feat(platform/github): flag to control whether PRs can be edited by maintainers if forkTokenis set
#19771
Conversation
devversion
force-pushed
the
maintainer-modify
branch
from
6f03122 to
b477ca6
Compare
This commit ensures the GitHub platform logic respects the new `prallowMaintainerEdits` option. Whenever a PR is created, depending on the option value, the GitHub API post request will have the respective option `maintainer_can_modify` option set. This option was always enabled in fork mode before this commit, and without fork mode enabled, the option is a noop because maintainers have access to upstream branches regardless. Users may want to leverage the option and disable it to avoid issues with modifications in Renovate fork accounts, as described in: renovatebot#19771 Fixes renovatebot#19771.
devversion
changed the title
|
Thanks for the feedback. I've addressed it by introducing a new option. I will keep this a draft to iterate more on if this is what you expect. Would appreciate some early feedback. Thanks! One note: I wasn't sure if this option should be "Github"-specific and reside in |
There was a problem hiding this comment.
- This is only relevant to forkingRenovate. Right now it's configurable for both and the docs don't make it clear enough. Let's try to avoid confusing the 99% of users not affected by this
- Can this be made global config instead (i.e. controlled by the bot admin, not the repo admin)?
This commit ensures the GitHub platform logic respects the new `prallowMaintainerEdits` option. Whenever a PR is created, depending on the option value, the GitHub API post request will have the respective option `maintainer_can_modify` option set. This option was always enabled in fork mode before this commit, and without fork mode enabled, the option is a noop because maintainers have access to upstream branches regardless. Users may want to leverage the option and disable it to avoid issues with modifications in Renovate fork accounts, as described in: renovatebot#19771 Fixes renovatebot#19771.
devversion
force-pushed
the
maintainer-modify
branch
from
b477ca6 to
134c62f
Compare
devversion
requested review from
HonkingGoose,
rarkins and
viceice
and removed request for
HonkingGoose,
rarkins and
viceice
|
I've addressed all feedback (and appreciate anybody having another look. Thanks for all the comments) Github seems to just send it to one of the reviewers |
This commit ensures the GitHub platform logic respects the new `prallowMaintainerEdits` option. Whenever a PR is created, depending on the option value, the GitHub API post request will have the respective option `maintainer_can_modify` option set. This option was always enabled in fork mode before this commit, and without fork mode enabled, the option is a noop because maintainers have access to upstream branches regardless. Users may want to leverage the option and disable it to avoid issues with modifications in Renovate fork accounts, as described in: renovatebot#19771 Fixes renovatebot#19771.
devversion
force-pushed
the
maintainer-modify
branch
from
134c62f to
3b753d3
Compare
…oken` is set This commit ensures the GitHub platform logic respects the new `prallowMaintainerEdits` option when `forkToken` is set and Renovate operates in a fork. Whenever a PR is created with `forkToken` being set, depending on the option value, the GitHub API post request will have the respective option `maintainer_can_modify` option set. This option was always enabled in fork mode before this commit, and without fork mode enabled, the option is a noop because maintainers have access to upstream branches regardless. Users may want to leverage the option and disable it to avoid issues with modifications in Renovate fork accounts, as described in: renovatebot#19771 Fixes renovatebot#19771.
devversion
force-pushed
the
maintainer-modify
branch
from
3b753d3 to
1e6a4ae
Compare
…rkToken`is set Platforms like GitHub expose options to control whether a PR can be modified by maintainers. See e.g. https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork This commit introduces a way to control this in Renovate when Renovate operates in a fork. The option will default to `true` for backwards compatibility. Users may use this option to workaround issues as outlined in: renovatebot#16657.
…oken` is set This commit ensures the GitHub platform logic respects the new `prallowMaintainerEdits` option when `forkToken` is set and Renovate operates in a fork. Whenever a PR is created with `forkToken` being set, depending on the option value, the GitHub API post request will have the respective option `maintainer_can_modify` option set. This option was always enabled in fork mode before this commit, and without fork mode enabled, the option is a noop because maintainers have access to upstream branches regardless. Users may want to leverage the option and disable it to avoid issues with modifications in Renovate fork accounts, as described in: renovatebot#19771 Fixes renovatebot#19771.
devversion
force-pushed
the
maintainer-modify
branch
from
1e6a4ae to
d97e5b8
Compare
|
I've incorporated all the docs suggestions and switched back to a repo config setting. A global option would simplify this a bit, but would make it impossible to use this option when e.g. the forking renovate GitHub app is used. Sorry. I've also force-pushed to clean-up the commits which made it more difficult to review- a full review is easier in this situation anyway (and very likely needed anyway) |
|
I'm good restricting the option name also to |
|
FYI: I will wait with any docs changes until we have settled on runtime code, naming, or if this should be a global only flag etc. |
devversion
requested review from
HonkingGoose
and removed request for
rarkins
viceice
changed the title
forkTokenis setforkTokenis set
|
Yeah, if the maintainers think they prefer
|
|
i think disallow is the right thing 🤷♂️ |
Good point, let's stick with |
|
🎉 This PR is included in version 34.151.0 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
Changes
A new option called
forkModeAllowMaintainerEditsis introduced. This option is only relevant if Renovate is used withforkToken.true, keeping backwards compatibiltygithub.The option decides whether maintainer edits are allowed to edit pull requests.
Context
If a maintainer pushes changes to a fork renovate PR, the branch will never be deleted by Renovate because there are changes not corresponding to the Git account configured in Renovate.
This prevents future updates as Renovate basically locks down the branch and marks it as
pr-edited, preventing it from being overridden or cleaned-up as part of the scheduled branch deletion.We can fix this by encouraging that maintainers cherry-pick the commit and make changes in a separate PR. Users of the experimental fork mode option can do this by setting
prAllowMaintainerEdits = false. It is not possible for maintainers to trivially delete the branch of the e.g. fork robot account because they would need to log into that and not every team member would e.g. necessarily have access to the robot account.Documentation (please check one with an [x])
How I've tested my work (please select one)
I have verified these changes via: