Currently Automerge checks are run only for PRs opened by a limited list of authorised bots. There are some users who host their code on services different from github.com and gitlab.com for whom using JuliaRegistrator or the JuliaHub services isn't an option; however, this means that:
- they need to manually open PRs to this repository (presumably they're using LocalRegistry.jl, which at least makes this process simpler)
- when they open the PR to General, Automerge doesn't run. While this is reasonable because Automerge is meant to be run only for PRs proposing new versions or new packages, arbitrary PRs shouldn't trigger automerge checks, this makes life for the registry maintainers harder.
I think we should be able to have a mechanism (comment-based? adding a label?) to let the repo maintainers trigger Automerge checks for PRs that they evaluate are safe candidates for Automerge checks. One challenge is that the result of the automerge check should be invalidated if the PR is later modified (e.g. by pushing a new commit), to prevent malicious action.
Safety isn't that hard for Automerge to assess itself. It could e.g. require that some key information is given in the PR body, then call RegistryTools itself to see if it gets the same file changes as in the PR.
Another question is whether the PR author should be allowed to make registrations for the package. That could e.g. be solved by having a file in the package repo listing approved users.
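The invalidation requirement raised in the issue (a check result must not survive a later push), as an added example that is not RegistryCI code: the maintainer's approval is bound to the exact commit they name, and is re-checked when Automerge decides. The `/automerge-check` command, the maintainer set and the handler names are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical names throughout: the command, the maintainer set and the
# event handlers are assumptions, not part of Automerge.
MAINTAINERS = {"registry-maintainer"}  # constructed account name
COMMAND = re.compile(r"/automerge-check ([0-9a-f]{40})")


@dataclass
class PullRequest:
    author: str
    head_sha: str
    approved_sha: Optional[str] = None
    approved_by: Optional[str] = None


def handle_comment(pr: PullRequest, commenter: str, body: str) -> bool:
    """Record a maintainer approval bound to one exact commit."""
    match = COMMAND.fullmatch(body.strip())
    if match is None or commenter not in MAINTAINERS:
        return False
    # The maintainer names the commit they reviewed. If the head moved
    # between review and comment, refuse instead of approving whatever
    # is now at the tip of the branch.
    if match.group(1) != pr.head_sha:
        return False
    pr.approved_sha, pr.approved_by = pr.head_sha, commenter
    return True


def handle_push(pr: PullRequest, new_sha: str) -> None:
    """A new commit or force-push replaces the head and drops the approval."""
    pr.head_sha = new_sha
    pr.approved_sha = pr.approved_by = None


def may_run_automerge(pr: PullRequest) -> bool:
    """Compare again at decision time rather than trusting earlier state."""
    return pr.approved_sha is not None and pr.approved_sha == pr.head_sha
```

Requiring the full SHA in the comment closes the gap between a maintainer reading the diff and their comment being processed.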