In terms of what the service is checking, failure is the correct answer, but we should probably look at how we validate users to see if there is a clean way of handling accounts like dependabot (widespread usage external bots).
Designs
Child items
...
Show closed items
Linked items
0
Link issues together to show that they're related or that one is blocking others.
Learn more.
@mbarbero Looking at the issue, it looks like the current solution to the issue is to support the field github.com-dependabot. I'm concerned about the scalability and maintainability of this solution, as it pertains to additional types of active bots on other services. We would need to patch in new exception cases into the API for some services but not others. Are there any thoughts to how we can address this?
Issue is that we cannot really support "support@github.com" as a valid bot email without some context as this email address is used by many github services that we may or may not support. We need some context to describe why "support@github.com" is effectively considered as the email address of a bot account.
it comes down to scalability. How do we scale for things that we don't know yet? Do we go lax and just match on all bots that have a key of (sitename)-.* for watching for bots, or do we code specific bots and make patches whenever we introduce a new bot (which would be hard to maintain)
We just had a call to hash out the solution, and we will be updating our bot logic to check if any of the bot email addresses match the commit email address. This was pointed out as a potential use case for things like repository mirroring, and that these email addresses are aliases, rather than separate entities.
Additionally, there was no limiting of bots to the current project, which was pointed out in the above-stated call. The PR for this issue also fixes this issue.
Currently we ask that users track dependabot through the Bots API and not just apply it to projects. @mbarbero do you think we should add a bypass for dependabot since its so dang common, or should we stick with current methods for now?
I guess we could go with adding 49699333+dependabot[bot]@users.noreply.github.com (the current email address used by dependabot) to an allowlist (IIRC, we already have one, correct?)