nixpkgs-merge-bot

Merges cannot be attributed, encode invoker into the merge commit

Open Atemu opened this issue 1 year ago • 1 comments

Currently, a merge bot merge cannot be directly attributed to any real person. You could go into the PR and look for the last comment before the merge that invoked the bot, but GH PR conversations can easily be disappear'd and users can turn into ghosts at any time. We've seen this happen many times before in Nixpkgs. When either of those occurs, it is no longer possible to trace a merge bot merge back to an actual human.

In the commit metadata, the author is set to the merge bot and committer is the generic GH user:

Author:     nixpkgs-merge-bot[bot] <148217876+nixpkgs-merge-bot[bot]@users.noreply.github.com>
AuthorDate: Tue Jun 18 05:23:59 2024 +0000
Commit:     GitHub <noreply@github.com>
CommitDate: Tue Jun 18 05:23:59 2024 +0000

The actual person who invoked the bot should be embedded in this commit to ensure clear ownership and thereby responsibility. Since they effectively author the merge, I propose the Author: field to be set to the invoker's details. The Commit:er should then be set to the merge bot info as it performs the actual commit.

If it is not possible to set the Commit:er field to the bot or the Author: field to anything but the bot, the bot would have to remain as the Author: and the invoker should instead be added as Co-authored-by: (GH and other forges interpret this field and link the users' profiles on commits).
We could also invent a new Invoked-By: metadata field here as there is no real standard for this, but that likely won't receive support from forges.

What needs investigation is how the invoker's details would be fetched. In case the GH API does not offer that (might very well be the case) we could always use the maintainers list for this though as it contains a GH user <-> email mapping.

Atemu avatar Jun 26 '24 07:06 Atemu

I believe GitHub also provides some pseudo email addresses that could be used in that field.

Mic92 avatar Jun 26 '24 12:06 Mic92

These two links help to document the GitHub API behaviour:
https://github.com/orgs/community/discussions/22658
https://docs.github.com/en/pull-requests/committing-changes-to-your-project/creating-and-editing-commits/creating-a-commit-with-multiple-authors

I would argue to add a Co-authored-by: to the commit message to link the users. I will have to get the commenter's mail address from somewhere as this is not implemented yet.

Scriptkiddi avatar Jan 03 '25 11:01 Scriptkiddi
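
Added example, not part of the thread and not the bot's own code: a sketch of the Co-authored-by approach discussed above, building the trailer from GitHub's `ID+login@users.noreply.github.com` pseudo-address form (the form visible in the bot's own Author: line) and auditing which bot-authored merges carry no such trailer. The commit dictionaries, SHAs, login and user id are constructed placeholders, and the function names are hypothetical.

```python
import re

BOT = "nixpkgs-merge-bot[bot]"  # author name shown in the issue's commit metadata
TRAILER = re.compile(r"^Co-authored-by:\s*(.+?)\s*<([^<>\s]+)>\s*$", re.IGNORECASE)
# GitHub noreply addresses: "ID+login@users.noreply.github.com" (older form has no "ID+")
NOREPLY = re.compile(r"^(?:\d+\+)?([^@+]+)@users\.noreply\.github\.com$")


def invoker_trailer(login: str, user_id: int) -> str:
    """Trailer naming the invoker without needing their real e-mail address."""
    return f"Co-authored-by: {login} <{user_id}+{login}@users.noreply.github.com>"


def co_authors(message: str) -> list[str]:
    """Logins (or raw e-mails) from the trailer block, i.e. the last paragraph."""
    block = message.rstrip().split("\n\n")[-1]
    out = []
    for line in block.splitlines():
        m = TRAILER.match(line.strip())
        if m:
            noreply = NOREPLY.match(m.group(2))
            out.append(noreply.group(1) if noreply else m.group(2))
    return out


def untraceable(commits: list[dict]) -> list[str]:
    """SHAs of bot-authored commits with no parsable Co-authored-by trailer."""
    return [c["sha"] for c in commits
            if c["author"] == BOT and not co_authors(c["message"])]


# Constructed sample data: placeholder SHAs, PR numbers, login and user id.
SAMPLE = [
    {"sha": "aaaaaaa", "author": BOT,
     "message": "Merge pull request #1 from example/branch\n\n"
                + invoker_trailer("alice-example", 1234567)},
    {"sha": "bbbbbbb", "author": BOT,
     "message": "Merge pull request #2 from example/branch\n\nCo-authored-by: see PR"},
    {"sha": "ccccccc", "author": BOT,
     "message": "Merge pull request #3 from example/branch"},
]

if __name__ == "__main__":
    print(untraceable(SAMPLE))
```

Because the trailer lives in the commit object, the attribution survives deleted PR conversations and deleted accounts, which is the failure mode the issue describes.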

#140

DominicWrege avatar Jan 03 '25 17:01 DominicWrege

fixed by #140

Scriptkiddi avatar Jan 04 '25 12:01 Scriptkiddi

For future reference: This had to be changed back again in #205, because the auto-merge / merge queue merge methods do not support changing the author :(

wolfgangwalther avatar Sep 17 '25 11:09 wolfgangwalther

The only way to attribute the merge to someone else with auto merge/merge queues would be to "act as" the user when triggering the API endpoint.

This would mean:

  1. We'd need to get OAuth tokens from anyone who wants to merge using the bot.
  2. The merge bot would act with the user's permissions too... So it wouldn't actually be able to merge anything!

MattSturgeon avatar Sep 17 '25 20:09 MattSturgeon