Bot to pull changes from upstream #558
Conversation
|
I didn't expect to run into this many hurdles just setting up a simple github PR bot... @Bidon15 have you encountered any of this before? am I missing something simple? |
|
Hey @evan-forbes, I haven't encountered to such behaviours, yet. It's really weird though. |
I finally figured it out last night, it was just a permissions issue. The bot needs permission to edit workflows, along with reading and writing to the repo. Otherwise, if there are commits that change the |
idk, that's a good question. I'll look into it. I guess that's where we'd have to review them before we merge the PR. |
The issue is that if workflows run during the PR, then upstream can maliciously modify a workflow to e.g. exfiltrate CI keys. So either we make sure there are none of those (maybe not possible?), or stop CI from running on PRs the bot makes. |
|
That sounds terrible. Perhaps we should just have a bot open an issue to remind us, and then we can run a script and handle all conflicts by hand (something we'll have to do anyway)? If it's only once a week, I don't think that would be too much work. |
|
I'm not sure which way's the best to handle this. Any opinions @liamsi? |
|
after thinking about it a bit more, I think we should just auto open an issue to make sure we don't forget, and then manually merge. Most of the time, there will be at least one conflict, which will force us to pull the branch and fix the them by hand anyway. still curious to hear what others think. In the mean time, I'll switch this to a draft. |
If our point of concern is CI keys(secrets) being exposed by such malicious behaviour, then I propose we have a look 👁️ on Hashicorp's Vault TL;DR for Vault - dynamic secrets and we can audit and revoke if we see malicious behaviour or the key has been leaked in some way or another 🗝️ 🧐 They have even released a GH Action for Vault. 😮 wdyt? |
|
I'll close this for now, unless we decide otherwise. With each update, there was almost always a conflict that had to be handled manually, so there's no real point in having a bot imho |
* crypto/merkle: Add error handling (#558) * porting pr * Disallow nil root hashes * linting * making computeRootHash private * Update release notes. * Update .changelog/unreleased/breaking-changes/558-tm10011.md Co-authored-by: Thane Thomson <connect@thanethomson.com> * Wrapping the private function into a public one with the old signature. * update comment * remove dependency on amino * Update .changelog/unreleased/breaking-changes/558-tm10011.md Co-authored-by: Thane Thomson <connect@thanethomson.com> --------- Co-authored-by: Thane Thomson <connect@thanethomson.com> (cherry picked from commit d067b740ec543718ba36865375acdfbb7d1116cd) # Conflicts: # crypto/merkle/proof.go # crypto/merkle/proof_test.go * fix conflicts --------- Co-authored-by: Lasaro <lasaro@informal.systems>
Description
This PR introduced a workflow that pulls changes from upstream and the v0.34.x release branch twice a week.
This PR is blocked by having a github repository secret that is named PULL_UPSTREAM that has permissions for repo read and write, along with access to workflows.
we can see a working version on this fork
Closes: #528
Note: sometimes it fails when there are too many conflicts, but we have to handle conflicts by hand anyway.