laurentsimon
Sounds like a good idea. Do you have documentation links about GitHub bot accounts, how to create them, etc?
Just to clarify: the only permission is to be able to create issues, correct? And there are no dangerous permissions needed to do that, any PAT can do it. Is that...
Everything *but* merging code requires no dangerous permissions w.r.t. the scorecard repo itself. I think what I was trying to gauge is how sensitive this bot account is. My understanding...
Auto merging requires adding a review automatically. (Added this comment to the auto-merge PR https://github.com/ossf/scorecard/pull/1749). You cannot automatically push to a protected branch, so either BP must be disabled or...
> Batching is ideal, but approval is paramount. Any PR that merges should be subject to same review/checks, both from maintainers and presubmits.
> For dependency updates, the human element...
@[rarkins](https://github.com/rarkins) any plans to support batched pull requests in renovatebot? I found https://github.com/renovatebot/renovate/issues/4404#issuecomment-858554871 IIUC, this would allow us to batch PRs on a schedule? Are there limitations to this config?...
I think an answered question is whether we want to allow dependabot updates to be automatically merged in or not. For example, it's sometimes possible to bypass reviews by injecting code...
I'm running at HEAD. This seems to be a problem on most repos I'm testing. Here's another one github.com/Dart-Code/dart-code, reporting a single commit.
30 commits overall is fine, and that's what we've been doing. I think I got thrown off by the message. It should say `X out of Y commits are checked...
Tough one. Can the "squashed" status be queried?