Auto-merge is stuck about fetch-metadata HOT 12 CLOSED

As a side note, I re-discovered dependabot/feedback#86, and am talking to the folks who own branch protection rules about how we can get Dependabot added.

from fetch-metadata.

Odd, it seems like something is wonky with the PR automerge feature. I can reach out to that team and see if they have any thoughts!

from fetch-metadata.

Is there something I can do about this? When I try to add Dependabot to the list of apps allowed to push to master, it doesn't show up.

This just came up in the context of codeowners, so I'll see if I can work with that team to see what we can do about allowing Dependabot to push to restricted branches

Separately the PRs merged by Dependabot are not being closed nginxinc/nginx-asg-sync#108 is this the expected behavior?

Unfortunately this is a known issue with the UI displaying the right state :(

I've been chatting with the team on how to prioritize getting that fixed.

from fetch-metadata.

At this point it looks like the problem is more of "we should show an error rather than hang forever", as I think adding Dependabot as a trusted actor is going to be a bit more work.

from fetch-metadata.

dependabot/dependabot-core#2480

from fetch-metadata.

👋🏻 @lucacome I'm going to close this out as we are tracking this in core since it is a problem with the service vs protected branches.

Unfortunately I don't have anything to share on this right now.

from fetch-metadata.

Thank you so much @asciimike . Yes, that would be great any additional insight you can get I'd appreciate.

from fetch-metadata.

@asciimike it seems like Dependabot can't merge to a protected branch, I tried removing the protection and it started merging the PRs. Is there something I can do about this? When I try to add Dependabot to the list of apps allowed to push to master, it doesn't show up.

Separately the PRs merged by Dependabot are not being closed nginxinc/nginx-asg-sync#108 is this the expected behavior?

from fetch-metadata.

For what it's worth I reached out to GitHub Support about this issue about a month ago. Here's what they said:

The default authentication tokens used by GitHub Actions belongs to user github-actions[bot]. It seems that you've enabled the "Restrict who can push to matching branches" rule. The default GitHub Actions actor does not have the permission to push (merge or commit) to the protected branch.

You may need to make a few changes in your Actions workflow file. First, you will need to create a personal access token (PAT) for user with either admin permissions or a user with write access who's been granted push permission to the protected branch of the repository (Step 12 in this help doc article):

https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token

You can change this default value by setting the environmental variable GITHUB_TOKEN to the access token that you created in the previous step.

You'll need to create a repository secret giving it a name e.g "GITHUB_TOKEN" with the actual token as its value. See here how to create secrets and use them in a GitHub Actions workflow file:

https://docs.github.com/en/actions/reference/encrypted-secrets

Though I would have rather granted github-actions[bot] write access to our repo, they said that was not possible. I followed their advice instead and it's been working for us, though I'd love a simpler solution.

from fetch-metadata.

Though I would have rather granted github-actions[bot] write access to our repo, they said that was not possible.

Agreed, the PAT solution is pretty ugly :(

from fetch-metadata.

@asciimike any updates on this?

from fetch-metadata.

Thanks for the update @brrygrdn !

from fetch-metadata.