eduardoboucas / staticman

💪 User-generated content for Git-powered websites
https://staticman.net
MIT License

Don't require write access to repository when moderation=true, fork instead of branch #98

Open meygerjos opened 7 years ago

meygerjos commented 7 years ago

The staticman github bot shouldn't need write access to the repository if moderation is set to true. Instead of branching and making a pull request, it can fork and make a pull request. This way there is less at stake if the bot is compromised.

fabacab commented 7 years ago

The Gitter Badger works this way, FWIW.

meygerjos commented 7 years ago

So I tracked down the documentation for the github Node.js module being used, and apparently it explicitly disallows pull requests from separate repositories. In Pull Requests - Create:

The branch (or git ref) you want your changes pulled into. This should be an existing branch on the current repository. You cannot submit a pull request to one repo that requests a merge to a base of another repo.

This is strange. This Node.js module is a wrapper for the github API, which allows such pull requests. The notorious GitHub bot image-optimiser used the Ruby gem httparty to directly access the API and make such pull requests, as can be seen in its source code. The github API has not disallowed this since image-optimiser was active, since Gitter Badger still does it, as @meitar pointed out.

eduardoboucas commented 7 years ago

This sounds interesting. I'd love to see a PR! :)

meygerjos commented 7 years ago

Actually I misinterpreted the documentation for the github module. It's totally possible to pull in changes from a separate repository. All that the passage in the documentation said is that the repository that changes are being pulled into must be the same repository that has the pull request on it, which makes a lot of sense.
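The fork-based flow the thread settles on, written out as an added example (this is not Staticman's code and not code posted by anyone in the thread). It plans the GitHub REST API calls so that the bot token only ever pushes to its own fork, and the pull request on the upstream repository uses the cross-repository head form `forkowner:branch` that the module documentation was describing. The endpoint paths are the public GitHub REST API; every owner, repository, branch and file name is a constructed sample value, and `baseSha` is a placeholder for the commit SHA a real run would first read from the upstream base branch.

```javascript
// Added example (not Staticman's own code). Plans the GitHub REST API calls for
// submitting user content from a fork instead of an upstream branch, so the bot
// needs no write access to the site repository when moderation is enabled.
const GITHUB_API = "https://api.github.com";

// Returns the ordered API calls as plain objects, so the plan can be inspected
// before anything is sent. All names passed in here are constructed samples.
function planForkSubmission(opts) {
  const { upstreamOwner, upstreamRepo, botUser, base, baseSha,
          branch, filePath, content, title, body } = opts;
  const upstream = `/repos/${upstreamOwner}/${upstreamRepo}`;
  const fork = `/repos/${botUser}/${upstreamRepo}`;
  return [
    // 1. Fork the site repository into the bot's account (no upstream push needed).
    { step: "fork", method: "POST", path: `${upstream}/forks`, json: {} },
    // 2. Create the submission branch on the fork, starting from the upstream base commit.
    { step: "branch", method: "POST", path: `${fork}/git/refs`,
      json: { ref: `refs/heads/${branch}`, sha: baseSha } },
    // 3. Commit the new data file to that branch on the fork (base64 body, as the API requires).
    { step: "commit", method: "PUT", path: `${fork}/contents/${filePath}`,
      json: { message: title, branch,
              content: Buffer.from(content, "utf8").toString("base64") } },
    // 4. Open the pull request on the upstream repo. `head` names the fork
    //    branch as "owner:branch"; `base` is a branch of the repo hosting the PR.
    { step: "pull", method: "POST", path: `${upstream}/pulls`,
      json: { title, body, head: `${botUser}:${branch}`, base } },
  ];
}

// True when a pull request head ref points at a branch in another repository.
function isCrossRepoHead(head) {
  return /^[^:\s]+:[^:\s]+$/.test(head);
}

// Invariant worth asserting before running a plan: the only upstream calls are
// the fork and the pull request, neither of which modifies upstream content.
function writesOnlyToFork(plan, upstreamPath) {
  return plan.every((call) =>
    call.path.startsWith(upstreamPath) ? call.step === "fork" || call.step === "pull" : true);
}

// Offline demo with constructed values; prints the requests that would be sent.
function demo() {
  const plan = planForkSubmission({
    upstreamOwner: "alice", upstreamRepo: "blog", botUser: "staticman-bot",
    base: "master", baseSha: "0000000000000000000000000000000000000000", // placeholder SHA
    branch: "staticman_comment-123", filePath: "_data/comments/123.yml",
    content: "name: Bob\nmessage: Nice post\n", title: "New comment", body: "",
  });
  if (!writesOnlyToFork(plan, "/repos/alice/blog")) throw new Error("plan touches upstream");
  for (const call of plan) console.log(call.method, GITHUB_API + call.path, JSON.stringify(call.json));
  return plan;
}

demo();
```

The plan is kept as data and checked with `writesOnlyToFork` before anything is sent, which is the property that makes a compromised bot token less damaging: the token can only push to the fork, and the upstream repository sees nothing but a pull request that still has to be merged by a maintainer.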