Auto merge: do not consider skipped checks as failed #1823
Comments
|
Yeah it's really annoying to merge to manually merge PR one by one, the automatic merge was a time saver. |
|
This has made merging in a lot of dependabot PRs super painful for us |
|
Just so both end up linked. I believe this is the same behavior described in |
|
We're currently working on a github native version of dependabot, which is in beta, and we have decided to drop automerging support there entirely. The reasoning is that we feel there's some security risk associated with automatically merging pull requests without having a human review them, and if you do want this behavior there are GitHub Actions out there that will let you implement automerging rules for more than just Dependabot PR's. |
|
When there are skipped checks the |
@jurre do you feel it's Github's place to be deciding this or would it perhaps be more appropriate for each user to decide what's best for themselves? |
@jurre Even if you consider auto-merge to be a security risk, |
You're right, we have an issue to track this here: dependabot/feedback#948. It's on our radar, but it might be a while before we can get to it. |
|
@jurre is there something I can do to help get this sorted? Just need to be pointed in the right direction and I can submit a PR. Any idea where the offending code is? Any immediate thoughts on how to tackle this? |
|
I appreciate the offer to help @janhartigan, unfortunately the code that powers this feature is not part of |
Thanks for letting your users and customers who relied on this know so everyone can decide whether to move elsewhere.
In this issue like in many others, GitHub Actions is the problem not the solution - definitely not something to rely on in its current state. |
|
Hi 👋! Alex from the Dependabot team here. Thanks @AbhyudayaSharma @janhartigan @tuukka @mbrevda @killgt @tsimbalar @mforman1 for your feedback on the removal of auto-merge in GitHub-native Dependabot. We understand the frustration. Whether to support auto-merge was the subject of many debates internally, and I’d like to provide some context for why we made the decision. You may be familiar with the event-stream attack in late 2018, where an attacker took over a popular library (event-stream) and added a new dependency. That dependency had obfuscated malicious code that attempted to steal bitcoin from users with a certain bitcoin wallet installed. That code went undetected for 2.5 months. Before it was removed by npm, the malicious package was downloaded nearly 8 million times. Pre-acquisition Dependabot averaged about 34 thousand repositories that merged a PR in any given month. By comparison, GitHub saw 44 million+ repositories created in 2019. With Dependabot natively available on GitHub, if even a small fraction of those repositories were to enable Dependabot and auto-merge, we could easily become an unwitting and rapid spreader of supply chain attacks like event-stream. We are investigating longer-term solutions that would allow us to bring back auto-merge, like the abilities to add more trust into ecosystems like npm, highlight unexpected new dependencies like the malicious dependency added to event-stream, and provide stronger traceability between a package’s sources, its build, and the package registry. But until we can provide sufficient validation of the security and authenticity of vulnerable dependencies, we don’t anticipate bringing back an auto-merge feature to GitHub-native Dependabot. Separately from auto-merge, others in this thread have raised valid bugs about As always, I appreciate your input for Dependabot. Please let me know if you have other questions or feedback. |
|
@infin8x thank you for taking the time to write that, super helpful to understand the core issue. So if I'm reading this correctly, the primary concern is in having dependabot merges happen purely automatically. I'm a bit confused why that would be an issue with |
|
@janhartigan thanks! A few issues got conflated together in this thread - sorry about that. On the |
|
@infin8x thanks for that. As you mentioned, during the event-stream incident the malicious code went undetected for 2.5 months. How many users actually audit a package before using it or review a diff every time they merge an update? Even if PRs are being merged manually, chances are user would still merge a malicious update in the "next event-stream" and hence not allowing automerge is merely a hindrance to an otherwise elegant workflow. Finally, I don't believe my original question was answered: who appointed GitHub the knower of what's best? Why not let the user decide on the level of safety/security they want for their own repo?? Will you next decide which versions are WordPress are safe for use? Or which programing languages? GitHubs job is to provide a set of tools for it's users, not to dictate how and when those tools may or may not be used. |
|
Hi @mbrevda, Thanks for your response. I hear your frustration. All of us on the Dependabot team work to build features with GitHub’s massive worldwide community in mind. We know from past experience that the options we provide and the defaults we choose can have a large impact on that community. It’s a hard balance - obviously applying updates helps keep you secure, and we want to make that easy - but there's also the drawback of making it possible to easily propagate malicious content. At this point, we’re erring on the side of caution. Again, we are investigating longer-term solutions that would allow us to bring back auto-merge, once we can provide sufficient validation of the security and authenticity of vulnerable dependencies. |
|
