Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GitHub branch protection: Automerge cannot work when allowed users or teams who can push to master has been enabled #846

Closed
rarkins opened this issue Sep 28, 2017 · 29 comments
Labels
platform:github GitHub Platform priority-3-medium Default priority, "should be done" but isn't prioritised ahead of others

Comments

@rarkins
Copy link
Collaborator

rarkins commented Sep 28, 2017

Organizations that have added branch protections are unable to utilise Renovate's automerge feature, because GitHub is (incorrectly) blocking the renovate app account from pushing to master, including via Pull Request. The GitHub UI does not provide a way for org admins to add apps/bots as "users" with permissions, meanwhile GitHub's API ignores that the app has already been granted full "write" permissions.

Waiting for an update from GitHub here: https://platform.github.community/t/repositories-which-have-protected-branches-with-push-restrictions-have-no-ability-to-grant-push-rights-to-integrations/1376/11

@rarkins rarkins added blocked type:bug Bug fix of existing functionality priority-2-high Bugs impacting wide number of users or very important features labels Sep 28, 2017
@tunnckoCore
Copy link

yep, I was thinking about that. current workaround, for example if some is using pullapprove, to add the bot as allowed contributor.

@rarkins
Copy link
Collaborator Author

rarkins commented Oct 6, 2017

yeah, the work around would be to stop using GitHub's direct controls on who can commit and instead use a third party status check like that. Hopefully they fix soon though!

@rarkins
Copy link
Collaborator Author

rarkins commented Dec 11, 2017

I updated Renovate's detection of GitHub branch protections yesterday, it now accurate determines if any of these settings are enabled and blocking automerge:

  • Branch protection: PR Reviews are required before merging
  • Branch protection: Pushing to branch is restricted

The second one is what the topic of this issue is about. This is where an organization has configured allowed users or teams who can push to master. Because the Renovate App is not a "real" user, GitHub don't currently provide a way to add it to the allowed users list, or to any team.

The ultimate solution is for GitHub to update the UI and backend so allow you to specify Apps in that field and not just users and teams. But they've known about this for nearly a year and still not fixed it, which is not a good sign.

I am considering an option for the app which would allow organisations to add the "real" GitHub user @renovate-bot with master push rights in case you want to have (a) branch push protections, and (b) Renovate still able to do its job. That way the app would use its app permissions for everything else like it does today, but fall back to using @renovate-bot's permissions whenever it needs to merge.

@rarkins rarkins added priority-3-medium Default priority, "should be done" but isn't prioritised ahead of others priority-2-high Bugs impacting wide number of users or very important features and removed type:bug Bug fix of existing functionality priority-2-high Bugs impacting wide number of users or very important features priority-3-medium Default priority, "should be done" but isn't prioritised ahead of others labels Dec 11, 2017
@rarkins rarkins changed the title Automerge not working for organizations with branch protection Automerge not working for GitHub organizations with branch protection (Pushing to branch is restricted) Dec 19, 2017
@rarkins rarkins added priority-3-medium Default priority, "should be done" but isn't prioritised ahead of others and removed priority-2-high Bugs impacting wide number of users or very important features labels Apr 26, 2018
@stevenzeck
Copy link

stevenzeck commented Jul 10, 2018

Is this an issue where the branch is simply a "protected branch"? Or that and when reviews are required and/or "Restrict who can push to this branch" is checked?

@rarkins
Copy link
Collaborator Author

rarkins commented Jul 10, 2018

There are a few ways you can protect a branch and each has a different effect. When you limit who can merge to master then that’s a showstopper for Renovate and any other app because GitHub provide no way for you to add a “bot” to that list. The rest (eg required status checks, review approvals, etc) are not showstoppers but may hold up automerge until they pass.

@stevenzeck
Copy link

So if "Require status checks to pass before merging" is the only one checked, once all statuses pass it should automerge? Are there logs that show why auto merge may not be working?

@rarkins
Copy link
Collaborator Author

rarkins commented Jul 10, 2018 via email

@stevenzeck
Copy link

Thanks @rarkins!

@jfairley
Copy link
Contributor

To confirm, we use renovate with private repos with protected branches. Specifically, our branches require reviews and all status checks to pass. As @rarkins stated, automerge only happens after these checks pass and on the next renovate check-in, but it does work. I'll approve PRs during the day, and they'll merge themselves during the night. 👍

@k2snowman69
Copy link
Contributor

k2snowman69 commented Oct 7, 2018

I am considering an option for the app which would allow organisations to add the "real" GitHub user @renovate-bot with master push rights

Just curious if this work happened or not so that renovate-bot, if provided write access to a branch, would actually write to it. If so, I'm assuming the procedure in get this enabled if so would be either

  1. Go into any single repo
  2. Go into the branch protection settings and enable Restrict who can push to matching branches
  3. Go into Collaborators & teams and add @renovate-bot as an Admin (would write level permission work here as well)?

Or if in a organization setup

  1. Go to the organization
  2. Add @renovate-bot with admin access

@rarkins
Copy link
Collaborator Author

rarkins commented Oct 8, 2018

@k2snowman69 I have not added this logic yet because I was really hoping GitHub would fix this feature to allow bots to also merge.

FYI, @renovate[bot] is a pseudo-account that the app normally runs as. @renovate-bot is a "real" user account that I registered separately.

@rarkins rarkins changed the title Automerge not working for GitHub organizations with branch protection (Pushing to branch is restricted) GitHub branch protection: Automerge cannot work for when allowed users or teams who can push to master has been enabled Oct 8, 2018
@rarkins rarkins changed the title GitHub branch protection: Automerge cannot work for when allowed users or teams who can push to master has been enabled GitHub branch protection: Automerge cannot work when allowed users or teams who can push to master has been enabled Oct 8, 2018
@runk
Copy link

runk commented Oct 24, 2018

Hey @rarkins, have you heard more from Github re treating bots like normal users, so we can resolve that issue with automerge and protected banches?

.. thinking if there's any third-party solution around that would pull repos + prs, and automerge based on some rules. If not, I might have to craft one while GH is fixing the thing.

@rarkins
Copy link
Collaborator Author

rarkins commented Oct 25, 2018

@runk unfortunately not. For some reason they seem to have put it in the “too hard” basket and with no communication updates (the latter is typical of GitHub though, they tend not to forecast product updates big or small).

I think the only solutions are:

  • some self-hosted bot for merging using a real user account
  • enhance Renovate to accept an encrypted user token (like we do with npm tokens) that is used only for the automerge step

Renovate already has compatibility with https://github.com/bors-ng/bors-ng if you’re interested in the first option. In that case Renovate would add a special merge comment/command instead of actually automerging. The bors bot - running as a real user - would then do the actual merging to master.

@piotr-s-brainhub

This comment has been minimized.

@rarkins

This comment has been minimized.

@felixfbecker
Copy link

Could Renovate approve the PR through the API? We recently enabled this and I immediately felt the pain that automerge doesn't work anymore :/

@felixfbecker
Copy link

@tunnckoCore do you know a free alternative to pullapprove?

@rarkins
Copy link
Collaborator Author

rarkins commented May 2, 2019

@felixfbecker on GitHub, neither a user nor app can approves its own PRs to get around the limitation, but I do also run Renovate Approve and it might do what you want?

@rarkins
Copy link
Collaborator Author

rarkins commented May 2, 2019

FYI it will only approve PRs that are created by Renovate and which have automerge enabled.

@felixfbecker
Copy link

awesome, exactly what I need.

@tunnckoCore
Copy link

Sweeeet, that new bot sounds fantastic.

@feelepxyz
Copy link

👋 If you have push restrictions enabled on your protected branch you can now allow installed apps to push from the branch protection settings page:

Screenshot 2019-09-06 at 12 57 23

https://developer.github.com/changes/2019-09-05-apps-protected-branches-api/

@rarkins
Copy link
Collaborator Author

rarkins commented Sep 6, 2019

@feelepxyz that's great news - extra nice of you to even take a custom screenshot 😆

After ~2 years, this issue can now be closed!

@rarkins rarkins closed this as completed Sep 6, 2019
@feelepxyz
Copy link

@rarkins yeah it's been a long time coming! 🙌😁

@robertying
Copy link

I include Renovate app in the settings shown above but still the automerge could not work.

I enabled required reviews (which renovate-approve already handles pretty good) and required status check (it passed). So I don't really know where it could go wrong.

@feelepxyz can yours work after this configuration? Could you please share your other branch settings to help me identify the issue? Thanks!

@feelepxyz
Copy link

@robertying ah it's probably going to be that the merge is attempted before the approval happens which will block the merge even if the app is added to the list of allowed users (setting both push restrictions and required reviewers will cause this issue).

Not sure if it's possible but I think there needs to be a second merge attempt from the renovate-approve bot.

@robertying
Copy link

@feelepxyz I checked the logs from renovate dashboard and there was an attempt after the pull request approval.

I guess I'll have to open another issue to better address my problem. Thanks for responding!

@feelepxyz
Copy link

@robertying do you see the error from the GitHub API in the logs? Also, try disabling Require status checks to pass before merging and see if that works. Would be helpful to narrow down where it's failing.

@tunnckoCore
Copy link

Hmmm. Why I don't see that option in the settings of a repository? 🤔

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 16, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
platform:github GitHub Platform priority-3-medium Default priority, "should be done" but isn't prioritised ahead of others
Projects
None yet
Development

No branches or pull requests

10 participants