Page MenuHomePhabricator
Create Task
Maniphest T237337

Disable "Automated security fixes" on Wikimedia Org
Closed, ResolvedPublic
Actions

Description

As our GitHub are mostly just mirrors... "Automated security fixes" are mostly useless on an org level, and create a maintenance burden to close PR etc

Should we disable it globally, and then just re-enable it on any specific repo that actually want it/are developed canonically in GitHub?

https://github.com/organizations/wikimedia/settings/security

Noting this doesn't change the behaviour of the "Security Alerts", which are per repo, and the notifications are per user per their settings. It just stops the PR bot

Event Timeline

Reedy created this task.Nov 4 2019, 11:00 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 4 2019, 11:00 PM
MarcoAurelio subscribed.Nov 4 2019, 11:05 PM

+1. Let's just have those on "live" (non-mirror) repos over there. But keep the security alerts.

Reedy updated the task description. (Show Details)Nov 4 2019, 11:06 PM
Nikerabbit subscribed.Nov 5 2019, 10:16 AM

The bot creates quite a lot of email spam for me, as it seems to ignore the notification settings.

Reedy updated the task description. (Show Details)Nov 5 2019, 4:48 PM
Jdforrester-WMF added a project: Release-Engineering-Team-TODO.Nov 5 2019, 7:26 PM
Jdforrester-WMF subscribed.
Krinkle subscribed.Nov 5 2019, 8:45 PM

+1. Already disabled on various repos by hand. Thanks for creating this task.

Reedy triaged this task as High priority.Nov 5 2019, 9:04 PM

I intend to do this by the end of the week, barring any major issues/complaints.

It seems fruitful to publicise this on mediawiki-l/wikitech-l, and that anyone who requires this feature on a specific repo turns it on again. Which is obviously less work than just leaving it globally on and having to turn it off for most repos

MarcoAurelio added a comment.Nov 5 2019, 9:17 PM
This comment was removed by MarcoAurelio.
Nikerabbit added a comment.Nov 7 2019, 9:29 AM

To be more specific I am getting notifications of pull requests from dependabot even for repositories I am not watching. The email footer says "You are receiving this because you have alerting access." and there doesn't seem to be any way to disable those per user, other than email filtering rules on receiving end.

Jdforrester-WMF added a comment.Nov 7 2019, 4:39 PM
In T237337#5643446, @Nikerabbit wrote:

To be more specific I am getting notifications of pull requests from dependabot even for repositories I am not watching. The email footer says "You are receiving this because you have alerting access." and there doesn't seem to be any way to disable those per user, other than email filtering rules on receiving end.

You're an org-admin ("Owner" in GitHub speak), so you can't disable them, I believe.

Reedy added a comment.Nov 9 2019, 1:35 AM

Disabled.. Emails to come

Reedy closed this task as Resolved.Nov 9 2019, 1:43 AM
Reedy claimed this task.

https://lists.wikimedia.org/pipermail/wikitech-l/2019-November/092738.html and https://lists.wikimedia.org/pipermail/mediawiki-l/2019-November/048186.html

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits