Won't auto-merge valid, approved, tested PRs

[jftanner]

Odds are good that I'm missing something obvious, so I'm hoping someone can point me in the right direction.

Configuration & Use-Case

Here's the way I have things set up, and why. I'll explain in as much detail as our security policy allows.

We must have branch protection rules in place, along with a CODEOWNERS. However, we have a couple Node modules that are re-used in many, many services, so we want non-breaking changes to those modules to be auto-merged into the other services as quickly as reasonably possible. So, we found a way to get auto-merge working. It's not fully working though, as I'll describe later.

Here's our configuration:

• We've got a standalone Github Enterprise instance.
• We're required to have CODEOWNERS, for security.
• We run Renovate-on-Prem in a Kubernetes cluster.
• We have a purpose-built app that uses a special user account (not a Github Bot) to automatically approve Renovate PRs that have auto-merge configured.
• We've got a couple repository checks configured, but no statuses.

What we expect

1. When Renovate finds a new version, it opens a PR immediately.
2. Initially, the PR is blocked because it's not approved and hasn't passed required checks.
3. That PR is automatically approved by our automated approver.
4. Our checks complete, turning the PR "Green".
5. Renovate immediately merges the PR.

What actually happens

1. ✅ Renovate finds a version (eventually) and opens a PR. (I think we just need to make it scan more often. Though having an a API to call to trigger a scan would be way better, since we could do that whenever we release a new version of our node modules.)
2. ✅ The PR starts blocked.
3. ✅ The automated approver approves, if and only if the PR includes Automerge: Enabled.
4. ✅ The checks complete and the PR turns green.
5. ❌ Sometimes renovate merges the PR. But usually, nothing happens at all.

Watching the logs from Renovate, it seems like it finishes the work queue right away, before the check runs even register. Example:

DEBUG: PR is configured for automerge (repository=REDACTED, branch=renovate-REDACTED)
DEBUG: getBranchStatus(renovate-REDACTED) (repository=REDACTED, branch=renovate-REDACTED)
DEBUG: branch status check result (repository=REDACTED, branch=renovate-REDACTED)
       "state": "pending",
       "statuses": []
DEBUG: No check runs found (repository=REDACTED, branch=renovateREDACTED)
       "result": {"total_count": 0, "check_runs": []}
DEBUG: PR is not ready for merge (branch status is yellow) (repository=REDACTED, branch=renovate-REDACTED)

However, when the checks finish, there's no output that indicates that Renovate received another event that might trigger a merge. It's possible that it would merge automatically the next time it does a scan. But that won't be until the next morning, which is way too long a delay for us.

What's strange, though, is that there are some repositories where it does automatically merge without any problems. I'm still trying to figure out what the difference might be, but haven't had any success so far.

Tl;Dr

Sometimes renovate will merge its PRs, sometimes it won't. I haven't yet figured out the difference between the two situations. Any advice would be greatly appreciated!

And, as a side question: is there an api/mechanism to trigger a scan of all repos (or even specific repos) when we release a new version that we know needs to be consumed?

[rarkins]

In my past experience, GitHub won't allow a merge if there's a pending codeowner review, even if others have approved. In other words, automerge and codeowners are unfortunately incompatible due to how GitHub works

[jftanner]

I should clarify that the CODEOWNERS file defines a team (microservices-maintainers) as the owner, which the automation user is a member of. So after it approves, the PR is fully green with no pending reviews.

[jftanner]

As an example, this is what it looks like on the PR page:

[rarkins]

I think I maybe misunderstood your original post, because of the title.

Do you really just mean "Renovate takes too long to automerge PRs?" because you have an expectation that it should run a job immediately after the branch turns green?

If so, such a feature is not supported or documented, so it's a matter of mistaken expectations. Renovate enqueues jobs hourly by default and should automerge the next time it runs.

[jftanner]

As far as I can tell, it doesn't seem to ever auto-merge for some repos. Even if left overnight.

[rarkins]

What is the (debug) log for when it does run on that repo? It should run on each repo up to once per hour (depends on how many repos you have, but a job is enqueued hourly for each repo).

[jftanner]

That's a good question. I don't have any PRs open at the moment and am on vacation until Thursday, but I'll create one and stream the logs when I get back.

[rarkins]

BTW setting LOG_FORMAT=json is useful if you are streaming them to an external log system

[jftanner]

It looks like there's a couple things going on here. The first is quite embarrassing. Apparently, I already figured out that PRs won't get auto-merged immediately. My auto-approve bot automatically merges PRs by itself, when possible. I compared two PRs: one that had auto-merged immediately and another that was approved but pending. I realized, way too late, that the auto-merged one wasn't merged by Renovate, but rather by my own bot. Apparently I completely forgot an entire feature I wrote a year ago. :'(

I've got three different results:

• Some repos are immediately auto-merged by my code, that I forgot about.
• Some repos are approved (but not merged, for some reason) and are merged by Renovate next time it runs.
• Some repos are approved and green but Renovate won't merge them.

I have no idea what causes the third result. But, given that it works for other repos, the issue must be somewhere in my repo configuration. So, I'll figure it out. (Or fix my auto-approver to merge everything reliably.)

Sorry for wasting your time!