Registrator.jl
authentication
How do we know which PRs we should run through the whole registration CI process? We don't want to allow arbitrary people to make a PR and automatically kick off CI since it's fairly easy to see how that allows people to run arbitrary code on our registration CI machines (bitcoin mining, anyone?). If the person opening the PR is a committer, that's fine, we can just kick off right away. If the person opening the PR is not a committer, however, we should probably require an approval of the PR from someone who is a committer to the repo. There is a GitHub interface for PR approvals, so we should probably use that on GitHub at least. On other platforms, we should use whatever comparable approval API there is or at the very minimum, just look for a comment of the form "approve" from someone with commit bit.
Thoughts?
The approval review may not be ideal because a committer cannot approve their own PR. So if a package has only one developer it will not work. Also if a package is to be newly registered, then the workflow will be different.
What I'm thinking is we can have a comment listener to do the registration. For unregistered packages, the maintainer will have to open an issue with the trigger comment. We will check whether the comment is made by a collaborator.
I think the best thing, if possible, would be that no approval is required if the author is a committer on the package. Approval should only be required if the PR author is not a committer. Does that make sense?
Yes, that makes sense. I'm going to stick to the comment listener for now since it's a simple trigger that works for all cases. We can add the other triggers (PR/approval etc.) once I have a first cut of this working.
Sounds good to me.
What kind of comment are you considering to be a trigger? Does it need a particular format? Or any comment? The latter seems like it would be a bit dangerous and lead to accidental "approval".
On a PR you can say register(). If you say the same in an issue it will register the current master unless you say register(branch), then it will register the branch.
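A sketch of the comment-listener check discussed in this thread, added here as an example and not Registrator.jl's own code: the comment must match the exact `register()` / `register(branch)` form (so ordinary discussion is never an accidental approval), the commenter must hold the commit bit, and on an issue `register()` falls back to master. The event dict, the `permissions` lookup and the choice to reject an explicit branch argument on a PR (where the branch is implied) are assumptions, not the project's schema.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Permission levels that carry the "commit bit"; anything else is untrusted.
COMMIT_PERMISSIONS = {"write", "maintain", "admin"}

# Strict trigger: the whole comment is `register()` or `register(<branch>)`.
# Branch names are limited to a conservative character set so that no
# shell-significant text is ever passed on to the registration job.
TRIGGER_RE = re.compile(r"^\s*register\(\s*([A-Za-z0-9._/-]*)\s*\)\s*$")


@dataclass
class RegistrationRequest:
    branch: str          # git ref the CI job should register
    requested_by: str    # login of the collaborator who triggered it


def parse_trigger(body: str) -> Optional[str]:
    """Return the branch argument ('' for register()) or None if not a trigger."""
    m = TRIGGER_RE.match(body)
    return m.group(1) if m else None


def handle_comment(event: dict, permissions: dict) -> Optional[RegistrationRequest]:
    """Decide whether a comment event may kick off registration.

    `event` is a reduced issue_comment payload (constructed shape, not GitHub's
    full schema); `permissions` maps login -> repository permission level, as a
    collaborator-permission lookup would return it.
    """
    author = event["comment"]["user"]
    branch_arg = parse_trigger(event["comment"]["body"])
    if branch_arg is None:
        return None                       # not a trigger comment: ignore
    if permissions.get(author) not in COMMIT_PERMISSIONS:
        return None                       # no commit bit: never start CI
    pr = event["issue"].get("pull_request")
    if pr is not None:
        if branch_arg:
            return None                   # assumption: branch is implied on a PR
        branch = pr["head_ref"]
    else:
        branch = branch_arg or "master"   # issue: register(branch) or master
    return RegistrationRequest(branch=branch, requested_by=author)
```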