gitlab-merger-bot
Authorization / permissions
First of all THANK YOU for this project. I've just installed the Docker image and seeing my daily routine being automated is an instant relief :)
Despite my relief I fear misuse of the bot, as now every developer can assign an MR to the bot user and circumvent the protected branch settings.
It would be nice to have some kind of authorization / limitation who can command the bot.
Suggestions:
- The bot can check who assigned the MR to it and have a fixed list who is eligible to do so
- Reflect GitLab permissions:
  - Query /projects/:id/members/all to get the user's permission in this project
  - Query /projects/:id/repository/branches/:branch to check developers_can_merge - accept MR if user could merge by himself, otherwise re-assign to user
Hi, glad to hear that you find this project useful.
Do you have an idea how to determine (without hooks) who made an assignment? The only way I see is that it should read changes (https://docs.gitlab.com/ee/api/merge_requests.html#get-single-mr-changes) or events (https://docs.gitlab.com/ee/api/events.html#list-currently-authenticated-users-events). Nothing that seems simple to implement.
It should be possible with /todos.
E.g. https://gitlab.example.org/api/v4/todos?type=MergeRequest&action=assigned&state=pending yields all ToDos for the current user (the bot) where the bot was assigned an MR by someone else.
The response looks like this:
```json
[
  {
    "id": 6007,
    "project": {
      "id": 461,
      "description": "Sample project",
      "name": "Sample project",
      "name_with_namespace": "sample / project",
      "path": "sample-project",
      "path_with_namespace": "sample/project",
      "created_at": "2018-11-09T15:09:57.253+01:00"
    },
    "author": {
      "id": 1,
      "name": "Assigning User",
      "username": "assigning-user",
      "state": "active",
      "avatar_url": "https://gitlab.example.org/uploads/-/system/user/avatar/1/assigning-user.jpg",
      "web_url": "https://gitlab.example.org/assigning-user"
    },
    "action_name": "assigned",
    "target_type": "MergeRequest",
    "target": {
      "id": 4148,
      "iid": 679,
      "project_id": 461,
      "title": "plz merge me",
      "description": "",
      "state": "opened",
      "created_at": "2021-09-02T23:41:17.132+02:00",
      "updated_at": "2021-09-02T23:41:17.132+02:00",
      "merged_by": null,
      "merged_at": null,
      "closed_by": null,
      "closed_at": null,
      "target_branch": "master",
      "source_branch": "fix/plz-merge",
      "user_notes_count": 0,
      "upvotes": 0,
      "downvotes": 0,
      "author": {
        "id": 1,
        "name": "Authoring user",
        "username": "authoring-user",
        "state": "active",
        "avatar_url": "https://gitlab.example.org/uploads/-/system/user/avatar/1/authoring-user.jpg",
        "web_url": "https://gitlab.example.org/authoring-usr"
      },
      "assignees": [
        {
          "id": 1,
          "name": "Assigned User eg. bot",
          "username": "assigned-user",
          "state": "active",
          "avatar_url": "https://gitlab.example.org/uploads/-/system/user/avatar/1/assigned-user.jpg",
          "web_url": "https://gitlab.example.org/assigned-user"
        }
      ],
      "assignee": {
        "id": 1,
        "name": "Assigned User eg. bot",
        "username": "assigned-user",
        "state": "active",
        "avatar_url": "https://gitlab.example.org/uploads/-/system/user/avatar/1/assigned-user.jpg",
        "web_url": "https://gitlab.example.org/assigned-user"
      },
      "reviewers": [],
      "source_project_id": 461,
      "target_project_id": 461,
      "labels": [],
      "draft": false,
      "work_in_progress": false,
      "milestone": null,
      "merge_when_pipeline_succeeds": false,
      "merge_status": "can_be_merged",
      "sha": "bb414a9907033f76fc9357721d080444a05d9c26",
      "merge_commit_sha": null,
      "squash_commit_sha": null,
      "discussion_locked": null,
      "should_remove_source_branch": null,
      "force_remove_source_branch": true,
      "reference": "!679",
      "references": {
        "short": "!679",
        "relative": "!679",
        "full": "sample/project!679"
      },
      "web_url": "https://gitlab.example.org/sample/project/-/merge_requests/679",
      "time_stats": {
        "time_estimate": 0,
        "total_time_spent": 0,
        "human_time_estimate": null,
        "human_total_time_spent": null
      },
      "squash": false,
      "task_completion_status": {
        "count": 0,
        "completed_count": 0
      },
      "has_conflicts": false,
      "blocking_discussions_resolved": true,
      "changes_count": "1",
      "diff_refs": {
        "base_sha": "d94f419fc496589197e48306fd776574c4b6bcaa",
        "head_sha": "bb414a9907033f76fc9357721d080444a05d9c26",
        "start_sha": "d94f419fc496589197e48306fd776574c4b6bcaa"
      },
      "merge_error": null,
      "user": {
        "can_merge": false
      }
    },
    "target_url": "https://gitlab.example.org/sample/project/-/merge_requests/679",
    "body": "fix: plz merge",
    "state": "pending",
    "created_at": "2021-09-02T23:41:19.040+02:00",
    "updated_at": "2021-09-02T23:41:19.040+02:00"
  },
  {...}
]
```
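To show how the two suggestions above fit together (the assigning user taken from the todo's `author`, then checked against `/projects/:id/members/all` and the branch's `developers_can_merge`), here is an added decision function; it is not code from gitlab-merger-bot, and the todo, member and branch objects are constructed samples shaped like the GitLab responses, with the HTTP calls left out so it runs offline.

```typescript
// Added example, not gitlab-merger-bot's own code. Decides whether the user who
// assigned an MR to the bot could have merged it themselves; if not, the bot
// should hand the MR back instead of bypassing branch protection.

// GitLab access levels as returned in the access_level field of /projects/:id/members/all
const DEVELOPER = 30;
const MAINTAINER = 40;

interface Todo { author: { username: string }; target: { project_id: number; target_branch: string } }
interface Member { username: string; access_level: number }
interface Branch { name: string; protected: boolean; developers_can_merge: boolean }

type Decision = { action: "merge" } | { action: "reassign"; to: string; reason: string };

// Mirrors what GitLab lets a human do: Maintainer and above may merge anywhere,
// Developer only where the branch is unprotected or explicitly allows developers.
// The optional allowlist is the issue's first suggestion (a fixed list of eligible users).
// Note: if member data is cached, a revoked permission may still be honoured until the
// cache expires, which is the atomicity caveat raised in the thread.
function authorize(todo: Todo, members: Member[], branch: Branch, allowlist?: string[]): Decision {
  const user = todo.author.username;
  const deny = (reason: string): Decision => ({ action: "reassign", to: user, reason });

  if (allowlist && !allowlist.includes(user)) return deny("user is not on the bot's allowlist");
  if (branch.name !== todo.target.target_branch) return deny("branch info does not match the MR target branch");
  const member = members.find((m) => m.username === user);
  if (!member) return deny("user is not a member of the target project");
  if (member.access_level >= MAINTAINER) return { action: "merge" };
  if (member.access_level >= DEVELOPER && (!branch.protected || branch.developers_can_merge)) return { action: "merge" };
  return deny(`access level ${member.access_level} cannot merge into protected branch ${branch.name}`);
}

// Constructed sample data (shaped like the /todos, members and branches API responses)
const sampleTodo: Todo = { author: { username: "assigning-user" }, target: { project_id: 461, target_branch: "master" } };
const sampleMembers: Member[] = [
  { username: "assigning-user", access_level: DEVELOPER },
  { username: "release-manager", access_level: MAINTAINER },
];
const lockedMaster: Branch = { name: "master", protected: true, developers_can_merge: false };
const devMergeableMaster: Branch = { name: "master", protected: true, developers_can_merge: true };

console.log(authorize(sampleTodo, sampleMembers, lockedMaster));        // reassign to assigning-user
console.log(authorize(sampleTodo, sampleMembers, devMergeableMaster));  // merge
```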
Good idea! I'll look at it later, but it looks promising. User permission should be cached, so atomicity will not be achieved. But I hope it'll be OK for most situations.
I'm working on it here: https://github.com/pepakriz/gitlab-merger-bot/pull/186 It introduces a new config flag because it changes the way newly assigned merge requests are discovered. I'll be testing this flag for a while.