Closed mlissner closed 2 years ago
auto-merge and merge has been proposed a few times (#48 is one example) and I'm just not comfortable giving the bot those types of powers -- it puts a lot of liability (and complexity) on the service -- and would require an even more powerful set of permissions to handle. it's also ~fairly easy to set up github actions which reply to whatever custom commands you want and action on them without me needing to carry that complexity -- for example you could do something like this:
```yaml
on:
  issue_comment:
    types: [created, edited]

# The token only needs to merge pull requests; scope it to that rather than
# inheriting whatever default the repository grants GITHUB_TOKEN.
permissions:
  contents: write
  pull-requests: write

jobs:
  merge:
    # issue_comment fires for plain issues and for PRs alike; only act when the
    # comment is on a PR and carries the command.
    if: |
      (
        github.event.issue.pull_request &&
        contains(github.event.comment.body, '/do-merge')
      )
    runs-on: ubuntu-latest
    steps:
      # untested
      - uses: actions/github-script@v6
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            // For issue_comment events on a PR, context.issue.number is the PR
            // number. github.event.issue.pull_request is an object of URLs, not
            // a number, so it must not be interpolated into this script.
            const repository = context.repo;
            await github.rest.pulls.merge({
              merge_method: "merge",
              owner: repository.owner,
              pull_number: context.issue.number,
              repo: repository.repo,
            })
```
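The sketch above would merge on a comment from anyone who can post one: `issue_comment` workflows run with the base repository's token whoever the commenter is, so the command itself is the only gate. As an added example (not code from this thread or from pre-commit.ci), here is the authorization check such a script needs before it calls `pulls.merge`. It assumes the shape of GitHub's `issue_comment` payload (`issue.pull_request`, `issue.number`, `comment.author_association`, `comment.body`) and the `github`/`context` objects that `actions/github-script` provides; the function names and the sample payloads are hypothetical and constructed for the example.

```javascript
// Only people GitHub reports as having a standing relationship with the
// repository may trigger a merge. NONE, FIRST_TIME_CONTRIBUTOR and CONTRIBUTOR
// are deliberately excluded: any GitHub account can comment on a public PR.
const ALLOWED_ASSOCIATIONS = new Set(["OWNER", "MEMBER", "COLLABORATOR"]);

// The command must be the whole content of a line, so "/do-merge" buried in a
// sentence does not count.
const COMMAND_RE = /^\/do-merge$/m;

// Drop fenced code and markdown quote lines ("> ...") so that quoting or
// pasting someone else's command does not count as issuing it.
function strippedBody(body) {
  const withoutFences = body.replace(/```[\s\S]*?```/g, "");
  return withoutFences
    .split("\n")
    .filter((line) => !line.trimStart().startsWith(">"))
    .map((line) => line.trim())
    .join("\n");
}

// Pure decision function over the event payload: { merge, reason, prNumber }.
function decideMerge(payload) {
  const issue = payload.issue || {};
  const comment = payload.comment || {};
  // Edited comments are not honoured: an edit would let an old, already
  // reviewed comment be turned into a command later.
  if (payload.action !== "created") {
    return { merge: false, reason: "only newly created comments are honoured" };
  }
  if (!issue.pull_request) {
    return { merge: false, reason: "comment is on an issue, not a pull request" };
  }
  if (issue.state !== "open") {
    return { merge: false, reason: "pull request is not open" };
  }
  if (!ALLOWED_ASSOCIATIONS.has(comment.author_association)) {
    return { merge: false, reason: `author_association ${comment.author_association} may not merge` };
  }
  if (!COMMAND_RE.test(strippedBody(comment.body || ""))) {
    return { merge: false, reason: "no /do-merge command on a line of its own" };
  }
  return { merge: true, reason: "ok", prNumber: issue.number };
}

// Glue for actions/github-script: `github` is its authenticated Octokit client
// and `context` its workflow context (context.payload is the event payload).
async function run(github, context) {
  const decision = decideMerge(context.payload);
  if (!decision.merge) {
    console.log(`not merging: ${decision.reason}`);
    return decision;
  }
  await github.rest.pulls.merge({
    owner: context.repo.owner,
    repo: context.repo.repo,
    pull_number: decision.prNumber,
    merge_method: "merge",
  });
  return decision;
}

// Constructed sample payloads (not real events) for an offline check.
const PR = { number: 123, state: "open", pull_request: { url: "https://example.invalid/pr/123" } };
const SAMPLE_OK = {
  action: "created",
  issue: PR,
  comment: { author_association: "OWNER", body: "Looks fine.\n/do-merge" },
};
const SAMPLE_DRIVEBY = {
  action: "created",
  issue: PR,
  comment: { author_association: "NONE", body: "/do-merge" },
};
const SAMPLE_QUOTED = {
  action: "created",
  issue: PR,
  comment: { author_association: "OWNER", body: "> /do-merge\nplease don't" },
};

for (const [name, payload] of [["ok", SAMPLE_OK], ["driveby", SAMPLE_DRIVEBY], ["quoted", SAMPLE_QUOTED]]) {
  console.log(name, decideMerge(payload));
}
```

In the workflow, the `script:` step would call `run(github, context)` and the `if:` condition could then be reduced to the `github.event.issue.pull_request` check, since the script re-validates the command. `author_association` comes from GitHub and reflects the commenter's relationship to the repository, not the PR author's, which is the property that matters here.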
That's a fun trick, thanks. The security concerns make sense. FWIW, this proposal would only bring it in line with what dependabot allows, so maaaaybe the security isn't so bad, but I get your point.
I guess if you wanted to support something like this, there could be some sort of social score based on 50 people merging something, and then the rest could go automatic. Maybe as part of the paid offering or something? Each auto-merge costs 50¢, say? :)
It's just funny in the abstract to think that whenever there's an update to pre-commit or its dependencies, it's vetted by hundreds (?) or thousands (?) of people over and over? And to be honest, I don't vet the PR — I just mash the merge button in the UI, though I guess we've established that I'm lazy.
Tough problem though. I feel ya.
yeah to be clear:
and not much of that sounds fun lol -- and some of it is scary -- and I'd probably do better to invest in gitlab support or squeezing ~2 more seconds out of each run or spending more polish on the UI or (the rest of my TODO list)
Yeah, that's a lot of nastiness. It's good to hear the reasons, thanks again.
First, thanks for the great tool and for making it available for open source repos. I run a small non-profit that does a lot of coding projects, and it makes a huge difference for us to have this running. I appreciate it a ton.
I thought I'd chime in with a funky interaction I often have with the bot, in case it's helpful. I might be weird, but I bet a lot of other people are doing this too:
@dependabot merge
It just made me think...would it be crazy if pre-commit responded to dependabot commands? It's certainly a hack, but it's one that I would find useful, and I think it's one that most people wouldn't even realize was weird. They'd just reply to the PR with `@dependabot merge`, like I do, it'd work, and they wouldn't think twice. You could of course, at the same time, make it reply to `@pre-commit merge` commands, but I know for me I'd probably keep accidentally addressing it as @dependabot about half the time. (Sorry, I know it's rude not to call something/somebody by name, but I'm less courteous to bots than people!)

Here are all the commands that dependabot offers. Literally the only one I use is `merge`:

Anyway, just a thought from a user's perspective, and probably a big feature request, but maybe it's on your mind in some form already. Thank you again for the great tool.