rulesets: implement allowed-merge-apps

[marcoieni]

Close #2198

[marcoieni]

It was already present in the branch protection. See #2046

[marcoieni]

for simplicity, I put directly the ID, to avoid having another rest API to call GitHub to query for the ID.
Also, this app is only used in crates-io, so I thought adding an enum between app name and ID was overengineering. We can refine this later if needed.

You can see from the screenshot of the issue linked in the PR body that this app is in the bypass list.

[Kobzol]

Tbh I would rather add the enum variant to document what are all the integrations that we care about (and hardcode the app ID in code, same as we do for bors and Renovatebot).

[github-actions]

Dry-run check results

[WARN  sync_team] sync-team is running in dry mode, no changes will be applied.
[INFO  sync_team] synchronizing crates-io
[INFO  sync_team] synchronizing github
[INFO  sync_team] 💻 Repo Diffs:
    📝 Editing repo 'rust-lang/crates.io':
      Rulesets:
          Updating 'main'
            Include Branches: ["~DEFAULT_BRANCH"] => ["refs/heads/main"]
            Bypass Actors: None => Some([RulesetBypassActor { actor_id: 2201425, actor_type: Integration, bypass_mode: Always }])

[marcoieni]

From https://docs.github.com/en/rest/repos/rules?apiVersion=2022-11-28#get-a-repository-ruleset:

[marcoieni]

adding this to minimize the sync team dry run diff

[marcoieni]

@Kobzol one doubt I have: does it makes sense to have merge-bots and bypass-app-ids separated?

[Kobzol]

No, I don't think so. I would suggest merging (:laughing:) merge-bots and bypass-app-ids into allowed-merge-apps, to mirror the already existing allowed-merge-teams.

[marcoieni]

If I delete merge-bots than retrocompatibility becomes a mess. I.e. I need to change all repos files 🤔
Should we do it in another PR?
Should I momentarely add this github app in "merge-bots"? and then rename it in a separate PR?

[Kobzol]

merge-bots is currently used only on rust-lang/rust and nowhere else, so I don't see why we would need to change all repo files 🤔

[marcoieni]

Here is the dry run diff:

Rulesets:
          Updating 'main'
            Include Branches: ["~DEFAULT_BRANCH"] => ["refs/heads/main"]
            Bypass Actors: None => Some([RulesetBypassActor { actor_id: 2201425, actor_type: Integration, bypass_mode: Always }])

updating the branch to a fixed one from the default is fine.
The bypass actors are changing, but I wonder if this is because the dry run read token doesn't have the read permission for the bypass actors.

EDIT: AI confirmed that's the case

[Kobzol]

This is not for this PR, but I think that those two (along with forbid creation) should be the default.

[marcoieni]

I removed homu because it was unused.
Also I kept the "MergeBot" name here to minimize LoC changed for this PR

[marcoieni]

Not sure why after my latest changes the dry run diff increased:

    📝 Editing repo 'rust-lang/crates.io':
      Rulesets:
          Updating 'main'
            Include Branches: ["~DEFAULT_BRANCH"] => ["refs/heads/main"]
            Bypass Actors: None => Some([RulesetBypassActor { actor_id: 2201425, actor_type: Integration, bypass_mode: Always }])
            Require code owner review: deleting `false`
            Required status checks: deleting `Backend / Lint (integration_id: 15368), Backend / Test (integration_id: 15368), Backend / dependencies (integration_id: 15368), Frontend / Lint (integration_id: 15368), Frontend / Test (integration_id: 15368)`
            Strict policy for status checks: deleting `false`
            Required approvals: deleting `0`
            Dismiss stale reviews on push: deleting `false`
            Require review thread resolution: deleting `false`
            Require last push approval: deleting `false`

[marcoieni]

I think AI is right:

I'm investigating how I can fix this

[marcoieni]

I decided to setup this field explicitly instead of inferring it via code (in case the app is bors).
But let's see the dry run.

[Kobzol]

This should be changed to check if allowed_merge_apps contains Bors (not just that it is empty). That should fix the diff.

[marcoieni]

yes, but I thought that having the config more explicit was better instead of this custom logic. Wdyt? 🤔

[Kobzol]

I think that this logic is fine. The high-level config should be "bors managed this branch", and then team should do whatever is necessary to make that happen. Setting pr-required = false just exposes (just one) implementation detail of that. So I'd rather just say that bors can push to this branch, and interpret that is it being bors managed, and set the various protection options accordingly.

[marcoieni]

ok, I'll change this

[rustbot]

This PR was rebased onto a different main commit. Here's a range-diff highlighting what actually changed.

Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers.

[marcoieni]

The dry run looks good now:

    📝 Editing repo 'rust-lang/crates.io':
      Rulesets:
          Updating 'main'
            Include Branches: ["~DEFAULT_BRANCH"] => ["refs/heads/main"]
            Bypass Actors: None => Some([RulesetBypassActor { actor_id: 2201425, actor_type: Integration, bypass_mode: Always }])