?

lucabello commented 4 months ago

Comments have been addressed!

Noctua can merge PRs with unverified commits because it's bypassing checks (it needs to, in order to bypass our approval on PRs), and that's yet another thing it can bypass.