REQUEST: Repository maintenance on opentelemetry-rust
Affected Repository
https://github.com/open-telemetry/opentelemetry-rust
https://github.com/open-telemetry/opentelemetry-rust-contrib
Requested changes
Install autofix.ci GH App
https://autofix.ci/setup
Purpose
We would like to test out the autofix capabilities of the app to remove the additional work for contributors when they forget to format/lint their changes.
Expected Duration
4 weeks
Repository Maintainers
- @open-telemetry/rust-maintainers
oh, this looks really interesting
there are potentially lots of automations that could benefit from this which we haven't been able to implement due to the security issues around pull_request_target
cc @open-telemetry/docs-maintainers
cc @open-telemetry/sig-project-infra-approvers
just as an fyi, it asks for these permissions (which makes sense):
Interestingly the docs folks are implementing something similar manually, see pros/cons here: https://github.com/open-telemetry/opentelemetry.io/pull/6894/files#r2091256900
I was (finally) able to get something like this working without relying on an external github app:
It's definitely not as simple as using autofix.ci, but it doesn't require giving content write permission to a (relatively small) third party app.
Let me know if you'd like to go this route and I can set up an opentelemetry org github app for your repo similar to https://github.com/open-telemetry/opentelemetry-java-instrumentation/blob/ec060ad52f9e0de9169108c27337fc2b4717b5f4/.github/workflows/auto-update-pull-request.yml#L40-L41
annoyingly, CodeQL flags this approach (auto-update-pull-request.yml) as a "Dangerous Workflow"
I'm pretty sure it's very careful to not be dangerous, but I also don't love marking the CodeQL warning as a false positive, so definitely a downside to this approach
@trask - is the zipped patch in the workflow guaranteed to be safe? Is there a better/safer way to push updates to a pull request on a branch?
I'm thinking that adjusting the workflow to use octo & changing how patching operates might be more safe.
@trask - is the zipped patch in the workflow guaranteed to be safe? Is there a better/safer way to push updates to a pull request on a branch?
I think it's safe, but definitely worth another set of eyes on it
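As an added illustration of the approach discussed above (the org GitHub App alternative to autofix.ci and the question of whether pushing a patch produced by an untrusted job is safe), here is a sketch of the two-workflow pattern that avoids `pull_request_target` entirely. It is example configuration written for this thread, not the auto-update-pull-request.yml workflow linked above, and the workflow names, the formatter command, the `vars`/`secrets` names, the bot identity and the specific patch checks are all assumptions. The untrusted `pull_request` job may run PR-controlled code but only holds a read token and only emits a text artifact; the privileged `workflow_run` job runs the base repository's workflow definition, treats the artifact as data, rejects anything that is not a plain content change to files outside `.github/`, and pushes with a short-lived App token.

```yaml
# Added example, not the OpenTelemetry project's own workflow. Two files are
# shown as two YAML documents; the names and checks below are assumptions.

# File 1 (assumed path): .github/workflows/autofix-prepare.yml
# Untrusted side: runs on `pull_request` with a read-only token. It may execute
# code from the PR (build scripts, rustfmt config), so the only thing it hands
# to the privileged side is a plain-text unified diff.
name: autofix-prepare
on:
  pull_request:
permissions:
  contents: read
jobs:
  prepare:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo fmt --all                 # assumption: the autofix is formatting
      - run: git diff > autofix.patch        # no --binary: binary hunks are rejected later
      - uses: actions/upload-artifact@v4
        with:
          name: autofix-patch
          path: autofix.patch
          retention-days: 1
---
# File 2 (assumed path): .github/workflows/autofix-apply.yml
# Privileged side: `workflow_run` executes the workflow definition from the
# default branch, never the PR's, so PR code is not run here. The patch is
# data that gets checked before it touches the tree.
name: autofix-apply
on:
  workflow_run:
    workflows: [autofix-prepare]
    types: [completed]
permissions:
  contents: read
  actions: read            # needed to download the other run's artifact
jobs:
  apply:
    # assumption: same-repository PRs only; an org App token cannot push to forks
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - id: app
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.AUTOFIX_APP_ID }}                 # assumed variable name
          private-key: ${{ secrets.AUTOFIX_APP_PRIVATE_KEY }} # assumed secret name
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.workflow_run.head_sha }}     # exact commit the patch was made against
          token: ${{ steps.app.outputs.token }}
      - uses: actions/download-artifact@v4
        with:
          name: autofix-patch
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
          path: /tmp/autofix
      - id: check
        name: Validate the patch before applying it
        run: |
          set -euo pipefail
          patch=/tmp/autofix/autofix.patch
          if [ ! -s "$patch" ]; then
            echo "apply=false" >> "$GITHUB_OUTPUT"; exit 0   # nothing to fix, avoids a push loop
          fi
          # only plain content edits: no new/deleted files, mode changes, renames or binaries
          if grep -Eq '^(new file mode|deleted file mode|old mode|new mode|rename from|GIT binary patch|Binary files)' "$patch"; then
            echo "patch changes the file set, modes or binary data"; exit 1
          fi
          # never let the untrusted job edit workflow or repo configuration
          if git apply --numstat "$patch" | awk '{print $3}' | grep -Eq '^\.github/'; then
            echo "patch touches .github/"; exit 1
          fi
          git apply --check "$patch"
          echo "apply=true" >> "$GITHUB_OUTPUT"
      - if: steps.check.outputs.apply == 'true'
        name: Apply and push
        run: |
          set -euo pipefail
          git apply /tmp/autofix/autofix.patch
          git config user.name  "autofix-bot"                          # assumed bot identity
          git config user.email "autofix-bot@users.noreply.github.com"
          git commit -am "Apply automatic formatting"
          # plain push (no --force): if the PR branch moved since head_sha, this is rejected
          git push origin HEAD:${{ github.event.workflow_run.head_branch }}
```

Two design points worth noting: checking out `head_sha` rather than the branch name means the patch is applied against exactly the tree it was generated from, and refusing to force-push means a PR that received new commits in the meantime simply gets no bot commit instead of a clobbered branch. Whether CodeQL still flags this as a dangerous workflow is not something the configuration alone settles; it is the `workflow_run` trigger plus the checkout of a PR commit that the rule keys on, so the reviewer's job is to confirm that nothing from that checkout is ever executed in the privileged job.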