pre-commit-ci / issues

public issues for https://pre-commit.ci

Respond to some @dependabot commands #138

Closed mlissner closed 2 years ago

mlissner commented 2 years ago

First, thanks for the great tool and for making it available for open source repos. I run a small non-profit that does a lot of coding projects, and it makes a huge difference for us to have this running. I appreciate it a ton.

I thought I'd chime in with a funky interaction I often have with the bot, in case it's helpful. I might be weird, but I bet a lot of other people are doing this too:

  1. I get an email from y'all updating pre-commit.
  2. It looks a lot like the ones I get from dependabot.
  3. I reply to the email with an email that just says @dependabot merge
  4. Nothing happens, but I don't notice for a while.

It just made me think...would it be crazy if pre-commit responded to dependabot commands? It's certainly a hack, but it's one that I would find useful, and I think it's one that most people wouldn't even realize was weird. They'd just reply to the PR with @dependabot merge, like I do, it'd work, and they wouldn't think twice.

You could of course, at the same time, make it reply to @pre-commit merge commands, but I know for me I'd probably keep accidentally addressing it as @dependabot about half the time. (Sorry, I know it's rude not to call something/somebody by name, but I'm less courteous to bots than people!).

Here are all the commands that dependabot offers. Literally the only one I use is merge:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Anyway, just a thought from a user's perspective, and probably a big feature request, but maybe it's on your mind in some form already. Thank you again for the great tool.

asottile commented 2 years ago

auto-merge and merge have been proposed a few times (#48 is one example) and I'm just not comfortable giving the bot those types of powers -- it puts a lot of liability (and complexity) on the service -- and would require an even more powerful set of permissions to handle. it's also ~fairly easy to set up github actions which reply to whatever custom commands you want and action on them without me needing to carry that complexity -- for example you could do something like this:

```yaml
on:
  issue_comment:
    types: [created, edited]

# GITHUB_TOKEN needs these scopes for pulls.merge when the repository's
# default token permissions are read-only.
permissions:
  contents: write
  pull-requests: write

jobs:
  merge:
    # issue_comment also fires for plain issues; only PRs carry `pull_request`.
    # Checking author_association stops anyone who can leave a comment from
    # triggering the merge.
    if: |
      github.event.issue.pull_request &&
      contains(github.event.comment.body, '/do-merge') &&
      contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    steps:
      # untested
      - uses: actions/github-script@v6
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            // github.event.issue.pull_request is an object of URLs, not the PR
            // number; for a PR, the issue number is the pull number.
            await github.rest.pulls.merge({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.issue.number,
              merge_method: "merge",
            })
```
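The decision behind such a comment-triggered merge, as an added example that is not part of the thread and not pre-commit.ci's or the project's own code: it isolates the checks a workflow's `if:` and github-script step have to make (is this a PR, was the command actually given, is the commenter allowed, is the PR from the bot the command is meant for) into a plain function that runs offline against a constructed `issue_comment` payload. The `/do-merge` command, the allowed author associations, the bot login names and the sample payloads are assumptions chosen for illustration.

```javascript
// Added example, not code from the thread or from pre-commit.ci.
// The command string, allowed associations, bot logins and sample
// payloads below are assumptions for illustration.

const COMMAND = "/do-merge";
// author_association values that imply push access to the repository.
const ALLOWED_ASSOCIATIONS = new Set(["OWNER", "MEMBER", "COLLABORATOR"]);
// Only act on PRs opened by the bots whose updates the command is meant for.
const ALLOWED_PR_AUTHORS = new Set(["pre-commit-ci[bot]", "dependabot[bot]"]);

// True only when the command is a whole line of the comment, so quoting it
// inside a sentence ("please don't /do-merge this yet") does not count.
function commandRequested(body) {
  return String(body || "")
    .split(/\r?\n/)
    .some((line) => line.trim() === COMMAND);
}

// Returns { merge: false, reason } or { merge: true, pullNumber }.
function decideMerge(event) {
  const issue = event.issue;
  const comment = event.comment;
  if (!issue || !comment) return { merge: false, reason: "malformed event" };
  // issue_comment also fires for plain issues; only PRs carry a
  // pull_request object (URLs, not a number), so test for its presence.
  if (!issue.pull_request) return { merge: false, reason: "not a pull request" };
  if (!commandRequested(comment.body)) return { merge: false, reason: "no command" };
  // Without this check anyone able to comment could trigger the merge.
  if (!ALLOWED_ASSOCIATIONS.has(comment.author_association)) {
    return { merge: false, reason: "commenter is " + comment.author_association };
  }
  if (!issue.user || !ALLOWED_PR_AUTHORS.has(issue.user.login)) {
    return { merge: false, reason: "PR not opened by an allowed bot" };
  }
  // For a PR, the issue number is the pull number the merge call needs.
  return { merge: true, pullNumber: issue.number };
}

// Constructed sample payloads (not real GitHub data), trimmed to the
// fields the decision uses.
const prByBot = {
  number: 42,
  pull_request: { url: "https://api.github.com/repos/example/repo/pulls/42" },
  user: { login: "pre-commit-ci[bot]" },
};
const sampleEvents = {
  maintainer: { issue: prByBot, comment: { body: "/do-merge", author_association: "OWNER" } },
  driveBy: { issue: prByBot, comment: { body: "/do-merge", author_association: "NONE" } },
  quoted: { issue: prByBot, comment: { body: "don't /do-merge yet", author_association: "OWNER" } },
  plainIssue: {
    issue: { number: 7, user: { login: "pre-commit-ci[bot]" } },
    comment: { body: "/do-merge", author_association: "OWNER" },
  },
};

for (const [name, event] of Object.entries(sampleEvents)) {
  console.log(name, JSON.stringify(decideMerge(event)));
}
```

The whole-line match and the author_association check are the two pieces a quick `contains(github.event.comment.body, ...)` condition leaves out; the PR-author check is what keeps a general "merge on command" workflow scoped to bot-generated update PRs rather than every PR in the repository.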
mlissner commented 2 years ago

That's a fun trick, thanks. The security concerns make sense. FWIW, this proposal would only bring it in line with what dependabot allows, so maaaaybe the security isn't so bad, but I get your point.

I guess if you wanted to support something like this, there could be some sort of social score based on 50 people merging something, and then the rest could go automatic. Maybe as part of the paid offering or something? Each auto-merge costs 50¢, say? :)

It's just funny in the abstract to think that whenever there's an update to pre-commit or its dependencies, it's vetted by hundreds (?) or thousands (?) of people over and over? And to be honest, I don't vet the PR — I just mash the merge button in the UI, though I guess we've established that I'm lazy.

Tough problem though. I feel ya.

asottile commented 2 years ago

yeah to be clear:

and not much of that sounds fun lol -- and some of it is scary -- and I'd probably do better to invest in gitlab support or squeezing ~2 more seconds out of each run or spending more polish on the UI or (the rest of my TODO list)

mlissner commented 2 years ago

Yeah, that's a lot of nastiness. It's good to hear the reasons, thanks again.