Hi,

this seems to be a safety feature and is also enabled in general for GitHub. I found no options in asf.yaml to enable/disable it:

https://cwiki.apache.org/confluence/display/INFRA/Git+-+.asf.yaml+features#Git.asf.yamlfeatures-GitHubsettings

You can only add some users to a whitelist of "collaborators" through asf.yaml. Nevertheless, I see no problem with pressing the button. When I quickly review a PR, I generally press the button. For safety reasons this is required in most projects I was contributing to, too (not only ASF). What's the problem in pressing the button? Of course you take responsibility when the crypto miner starts, but if there is a huuuuuge PR by an external contributor, I would first ask if they could split it into smaller pieces. At some point we have to review it, and most external people creating huge PRs did bad stuff like pressing the format button in their IDE.

I think running "./gradlew precommit" is a must for new contributors. The online checks on GitHub are more for me as reviewer/committer, to make sure all is fine before I press the merge button (for many PRs I don't even check out the code after review). So it is fine to not trigger it by end-users.

-1 to ask INFRA to enable this.

Uwe

On 16.10.2023 at 15:57, Michael McCandless wrote:
When a non-committer (I think?) opens a PR, one of the committers must notice it and click Approve & Run so the contributor can find out if something broke in our automated tests/precommit/linting.

This seems like a waste, and a friction in the worst possible place for our community: new contributor onboarding experience.

I think we have it to prevent e.g. a crypto mining bot of a PR sneaking in and taking tons of resources to mine dogecoin or so?

But 1) that doesn't seem to be happening so far, 2) when I hit "Approve & Run" I never look closely to see if there is in fact a hidden crypto miner in there, and 3) can't we just put some reasonable timeout on the GitHub actions to block such abuse?

Is this some sort of requirement by GitHub, or did we choose to turn on this silly step?

Mike McCandless

http://blog.mikemccandless.com

--
Uwe Schindler
Achterdiek 19, D-28357 Bremen
https://www.thetaphi.de
eMail:u...@thetaphi.de
