This repository has been archived by the owner on Dec 12, 2020. It is now read-only.

Automerge for protected master branches #152

Closed
sidharthachatterjee opened this issue Jan 30, 2019 · 8 comments
@sidharthachatterjee

Which Renovate are you using? CLI, App, or Pro

App

Which platform are you using? GitHub, GitLab, Bitbucket Azure DevOps

GitHub

Have you checked the logs? Don't forget to include them if relevant

Not relevant

What is your question?

The documentation at https://renovatebot.com/docs/configuration-options/#automerge mentions

Warning: GitHub currently has a bug where automerge won't work if a GitHub Organization has protected their master branch, and there is no way to configure around this. Hence, automerging will try and fail in such situations. This doc will be updated once that bug/limitation is fixed by GitHub.

Do we have an update or ETA on this? Protecting the master branch is fairly standard and this seems like a major limitation. 😞 I understand that it's a GitHub issue and probably not in your control.

@rarkins
Collaborator

rarkins commented Jan 30, 2019

I need to update those docs to be more specific. Here's the fuller details:

  • Protected branches in general are OK and recommended, as you said
  • If you specify that PRs must be approved before merging, then the same rule applies to Renovate (enforced by GitHub). There is a companion app Renovate Approve you can install to work around this, otherwise Renovate will wait until a human approves and then automerge on the next time it tries
  • If you specify that only certain users or teams can merge to master, then this completely blocks any bot on GitHub from merging. This is a GitHub limitation and one we've been waiting 18 months for them to fix, so pretty much given up on them. They don't provide any way for you to add a "bot" to that permission list.

@rarkins
Collaborator

rarkins commented Jan 30, 2019

@sidharthachatterjee what type of branch protection do you have enabled?

@sidharthachatterjee
Author

sidharthachatterjee commented Jan 31, 2019

@rarkins
Collaborator

rarkins commented Jan 31, 2019

@sidharthachatterjee re your rules:

  • pull request reviews: this would mean no branch automerging, but would be compatible with the "renovate approve" bot addon
  • pull request reviews by code owners: this would mean you can't do automerge before a human (i.e. code owner) approves.
  • status checks: this is normal and no problem. we wouldn't automerge without passing status checks anyway
  • restrict who can push: this totally nukes any bot from being able to merge, even if all the above weren't a problem. GitHub haven't enhanced their backend and UI enough to let you nominate a bot with push privileges, and they've known about this limitation for a long time so don't seem interested in fixing it. I understand it's a technical objection not a philosophical one, i.e. "it's hard", not "it's a bad idea".

Unfortunately this means no automerge!

As background, the bot runs and gains its privileges as "renovate[bot]", which is a pseudo user. We also use "renovate-bot" which is a real user to perform signed commits, because bots signing commits is yet another GitHub bot shortcoming.

Out of curiosity, if we added the option for you to add @renovate-bot as someone allowed to push to master, would you use it? i.e. would the convenience advantage of letting the bot automerge be worth the "security risk" of adding a third party collaborator to the project?
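The four rules above map cleanly onto the fields GitHub's branch protection REST endpoint (GET /repos/{owner}/{repo}/branches/{branch}/protection) returns. As an added example, not code from Renovate or from this thread, this checker takes a protection object in that shape (a constructed sample is embedded) and reports which kind of Renovate automerge the rules still allow; the decision logic is exactly the early-2019 behaviour rarkins describes, so the "restrictions blocks bots entirely" rule is an assumption tied to that date.

```python
"""Assess Renovate automerge compatibility from GitHub branch protection rules.

Only the keys used here are modelled; the mapping of each rule to its
effect follows rarkins' comment in this thread (GitHub as of Jan 2019).
"""
from typing import Any, Dict, List


def assess_automerge(protection: Dict[str, Any]) -> Dict[str, Any]:
    findings: List[str] = []
    pr_automerge = True        # automerge via a pull request
    branch_automerge = True    # automerge by pushing the branch, no PR

    # Required status checks: harmless, Renovate waits for green checks anyway.
    if protection.get("required_status_checks"):
        findings.append("status checks: fine, Renovate automerges only after they pass")

    # Required PR reviews: a PR must exist so a human (or the Renovate Approve
    # companion app) can approve, which rules out branch automerge.
    reviews = protection.get("required_pull_request_reviews")
    if reviews:
        branch_automerge = False
        if reviews.get("require_code_owner_reviews"):
            findings.append("code owner reviews: automerge only after a code owner approves")
        else:
            findings.append("PR reviews: PR automerge waits for approval (or Renovate Approve)")

    # "Restrict who can push": per the thread, no bot can be nominated here,
    # so every form of automerge fails regardless of the other rules.
    if protection.get("restrictions"):
        pr_automerge = branch_automerge = False
        findings.append("restrict who can push: bots cannot merge at all")

    return {
        "pr_automerge_possible": pr_automerge,
        "branch_automerge_possible": branch_automerge,
        "findings": findings,
    }


# Constructed sample mirroring the rule set discussed above (not real data).
SAMPLE_PROTECTION: Dict[str, Any] = {
    "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
    "required_pull_request_reviews": {"require_code_owner_reviews": True},
    "restrictions": {"users": [{"login": "example-maintainer"}], "teams": []},
}

if __name__ == "__main__":
    for line in assess_automerge(SAMPLE_PROTECTION)["findings"]:
        print(line)
```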

@sidharthachatterjee
Author

sidharthachatterjee commented Jan 31, 2019

Thank you for your detailed review of our rules, @rarkins. We really appreciate this.

Out of curiosity, if we added the option for you to add @renovate-bot as someone allowed to push to master, would you use it? i.e. would the convenience advantage of letting the bot automerge be worth the "security risk" of adding a third party collaborator to the project?

We'd probably lean towards not adding a third party collaborator to merge. At least not to core. This would make sense for our lower risk packages like our official starters (which we're exclusively setting up Renovate on to test the waters with), but it's impossible to set granular user privileges for merge on a monorepo, so this wouldn't work either.

@rarkins
Collaborator

rarkins commented Jan 31, 2019

@sidharthachatterjee I understand your position. I hold the same opinion and that's why I haven't prioritised adding that capability yet, although ultimately it's whatever the end users want that drives things. I'll close this issue as I think we've reached the end of this topic; feel free to open more. Thanks for checking out Renovate for Gatsby!

@rarkins rarkins closed this as completed Jan 31, 2019
@sidharthachatterjee
Author

We now have Renovate running on Gatsby for official starters! Thank you for all your help, @rarkins

@rarkins
Collaborator

rarkins commented Jan 31, 2019

That’s awesome! You’re welcome
