-
-
Notifications
You must be signed in to change notification settings - Fork 158
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RFC 0156] No Direct Nixpkgs Pushes #156
Conversation
028c2c4
to
25ce9d6
Compare
[^1]: Unix epoch 1658361600 to 1689897600 | ||
|
||
To determine whether a commit was pushed directly, the GitHub API was queried for pull requests associated with that commit (see [`associatedPullRequests`](https://docs.github.com/en/graphql/reference/objects#commit)). | ||
If this list includes a merged pull request to the Nixpkgs master branch, the commit is known to be merged with a pull request. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would add a remark here that GitHub does allow merging PRs via a direct push of a clean-merge commit. (I cannot figure out from the documentation if it allows pushing an unclean merge, which would be an issue if we took «malicious code» part seriously)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will test this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think if there are any merge conflicts, then the merge commit may contain arbitrary changes in order to fix that commit. Not sure if this is prevented on PRs with merge conflicts or if this could be prevented.
- It had a mistaken estimate for the percentage of direct master commits, calculating it to be 46.85% in the last year. | ||
The mistake was assuming that all non-merge commits were direct pushes. | ||
This made it seem like the change was much more impactful than it actually would've been. | ||
- It was too ambitious by also proposing to require accepting reviews for all pull requests. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think another important point is that in the years since #79 the discussions lead to various workflows to migrate gradually away from direct pushes. The old RFC proposed a step change unaligned with then-current practice (also it wanted reviews but whatever), the new RFC proposes to finalise a process transition that has had time to be almost completely implemented in practice.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It takes a bit of time, but I can also check how many commits were directly pushed to master back then, I wouldn't be surprised if it was already very low.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was pretty low for sure, but noticeably higher — and the updates to staging
workflows in the meantime probably matter.
Ah, maybe I can put it like that: back then, there were some true positives in the direct push tracking action — comparable amounts to false positives, nowadays this doesn't seem to happen at all.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Back then, the majority of changes already went through a PR at some point on their way to the main branch. For the exceptions, there were a few years of advertising specific changes to the specific workflows while talking up the virtues of ofBorg eval check until everyone either agrees or is nagged into compliance; apparently after all the workflow work the strong arguments for direct pushes to the channel-feeding branches are resolved.
This is the difference between «now» and «the current RFC transplanted back in time with the data re-processed according to the moment of submission». «RFC 79, try again» would hopefully fail again, because of the other demands it also had.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I got the results, out of a total 50457 master commits in the last year at RFC 79 start time 1, at most 2682 of them (5.315%) were direct pushes to master, complete listing here (not counting the 153 obvious false positives from @web-flow, see #156 (comment)).
So while it was still about 10 times less than the original estimate in the RFC (46.85%), it was 100 times more than now (0.0517%)! I will update the RFC with this information.
Footnotes
-
Unix epoch 1569369600 to 1600992000 ↩
To determine whether a commit was pushed directly, the GitHub API was queried for pull requests associated with that commit (see [`associatedPullRequests`](https://docs.github.com/en/graphql/reference/objects#commit)). | ||
If this list includes a merged pull request to the Nixpkgs master branch, the commit is known to be merged with a pull request. | ||