@infin8x thanks, again, for taking the time to respond. I can appreciate that being a product manager for the world's largest code sharing platform is a huge responsibility. In all likelihood, being in your position, I'd similarly look to find myself "on the side of caution". The implications of totally removing the auto-merge option seem to be way more far-reaching than just suggesting "the defaults" as the defaults were never to auto-merge. As these recent changes went as far as totally disabling the bots ability to merge (even when specifically requested by a human!), "the defaults" are no longer a choice but an imposition on the community at large. Additionally, as "the options [you] provide" still enable auto-merging as @jurre pointed out (albeit via slightly more steps) the ultimate results are simply more complexion and indirection - not "caution"! And this doesn't even include the Dependabot competitors that are available as Github apps - all which allow for auto merging. Finally, it would seem that the root issue here really is the easy accessibility to "propagate malicious content" via npm (which Github recently acquired) and that remains unaddressed. In conclusion: it's easy to see why Github feels the need to apply safe and sane defaults and I'm glad there are bright and experienced minds looking out for the community. However, this precedent of enforcing a specific agenda is a slippery slope and troubling at best. Out of respect to OP and the legitimate issue at hand, I'd like to "yield my time" and continue this conversation in a more appropriate forum if you can suggest one. |
|
@infin8x from an end-user perspective, I concur with @mbrevda, this move feels like we're being coerced to follow corporate security guidelines without agreeing on them or even having a saying in the matter. On the other hand, I totally understand your perspective that security should be paramount. So I support the decision of phasing auto merges out, with the hopes that you will roll the feature out again in the future in a secure manner. |
|
For those that still want auto-merge while this is getting sorted dependabot side there's always mergify, which is free for open source repos. |
|
Pushed a fix for merging/automerging when there are skipped check runs. Rolling out fix for both versions of Dependabot. |
|
Awesome thanks. Interesting side affect - Now we have around 200 PR merging, one after another which causes all other open PRs to rebase, which ate up all of our GitHub actions minutes. |
|
Should Dependabot rebase, CI and merge one PR at a time? |
Ouch! Yeah, we'd like to improve or make the rebase-strategy configurable. We've got some plans for this but will be a while before we can get to it. |
|
I wish the alternatives to auto-merge were just more annoying routes to the same destination. Unfortunately only dependabot is able to determine the package and type of update. I want to merge things like Dependabot also had additional security controls in that it would never auto-merge something with a new maintainer. So doing this with another bot would actually be a step back and make it more likely that the type of attack that @infin8x laid out in #1823 (comment) would succeed. I hate to pile on here, but I have to agree with @mbrevda. Removing auto-merge doesn't add any security (as manual review is not in any way guaranteed by requiring a human to click the merge button), it may decrease security (where github could intervene in a merge when specific criteria were met), and it makes keeping dependencies up to date much more difficult (an OWASP top ten vulnerability). |
|
@feelepxyz I noticed this was fixed in dependabot recently, which is great! (dependabot/feedback#948) Is there any plan to add this to Github itself, i.e. the branch protection rules where certain checks can be required before merge is allowed? |
|
Still fails on my github action |
|
Adding my +1 to the choir - I'm disappointed by this decision.
I have comprehensive testing in place that can do a far better job than I ever could of reviewing the change. I can look at the number changing from one digit to another in Meanwhile my automated tests can prove that the site generates correctly, my React components are behaving as expected, and even notice the tiniest unexpected visual change using browser automation with visual regression tests. If I were to review a dependency update all I'd do is run the tests, which has already been done by a pipeline. There is no benefit to human oversight here. Trying to look at it from GitHub's perspective, I can see valid reasoning for this change- to reduce the blast radius of malicious changes to dependencies. If a major library gets taken over by a malicious actor you don't want it to near-instantaneously update across thousands, perhaps even tens of thousands of repositories. But there are other ways we could achieve this- perhaps if you enable automerge your automatic PRs are delayed by a certain amount, to give the community some time to catch any malicious changes. It could even be a random amount, some repositories getting updated faster than others. That way a small number test the change while the rest wait to see if there are any problems. I wouldn't mind my dependabot PRs being a few days late if I can automerge them. |
Yes! And in the future this could evolve into a distributed review process, where the merge delay is skipped if several major projects have explicitly ok'd the change. This could be a huge improvement to the process of distributing critical security fixes: as soon as a few major projects have applied the upgrade, all the small projects and people on vacation would get the fix merged automatically. |
Package manage/ecosystem
javascript
Manifest contents prior to update
package.json and package-lock.json
Updated dependency
What you expected to see, versus what you actually saw
It looks like GitHub Actions recently starting publishing skipped build checks on PR builds. Ever since, Dependabot is not auto merging any pull requests. Also interesting to note here is that when some other checks fail, the skipped check is also listed as failed. See this comment for example. Commenting
@dependabot mergealso has no effect as in this pull request: AbhyudayaSharma/abhyudayasharma.github.io#111Dependabot configuration:
Images of the diff or a link to the PR, issue or logs
Status as reported by GitHub:
The text was updated successfully, but these errors were encountered: