Closed lucabello closed 4 months ago
How was the bot able to merge unverified?
Comments have been addressed!
Noctua can merge PRs with unverified commits because it's bypassing checks (it needs to, in order to bypass our approval on PRs), and that's yet another thing it can bypass
This PR achieves three things:
update-libs PRs are green (e.g., passing all the tests), they will be auto-merged;

Signing commits
To achieve this, I generated a new GPG key for Noctua, and added it as a secret to our repos; the action crazy-max/ghaction-import-gpg@v6 configures it, and I modified how we use the PR creation workflow to make sure the commit is authored by Noctua, instead of GitHub Actions.
✔️ Here is a signed commit showing that this works.
Auto-merging PRs
To run this on a schedule, I bundled this with the update-libs workflow itself; before checking for library updates, the workflow checks for an unmerged update-libs PR that is passing all the checks; if present, it merges it.
✔️ This PR was opened (notice the new description mentioning auto-merge) and merged by Noctua on its own, showing this part works.
Major Library upgrade
When a charm library has a major upgrade, charms that use it likely require some changes when updating (as major upgrades are breaking). After discussing it, we agreed that opening a failing PR was a bad idea; so we create an issue, which lists which libraries need to be updated to a new major version.
✔️ You can see issues being opened correctly here.
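
A minimal workflow in the shape the description lays out (import the bot's key, merge a green update PR, then commit signed and verify before pushing), added here as an illustration and not taken from the PR. The secret names, the branch name, the default branch `main`, the schedule and `./scripts/update-libs.sh` are assumptions.

```yaml
# Added example, not the project's workflow. Secret names, branch names,
# schedule and the update script are assumptions.
name: update-libs
on:
  schedule:
    - cron: "0 6 * * 1"                     # assumed schedule
jobs:
  update-libs:
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ secrets.BOT_TOKEN }}    # assumed: the bot account's token
      BRANCH: chore/update-libs             # assumed branch name
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.BOT_TOKEN }}
      # Imports the bot's key; with these two flags git signs every commit
      # and takes user.name/user.email from the key's identity.
      - uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}   # assumed name
          passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}         # assumed name
          git_user_signingkey: true
          git_commit_gpgsign: true
      # --admin bypasses branch protection (approvals, signature rules),
      # so the status check in this step is the only gate left.
      - name: Merge the previous update PR if it is green
        run: |
          pr=$(gh pr list --head "$BRANCH" --state open --json number --jq '.[].number' | head -n 1)
          if [ -n "$pr" ] && gh pr checks "$pr"; then
            gh pr merge "$pr" --squash --admin
          fi
      - name: Commit, verify the signature, then open the PR
        run: |
          git fetch origin main && git switch -C "$BRANCH" origin/main
          ./scripts/update-libs.sh                # hypothetical update step
          git add -A
          git diff --cached --quiet && exit 0     # nothing to update
          git commit -m "chore: update charm libraries"
          git verify-commit HEAD                  # stop here if the commit is unsigned
          git push --force origin "$BRANCH"
          open=$(gh pr list --head "$BRANCH" --state open --json number --jq '.[].number')
          [ -n "$open" ] || gh pr create --fill --head "$BRANCH"
```

Running `git verify-commit HEAD` before the push makes a missing or broken key fail the job instead of producing an unverified commit on the PR branch.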