Otherwise the commit could be directly pushed or be a false positives, which is why the above count is only an upper bound. | ||
All obvious false positives ([example](https://github.com/NixOS/nixpkgs/commit/b09d18903c24b8aca88100df86aa2fdd5f05dfcd)) have been removed from this count and listing already. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, have you kept count how many obvious false positives you had to remove? To estimate how many non-obvious false positives we probably have remaining…
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There were 79 obvious false positive, which after another look are all from seemingly buggy merges using GitHub's web interface. Here's a complete listing:
Complete listing of false positives
- 5cd9b4264517 @web-flow - Merge pull request #220739 from spacefrogg/factor-fix
- 8c619a1f3ced @web-flow - Merge pull request #215956 from K900/kf5-5.103.0
- ae9b433138cf @web-flow - Merge pull request #215786 from wegank/qbittorrent-nox-darwin
- 7a0a5c995005 @web-flow - Merge pull request #215759 from melvyn2/patch-4
- c98696fbfc2f @web-flow - Merge pull request #215744 from alyssais/kguiaddons-homepage
- 272017b7536d @web-flow - Merge pull request #215743 from alyssais/extra-cmake-modules-homepage
- 4ba33a758f25 @web-flow - Merge pull request #215489 from Alper-Celik/master
- 1e76265b3b56 @web-flow - Merge pull request #215177 from Emantor/bump/xwayland
- 27cde435fe6a @web-flow - Merge pull request #214857 from dotlambda/kbibtex-0.9.3.1
- 42b3a6354fde @web-flow - Merge pull request #206559 from doronbehar/pkg/musescore
- b594c9af3621 @web-flow - Merge pull request #214552 from r-ryantm/auto-update/kstars
- ffbc5e161a5a @web-flow - Merge pull request #214220 from K900/kde-rounded-corners-0.3.0
- c2947b5459c3 @web-flow - Merge pull request #214169 from K900/kde-gear-22.12.2
- e14a364a736b @web-flow - Merge pull request #214005 from r-ryantm/auto-update/umockdev
- 3da3678c1719 @web-flow - Merge pull request #213413 from K900/plasma-wayland-protocols-1.10.0
- 0e4512f10180 @web-flow - Merge pull request #213099 from r-ryantm/auto-update/haruna
- 30e84e2f8175 @web-flow - Merge pull request #206930 from brcha/davinci_resolve_fix_qt_plugins
- c5b2c8390c15 @web-flow - Merge pull request #212802 from Zimmi48/update-copilot
- 437b1938bcd1 @web-flow - Merge pull request #212611 from r-ryantm/auto-update/goda
- 4be063c1732e @web-flow - Merge pull request #212481 from qowoz/fzf
- 542ef388022f @web-flow - Merge pull request #211602 from Jayman2000/ecwolf-1.4.0
- 15eb39e56f67 @web-flow - Merge pull request #209224 from wegank/qbittorrent-darwin
- 7d81cb9db363 @web-flow - Merge pull request #210542 from michaelBelsanti/catppuccin-kde
- 78a377ed2880 @web-flow - Merge pull request #210290 from NickCao/qt642
- d7021b0c4d62 @web-flow - Merge pull request #210709 from K900/kf5-5.102.0
- 5c2347a3e961 @web-flow - Merge pull request #210581 from r-ryantm/auto-update/kid3
- c96b17f7675e @web-flow - Merge pull request #209439 from K900/kde-gear-22.12.1
- 505955711ae9 @web-flow - Merge pull request #209433 from K900/plasma-5.26.5
- 03287dc59d23 @web-flow - Merge pull request #209019 from jojosch/haruna-update
- 81271652095d @web-flow - minio: add legacy fs version 2022-10-24T18-35-07Z (#206376)
- b09d18903c24 @web-flow - Merge pull request #205921 from ulrikstrid/ulrikstrid--kde-frameworks_5-101
- 5b856c23929b @web-flow - Merge pull request #205625 from r-ryantm/auto-update/syncthingtray
- 4da241459471 @web-flow - Merge pull request #203368 from maralorn/nom
- f6a53df3df6d @web-flow - Merge pull request #201808 from yaxitech/pulumi-3.47.0
- 3c0f6f555b7e @web-flow - Merge pull request #201459 from tjni/od
- 5cb03b3f5a1b @web-flow - Merge pull request #201460 from trofi/libagar-without-xlibsWrapper
- fc8a4f729105 @web-flow - Merge pull request #201521 from hmenke/alps
- 9727e904e901 @web-flow - Merge pull request #201469 from hmenke/git-branchless
- 3b0b1be8784f @web-flow - Merge pull request #201679 from r-ryantm/auto-update/brev-cli
- efa60e11cf4f @web-flow - Merge pull request #201535 from r-ryantm/auto-update/picom
- 639550cc2ee6 @web-flow - matcha-gtk-theme: 2022-06-07 -> 2022-11-15 (#201410)
