Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Auto-merge is stuck #52

Closed
lucacome opened this issue Jul 6, 2021 · 12 comments
Closed

Auto-merge is stuck #52

lucacome opened this issue Jul 6, 2021 · 12 comments
Labels
bug Something isn't working

Comments

@lucacome
Copy link

lucacome commented Jul 6, 2021

I'm using this action to enable auto-merge for Dependabot. Everything seemed to work fine, but the PR is not being merged. I'm not sure how to debug this and probably it doesn't have anything to do with the action but I don't know where else to report it 😬

image

It's been attempting to auto-merge for more than 24 hours now.

This is the PR nginxinc/nginx-asg-sync#108
and this the action https://github.com/nginxinc/nginx-asg-sync/blob/master/.github/workflows/dependabot-auto-merge.yml

Does anybody know how to fix this?

Thanks.
@lucacome lucacome added the bug Something isn't working label Jul 6, 2021
@lucacome lucacome mentioned this issue Jul 8, 2021
Closed
@asciimike
Copy link
Contributor

Odd, it seems like something is wonky with the PR automerge feature. I can reach out to that team and see if they have any thoughts!

@lucacome
Copy link
Author

Thank you so much @asciimike . Yes, that would be great any additional insight you can get I'd appreciate.

@lucacome
Copy link
Author

lucacome commented Jul 14, 2021
edited
Loading

@asciimike it seems like Dependabot can't merge to a protected branch, I tried removing the protection and it started merging the PRs. Is there something I can do about this? When I try to add Dependabot to the list of apps allowed to push to master, it doesn't show up.

Separately the PRs merged by Dependabot are not being closed nginxinc/nginx-asg-sync#108 is this the expected behavior?

@asciimike
Copy link
Contributor

Is there something I can do about this? When I try to add Dependabot to the list of apps allowed to push to master, it doesn't show up.

This just came up in the context of codeowners, so I'll see if I can work with that team to see what we can do about allowing Dependabot to push to restricted branches

Separately the PRs merged by Dependabot are not being closed nginxinc/nginx-asg-sync#108 is this the expected behavior?

Unfortunately this is a known issue with the UI displaying the right state :(

I've been chatting with the team on how to prioritize getting that fixed.

@JacobEvelyn
Copy link

For what it's worth I reached out to GitHub Support about this issue about a month ago. Here's what they said:

The default authentication tokens used by GitHub Actions belongs to user github-actions[bot]. It seems that you've enabled the "Restrict who can push to matching branches" rule. The default GitHub Actions actor does not have the permission to push (merge or commit) to the protected branch.

You may need to make a few changes in your Actions workflow file. First, you will need to create a personal access token (PAT) for user with either admin permissions or a user with write access who's been granted push permission to the protected branch of the repository (Step 12 in this help doc article):

https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token

You can change this default value by setting the environmental variable GITHUB_TOKEN to the access token that you created in the previous step.

You'll need to create a repository secret giving it a name e.g "GITHUB_TOKEN" with the actual token as its value. See here how to create secrets and use them in a GitHub Actions workflow file:

https://docs.github.com/en/actions/reference/encrypted-secrets

Though I would have rather granted github-actions[bot] write access to our repo, they said that was not possible. I followed their advice instead and it's been working for us, though I'd love a simpler solution.

@asciimike
Copy link
Contributor

Though I would have rather granted github-actions[bot] write access to our repo, they said that was not possible.

Agreed, the PAT solution is pretty ugly :(

@asciimike
Copy link
Contributor

As a side note, I re-discovered dependabot/feedback#86, and am talking to the folks who own branch protection rules about how we can get Dependabot added.

@lucacome
Copy link
Author

lucacome commented Aug 9, 2021

@asciimike any updates on this?

@asciimike
Copy link
Contributor

At this point it looks like the problem is more of "we should show an error rather than hang forever", as I think adding Dependabot as a trusted actor is going to be a bit more work.

@lucacome
Copy link
Author

dependabot/dependabot-core#2480

@brrygrdn
Copy link
Contributor

👋🏻 @lucacome I'm going to close this out as we are tracking this in core since it is a problem with the service vs protected branches.

Unfortunately I don't have anything to share on this right now.

@lucacome
Copy link
Author

Thanks for the update @brrygrdn !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@lucacome @brrygrdn @JacobEvelyn @asciimike