
Disable "Automated security fixes" on Wikimedia Org
Closed, Resolved · Public

Description

As our GitHub repos are mostly just mirrors, "Automated security fixes" are mostly useless on an org level, and create a maintenance burden to close PRs etc.

Should we disable it globally, and then just re-enable it on any specific repo that actually wants it / is developed canonically in GitHub?

https://github.com/organizations/wikimedia/settings/security

Noting this doesn't change the behaviour of the "Security Alerts", which are per repo, and the notifications are per user per their settings. It just stops the PR bot.

Event Timeline

Reedy created this task. Mon, Nov 4, 11:00 PM
Restricted Application added a subscriber: Aklapper. Mon, Nov 4, 11:00 PM

+1. Let's just have those on "live" (non-mirror) repos over there. But keep the security alerts.

Reedy updated the task description. Mon, Nov 4, 11:06 PM

The bot creates quite a lot of email spam for me, as it seems to ignore the notification settings.

Reedy updated the task description. Tue, Nov 5, 4:48 PM
Krinkle added a subscriber: Krinkle. Tue, Nov 5, 8:45 PM

+1. Already disabled on various repos by hand. Thanks for creating this task.

Reedy triaged this task as High priority. Tue, Nov 5, 9:04 PM

I intend to do this by the end of the week, barring any major issues/complaints.

It seems fruitful to publicise this on mediawiki-l/wikitech-l, so that anyone who requires this feature on a specific repo turns it on again, which is obviously less work than just leaving it globally on and having to turn it off for most repos.

This comment was removed by MarcoAurelio.

To be more specific, I am getting notifications of pull requests from dependabot even for repositories I am not watching. The email footer says "You are receiving this because you have alerting access." and there doesn't seem to be any way to disable those per user, other than email filtering rules on the receiving end.

You're an org-admin ("Owner" in GitHub speak), so you can't disable them, I believe.
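The receiving-end filtering workaround mentioned in the exchange above, written out as an added example (it is not part of this task, nor Wikimedia or GitHub code): a small classifier that keeps Dependabot PR mail for repositories you actually watch and flags only the copies delivered because of owner-level "alerting access". The sample messages are constructed, and the `dependabot[bot]` display name in the From header is an assumption about how GitHub formats that mail; the footer wording is the one quoted in the comment above.

```python
"""Classify GitHub notification mail so that Dependabot PR mail delivered only
because the recipient has "alerting access" can be filtered on the receiving end.

Added example for this task, not Wikimedia or GitHub code. Sample messages are
constructed; the From display name is assumed, the footer text is quoted from
the task discussion. Adjust both matchers to what your real mail looks like.
"""
from email import message_from_string
from email.message import Message

# Footer reason quoted in the task; GitHub states why you got the mail there.
ALERTING_FOOTER = "You are receiving this because you have alerting access."
# Assumed display name used in the From header of Dependabot pull-request mail.
DEPENDABOT_MARKER = "dependabot[bot]"


def _plain_text(msg: Message) -> str:
    """Return the concatenated text/plain content of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        raw = part.get_payload(decode=True) or b""
        chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify(raw_message: str) -> str:
    """Label one raw RFC 822 message.

    'dependabot-alerting': Dependabot PR mail sent only because the recipient
                           has alerting (owner) access -> candidate to filter
    'dependabot-watched' : Dependabot mail for a repo the recipient watches -> keep
    'other'              : anything else -> keep
    Both the sender and the footer are checked: owners also receive mail with
    the alerting footer from humans, and Dependabot mail for watched repos
    carries a different footer, so either condition alone would be too broad.
    """
    msg = message_from_string(raw_message)
    if DEPENDABOT_MARKER not in msg.get("From", ""):
        return "other"
    if ALERTING_FOOTER in _plain_text(msg):
        return "dependabot-alerting"
    return "dependabot-watched"


def partition(raw_messages):
    """Split raw messages into the ones to keep and the ones to filter."""
    keep, filtered = [], []
    for raw in raw_messages:
        (filtered if classify(raw) == "dependabot-alerting" else keep).append(raw)
    return {"keep": keep, "filter": filtered}


# Constructed sample messages (repository names and versions are made up).
SAMPLE_ALERTING = """From: dependabot[bot] <notifications@github.com>
Subject: [wikimedia/example-mirror] Bump example-dep from 1.0.0 to 1.0.1 (#1)

Bumps example-dep from 1.0.0 to 1.0.1.

--
You are receiving this because you have alerting access.
Reply to this email directly or view it on GitHub.
"""

SAMPLE_WATCHED = """From: dependabot[bot] <notifications@github.com>
Subject: [wikimedia/example-live] Bump example-dep from 1.0.0 to 1.0.1 (#7)

Bumps example-dep from 1.0.0 to 1.0.1.

--
You are receiving this because you are watching this repository.
"""

SAMPLE_HUMAN = """From: Reedy <notifications@github.com>
Subject: [wikimedia/example-live] Fix typo (#8)

Looks good, merging.

--
You are receiving this because you commented.
"""

if __name__ == "__main__":
    for name, raw in (("alerting", SAMPLE_ALERTING), ("watched", SAMPLE_WATCHED), ("human", SAMPLE_HUMAN)):
        print(f"{name:9s} -> {classify(raw)}")
```

The same two-condition rule (sender contains `dependabot[bot]` and body contains the alerting footer) translates directly into a Sieve or mail-client filter; checking only the footer would also catch mail from people, and checking only the sender would drop Dependabot PRs on repositories you deliberately watch.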

Reedy added a comment. Sat, Nov 9, 1:35 AM

Disabled. Emails to come.