- 3e1a3aa9392f @web-flow - Merge pull request #201376 from whentze/master
- bc5ad9707805 @web-flow - Merge pull request #200097 from efx/fluent-bit-support-postgresql-out
- 43a2c2f1a0cc @web-flow - Merge pull request #200155 from r-ryantm/auto-update/python310Packages.mastodon-py
- 25528d7ae1d5 @web-flow - Merge pull request #199990 from prusnak/electron
- 5f24d55ae4f2 @web-flow - Merge pull request #199700 from fabaff/plugwise-bump
- 9e7feda53c23 @web-flow - Merge pull request #199153 from r-ryantm/auto-update/babashka
- 96d7f290878d @web-flow - Merge pull request #176553 from MalteT/fix/smartctl-exporter-override
- 220943e6d6cd @web-flow - Merge pull request #197427 from r-ryantm/auto-update/libtorrent-rasterbar-2_0_x
- 0d1d1f9ac121 @web-flow - Merge pull request #197426 from r-ryantm/auto-update/libtorrent-rasterbar
- 46e67960e03e @web-flow - Merge pull request #197279 from fabaff/metasploit-bump
- 0d37b5bf11ca @web-flow - Merge pull request #196554 from r-ryantm/auto-update/autorestic
- 3bcc8e1ac7ec @web-flow - Merge pull request #196408 from mweinelt/thunderbird
- 3367189eb6f6 @web-flow - Merge pull request #196461 from r-ryantm/auto-update/lefthook
- 499e75fe3194 @web-flow - Merge pull request #189406 from r-ryantm/auto-update/qbittorrent
- 5f41d9525a9e @web-flow - Merge pull request #195044 from r-ryantm/auto-update/python310Packages.msal
- 898dd0e87266 @web-flow - Merge pull request #194225 from figsoda/artem
- 9269709bec17 @web-flow - Merge pull request #193330 from r-ryantm/auto-update/python310Packages.types-urllib3
- 1e8213d556ea @web-flow - Merge pull request #191306 from r-ryantm/auto-update/flyway
- e221ed41ec4a @web-flow - Merge pull request #190680 from anthonyroussel/fix-flask-wtf
- 7d9aaa68da8e @web-flow - Merge pull request #190053 from anthonyroussel/fix-mitmproxy
- aaadf6612a3d @web-flow - Merge pull request #189116 from stigtsp/fix/perl-io-async-ssl-upgrade-error-staging-next
- 9cdfb3d950b5 @web-flow - Merge pull request #188804 from gador/flask-login-0.6.2
- 56daf120b113 @web-flow - Merge pull request #187121 from alyssais/colord-musl
- 9fdef95e3ef4 @web-flow - Merge pull request #187531 from tjni/fix-bitstring
- 26c03f3bf15f @web-flow - Merge pull request #187590 from trofi/libgccjit-lib-stripping-fix
- 07b19b321028 @web-flow - Merge pull request #187200 from LibreCybernetics/babl-fix
- 318695815990 @web-flow - Merge pull request #186580 from tjni/orjson-tzdata
- ff72265385eb @web-flow - Merge pull request #186842 from Lassulus/django-archivebox-hash
- 775bb14b9147 @web-flow - Merge pull request #186555 from tjni/fix-loguru
- b9106e11154e @web-flow - Merge pull request #186212 from stigtsp/perl-5.36.0-fallout-staging-next
- 58547ae85a10 @web-flow - Merge pull request #184902 from trofi/fix-openldap-markdown
- 7be3a05eb8f1 @web-flow - Merge pull request #182834 from mayflower/security-fixes
- bbe75628ca71 @web-flow - Merge pull request #182692 from mweinelt/uvicorn
- 35875ee05506 @web-flow - Merge pull request #182727 from trofi/raptor2-dynamic-by-default
- 66f6d190543e @web-flow - Merge pull request #182687 from YorikSar/upower-bump
- f4d202194fb3 @web-flow - Merge pull request #182668 from YorikSar/umockdev-bump
- f315837ee425 @web-flow - Merge pull request #182377 from trofi/fix-sbcl-on-aarch64-darwin
- 84bdacd8cb21 @web-flow - Merge pull request #182399 from SuperSandro2000/eventlet
Though I don't think this needs to be part of the RFC because it doesn't change any arguments.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, if you just add 79 to show that clear false positives are more numerours than «maybe, who knows», it does strengthen the argument about rarity of true directy pushes and their removal changing nothing at all.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm I don't think it matters though, it's all just caused by imperfect ways to get at the right data (my script and GitHub bugs in this case). These false positives have no influence on any arguments and in fact only distract from the main point. In fact I should just "fix" my script to not count any commits from @web-flow at all, then I don't need to mention this at all because there aren't any false positives anymore.
Note that these false positives in my script are completely unrelated to the false positives in the automatic notifications in NixOS/nixpkgs#118661, which do have an impact because they annoy people.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The false positives are relevant for two reasons.
- We know that what this RFC seeks to forbid is rare, but we don't even know if it ever happens at all nowadays.
- We do not have a real option to allow but closely watch and check after the fact if the case was exceptional, because no amount of waiting before asking GitHub will give you good data. «Allow-but-monitor» could be listed as an a priori plausible alternative by the way (with these false positives explaining why it doesn't work).
ETA: also comparison of web-flow and non-web-flow «positives» now and a few years ago tells us that most of the 5% back then were true positives unless GitHub has dramatically changed the bug occurence ratio between cases without fixing the (better defined) webflow case.
|
||
## Staging workflow | ||
|
||
The staging workflow is not affected because it [already uses pull requests](https://github.com/NixOS/nixpkgs/pull/241951) for all merges into the affected branches. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's not entirely true. Yes, the manual merge into staging-next is done with PR. However, there is also a workflow that automatically merges between master, staging and staging-next. And, as merge conflicts are a thing, these are often resolved with direct pushes.
Regarding the workflow for automatic merges. Can that still be kept? I am thinking here about a potential next step, commit signing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is conflict resolution using direct pushes to staging/staging-next, or also to master?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is conflict resolution using direct pushes to staging/staging-next, or also to master?
Right, I see now that staging*
is excluded. Generally speaking staging-next
to master
can be resolved by merging master
into staging-next
first.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the manual merge into staging-next is done with PR.
I'm pretty sure the initial merge from staging into staging-next is done manually. We only use a PR from staging-next into master.
Is conflict resolution using direct pushes to staging/staging-next, or also to master?
Yes, merge conflict resolution is usually done with direct pushes to staging-next.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We only use a PR from staging-next into master.
Right, I meant that one!
|
||
## Staging workflow | ||
|
||
The staging workflow is not affected because it [already uses pull requests](https://github.com/NixOS/nixpkgs/pull/241951) for all merges into the affected branches. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The staging workflow is not affected because it [already uses pull requests](https://github.com/NixOS/nixpkgs/pull/241951) for all merges into the affected branches. | |
The staging workflow is not affected because it [already uses pull requests](https://github.com/NixOS/nixpkgs/pull/241951) for all merges into the affected branches, and the staging branches themselves are not protected. |
Or any other wording to help resolve the ambiguity at first read.
- `release-*`: Used for stable channels | ||
|
||
Staging branches are intentionally not included, because they will already require a pull request when they inevitably need to get merged into one of the above branches. | ||
The same applies to similar long-term branches like `haskell-packages`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The same applies to similar long-term branches like `haskell-packages`. | |
The same applies to similar long-term branches like `haskell-updates`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
...as we slouch deeper into the abyss of Github addiction...
rfcs/0156-no-direct-pushes.md
Outdated
This makes such commits susceptible to: | ||
- Be anonymous | ||
- Include malicious code | ||
- Be broken | ||
- Have poor code quality |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All of these would also be addressed by "Require signed commits || Require a pull request before merging".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As long as we use CI tied to PRs that depends on master evaluating with only specific deviations from cleanly, «be broken» does get easier to handle without direct pushes…
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm pretty sure signed commits doesn't make it harder to push malicious, broken or poor-quality code, why would it? The only thing it gets you is that commits can't be anonymous anymore.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm pretty sure signed commits doesn't make it harder to push malicious, broken or poor-quality code
It depends, for who. An attacker needs to have access not just to your token or ssh key for pushing, but also the signing key. If I am correct it's also not possible anymore to make changes via the API as it's lacking the signing key. Of course, our contributors can always still push something broken themselves.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see, yeah I didn't consider such an attack scenario here. I'll definitely add this appropriately into the Alternatives and Future Work sections.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On the contrary. The crux of the issue is increasing our level of dependence on git-hub-specific features.
This can and does apply to any "forge" or any process for development.
It's not "must be github produced pull requests", but "tangible item that allows tracking the origin". If Nixpkgs had a mailing-lists development process, it would be "any change must be sent as a patch set / pull request", and thus provide the same tangible "item".
The principle behind the change does not entrenches into any specific tooling, it makes a pretty much already universal development process mandatory.
Neither does opening a PR and merging it.
This leaves a common tangible "item" to discuss about the bad contribution. Thus, the overall already near-universal development process is defined.
@infinisil do tell if you think I've misunderstood something here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah you're on point @samueldr. And while I do like the thought of switching off GitHub and signing commits, this is not the place to discuss it (I'll add it to Alternatives/Future Work though)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The crux of the issue is increasing our level of dependence on git-hub-specific features.
I'd also add to this that while GitHub has a UI for this, this is not GitHub specific. If it's later decided to host our own copy of the canonical Nix repository somewhere, you could still get the same feature this RFC asks for with a remote commit hook.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not "must be github produced pull requests", but "tangible item that allows tracking the origin".
The RFC does not say "tangible item that allows tracking the origin".
It says:
# Detailed design
Turn on GitHub's "Require a pull request before merging"
this is not GitHub specific
The text above specifically references git-hub.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The text above specifically references git-hub.
Aw come on, this is needlessly pedantic quibbling. Yes this is a GitHub feature, and therefore the RFC text mentions (and should mention) GitHub. No this is not a GitHub specific feature, as most other git forges offer a 1:1 equivalent.
I think the RFC implementation should also include a change to ofborg making it do something useful if the master branch does not evaluate cleanly. A remaining use case for pushing to master is when fixing evaluation failures that slipped in where opening a PR literally gains you nothing but clicking around uselessly since ofborg will fail regardless of your change. (This will of course not eliminate the annoyances of the PR workflow which is greatly exaggerated by the long CI wait time for trivial changes or trivial amends. That is definitely orthogonal to this RFC, though, and could be addressed by faster CI (if only!) or a merge queue.) |
## Emergency changes | ||
|
||
Sometimes channels have blocking breakages and need to be fixed as soon as possible (citation needed). | ||
Currently this can be done with direct pushes, but a pull request will be required with this proposal. | ||
The time required to fix such breakages however is barely affected: Since there is currently no requirement for pull requests to be approved or pass CI, they can get merged immediately after opening if necessary. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sternenseemann See this section. Pull requests don't need to pass CI before they can be merged. So if you would have committed directly before, you now just need to open a PR and merge it immediately, no need to wait for CI. (That's of course not a great workflow, but that's kind of the point of this RFC, making these things more discoverable)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, but my point still stands. If we are to force this workflow, it should also have benefits for the change author thelmselves—i.e. working CI. Everything else is just frustrating.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The current proposal only affects about 0.05% of commits, has effectively zero downsides, and can be implemented in 1 minute, making me fairly confident that we can get this accepted quickly.
While better CI would be nice, it would expand the scope to also affect the other 99.95% of commits, involve more tradeoffs and take much longer to design and implement. I'd rather split this into a separate RFC for the future. Let's take small improvements where we can.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As you say, this change affects very little and doesn't change anything about the fact that we need to trust commiters. If they are fixing a typo in the manual, a PR gives them the benefit of confirmation that they did not accidentally wreck the manual build—all we are doing is forcing them to appreciate this benefit. This is not the case in the case of an eval failure on master.
If we are to make PRs mandatory in every case, we should also make PR CI useful in every case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah we probably should, but this doesn't have to creep into the scope of this RFC. PR's are useful whether CI passes or not. If you have a concrete plan on how to improve CI, feel free to open a separate RFC, it's entirely orthogonal.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, PR CI is useful for you, PR discoverability is useful for everyone else—hopefully our commiters are Kantians and not frustrated by this…
What about the pull requests in distress? We have almost literally decades of opened pull requests. |
This RFC is now open for nominations! |
Nominating myself. I do have ideas that go way beyond the current proposal and which will hopefully yield another RFC eventually, but I'll take any easy wins for now :) |
[alternatives]: #alternatives | ||
|
||
- It would be possible to implement a third-party interface to de-anonymize future commits (even if pushed directly to master) using the [push event GitHub webhook](https://docs.github.com/en/webhooks-and-events/webhooks/webhook-events-and-payloads#push), which includes the `sender` field to match the pushing GitHub user. | ||
- This would not solve the other problems with direct pushes though: It still wouldn't notify others, trigger CI or be discoverable. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Notifications seem feasible to add if such a thing is implemented; however, I expect GitHub to lose some events on their side just as they lose PR metadata for web flow false positives (which is why the count is relevant there)
To determine whether a commit was pushed directly, the GitHub API was queried for pull requests associated with that commit (see [`associatedPullRequests`](https://docs.github.com/en/graphql/reference/objects#commit)). | ||
If this list includes a merged pull request to the Nixpkgs master branch, the commit is known to be merged with a pull request. | ||
Otherwise the commit could be directly pushed or be a false positives, which is why the above count is only an upper bound. | ||
All obvious false positives ([example](https://github.com/NixOS/nixpkgs/commit/b09d18903c24b8aca88100df86aa2fdd5f05dfcd)) have been removed from this count and listing already. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All obvious false positives ([example](https://github.com/NixOS/nixpkgs/commit/b09d18903c24b8aca88100df86aa2fdd5f05dfcd)) have been removed from this count and listing already. | |
All 79 obvious false positives ([example](https://github.com/NixOS/nixpkgs/commit/b09d18903c24b8aca88100df86aa2fdd5f05dfcd)) have been removed from this count and listing already. |
# Detailed design | ||
[design]: #detailed-design | ||
|
||
Turn on GitHub's "Require a pull request before merging" [branch protection rule](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule#creating-a-branch-protection-rule) for all branches whose commits get propagated into channels. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Turn on GitHub's "Require a pull request before merging" [branch protection rule](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule#creating-a-branch-protection-rule) for all branches whose commits get propagated into channels. | |
Require the changes from committers to go through the same technical process as external contributions for all branches whose commits get propagated into channels. | |
In our current situation, turn on GitHub's "Require a pull request before merging" [branch protection rule](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule#creating-a-branch-protection-rule). |
(I think this improves the situation from the point of view of separating we is the generic change and what is the GitHub implementation, @amjoseph-nixpkgs was rightfully complaining about the intermixing)
Nominating myself to help shepherd. |
Also, what about the pull requests which mysteriously vanish? Go ahead, try looking at the PR numbered one above (NixOS/nixpkgs#66439) or below (NixOS/nixpkgs#66437); both are there. What exactly happened here? |
I don't see how either question is on topic here, tbh |
This RFC does not touch on https://nixos.github.io/release-wiki/Release-Process.html which is a critical part of nixpkgs and requires direct pushes, at least for tagging purposes. I don't think the RFC can enter into action without (a) updating the release wiki (b) providing the appropriate replacements as long as they are reasonable. |
This was being discussed on Matrix. And I'd love to have another shepherd on this RFC so we can move forward. |
@infinisil an option that could exist to help, is an additional organization group for "trusted pushers" that can continue doing direct pushes, meaning that default committer access is not part of it. |
Is tag pushing restricted by branch protection? Do I understand correctly that a release branch is initialised as a copy of (But RFC will probably have to say something about both) |
After yesterday's chat on Matrix, @zimbatm rightfully pointed out that such simple decisions shouldn't get deadlocked on RFCs. So we decided to just try out enabling such branch protections for some time, see if it causes any problems, and remove it again if it causes problems (very unlikely): NixOS/nixpkgs#249117. And @RaitoBezarius was given exceptional direct push access until the release process doesn't use direct pushes anymore. I thank @zimbatm to probably all save us a whole bunch of time by not having to go through the RFC process for this! |
Not to self: Don't delete the branch, this RFC's contents are being referenced by NixOS/nixpkgs#249117 |
Removal of the direct push detection workflow: NixOS/nixpkgs#249151 |
Is the branch-protection that was just enabled also the reason for the "auto-merge" and blocking PRs with pending requested changes (even if I'm the one who filed the change requests)? Don't get me wrong, I'm not necessarily opposed to that[1], however as a committer I think it's reasonable to know about all changes made to the GH repo (to make sure I don't miss any change in process and mess something up) and generally I'd appreciate it if committers would at least be informed after doing that rather than having everyone to find out on their own why things are looking (and probably behaving) different. [1] Though I'm somewhat skeptical about the blocked merge in case of pending change requests |
@Ma27 Oh that's a good point, but let's discuss it here: NixOS/nixpkgs#249117 (comment) |
Require pull requests for all Nixpkgs commits. A slimmer and updated version of #79.
Rendered