aarnott / pr-autocomplete-app Goto Github PK

A GitHub App that adds auto-complete functionality to pull requests similar to that found in Azure Repos.

License: MIT License

TypeScript 99.20% JavaScript 0.80%

pr-autocomplete-app's Introduction

Add auto-complete functionality to your GitHub pull requests

Installation

This auto-complete functionality can be installed to your entire GitHub account, a GitHub org, or a subset of repositories that you have push permission to.

Please read our privacy policy and our terms of use before getting started. We wrote them ourselves, so they are short and easy reading. :)

Install the Github App and designate which account(s) and/or repo(s) should get the functionality.

At installation, a few labels will be created in each repository so you can conveniently add them to your pull requests. These labels are described below. You may delete (and even later recreate) these labels as desired to suit the policies you follow regarding the completion of pull requests.

Usage

Pull requests may be auto-completed with a few merge methods. Each method has an associated label that you can use to schedule auto-completion with that method.

Label	Pull request completion method
`auto-merge`	merge
`auto-squash`	squash
`auto-rebase`	rebase

A pull request will be automatically completed when all these conditions are met:

Exactly one of these labels is applied to a pull request.
No merge conflicts exist.
All PR checks have passed.
No code reviews that have requested changes remain.
All branch protection policies (if any) are satisfied.

Head branch deletion

This GitHub app does not explicitly delete the source branch of the pull request after completing it. If deleting the source branch after pull request completion is something you want, you can configure GitHub to do this for all pull requests (regardless of whether they were auto-completed) in the repository Settings page.

Security considerations

After applying one of the auto-complete labels, if the pull request's source branch is updated by someone who lacks write permissions to the repo (e.g. a 3rd party sent the PR from a fork of your repo) the auto-complete label will be automatically removed. This protects your repo against unreviewed changes being merged into the repo between completion of a review and completion of the pull request. After the untrusted update and the label's removal, simply review the latest version of the PR and (if desired) reapply the auto-completion label.

pr-autocomplete-app's People

Contributors

Stargazers

Watchers

pr-autocomplete-app's Issues

Block auto-complete on condition that _all_ checks have passed

When an auto-completing label is applied to a new PR before GitHub has added the Checks to it, the labeled notification our webhook gets indicates that mergeable_state="clean", so we may immediately merge the PR rather than waiting for Checks to be added and then complete.

This PR auto-merge'd before checks were complete: #26

Add automated tests for scenarios that require mocking up Octokit

Linked issues are not closed when PRs auto-complete

Guard against race condition of PR being pushed to between notification and merge instruction

We should specify the sha parameter when merging the pull request so that the merge will not happen if the PR head branch was pushed to more recently than the notification we're responding to.

Make repo public

Prerequisites to making repo public:

Add and maintain a comment on the PR describing auto-complete status

Similar to Azure Repos, we can add a PR comment once an auto-complete label is applied to a PR indicating what conditions (if any) prevent merging immediately. We can edit that same comment as conditions change so the status is always current.

Do not create auto-* labels where repo policies forbid that merge method

For example, in a repo where squash is forbidden, do not create the auto-squash label when installing the app to the repo.

Secret management

Shift to obtaining secrets from Key Vault instead of app service configuration. This will allow devs to obtain secrets on their dev boxes from Key Vault as well.
Recycle existing secrets (the webhook secret and the private key).

Keep in mind that we probably should move to GitHub App manifests soon and as such, at app creation time we should be able to store the webhook secret and private key assigned us from GitHub.

Stabilize deployment

Set up staging slot
Create staging GitHub App that refers to staging slot
Get CI/CD set up

Set up alerts for service failures

We should be notified when the service becomes unresponsive or responds with non-200 errors.

HTTP 500 is returned when branch protections block merge

On a PR targeting a branch that requires 1 approval, where the PR has already reached mergeable_state="clean", adding the auto-merge label led to a 500 error because we tried to merge the PR and it threw an error:

RequestError [HttpError]: At least 1 approving review is required by reviewers with write access.
    at /home/site/wwwroot/node_modules/@octokit/request/dist-node/index.js:66:23
    at processTicksAndRejections (internal/process/task_queues.js:97:5) {
  status: 405,
  headers: {
    'access-control-allow-origin': '*',
    'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, Deprecation, Sunset',
    connection: 'close',
    'content-length': '165',
    'content-security-policy': "default-src 'none'",
    'content-type': 'application/json; charset=utf-8',
    date: 'Mon, 10 Aug 2020 13:27:49 GMT',
    'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
    server: 'GitHub.com',
    status: '405 Method Not Allowed',
    'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
    vary: 'Accept-Encoding, Accept, X-Requested-With',
    'x-content-type-options': 'nosniff',
    'x-frame-options': 'deny',
    'x-github-media-type': 'github.v3; format=json',
    'x-github-request-id': 'C9C3:0A41:3DC8B63:692E58B:5F314B54',
    'x-ratelimit-limit': '15000',
    'x-ratelimit-remaining': '14998',
    'x-ratelimit-reset': '1597069668',
    'x-xss-protection': '1; mode=block'
  },
  request: {
    method: 'PUT',
    url: 'https://api.github.com/repos/microsoft/vs-streamjsonrpc/pulls/516/merge',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'octokit-rest.js/18.0.3 octokit-core.js/3.1.1 Node.js/12.18.0 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: '{"merge_method":"merge"}',
    request: { hook: [Function: bound bound register] }
  },
  documentation_url: 'https://docs.github.com/articles/about-protected-branches'
}

We should either detect that the merge would not be successful and avoid trying, or we should catch the error and still return 200 to the GitHub event that called us.

Add supported labels to repos that are installations

When the app is installed to a repo, it should automatically define the supported labels within the repo.

https://docs.github.com/en/developers/apps/using-the-github-api-in-your-app#step-3-create-a-new-label

Completing PR did not delete HEAD branch automatically

In this PR the head branch was not deleted when the PR was completed, even though the repo settings indicated it should be. Is this setting ignored when a bot completes a PR? If so, we should have our bot manually honor it by deleting the head branch.