Dependabot commits always fail ECA validation

In terms of what the service is checking, failure is the correct answer, but we should probably look at how we validate users to see if there is a clean way of handling accounts like dependabot (widespread usage external bots).

Before we do anything, let's wait for answers to our questions on the bug that triggered this issue: https://bugs.eclipse.org/bugs/show_bug.cgi?id=570548

@mbarbero Looking at the issue, it looks like the current solution to the issue is to support the field github.com-dependabot. I'm concerned about the scalability and maintainability of this solution, as it pertains to additional types of active bots on other services. We would need to patch in new exception cases into the API for some services but not others. Are there any thoughts to how we can address this?

Created by: mbarbero

Issue is that we cannot really support "support@github.com" as a valid bot email without some context as this email address is used by many github services that we may or may not support. We need some context to describe why "support@github.com" is effectively considered as the email address of a bot account.

@mbarbero that works for me.

@autumnfound Do you have any other questions or concerns? If not, let's add it to your to-do list!

I still have concerns but I can take care of it yeah

@autumnfound Please share, we can discuss this here!

it comes down to scalability. How do we scale for things that we don't know yet? Do we go lax and just match on all bots that have a key of (sitename)-.* for watching for bots, or do we code specific bots and make patches whenever we introduce a new bot (which would be hard to maintain)

We just had a call to hash out the solution, and we will be updating our bot logic to check if any of the bot email addresses match the commit email address. This was pointed out as a potential use case for things like repository mirroring, and that these email addresses are aliases, rather than separate entities.

Additionally, there was no limiting of bots to the current project, which was pointed out in the above-stated call. The PR for this issue also fixes this issue.

Created by: gdams

I have raised a feature request in the dependabot repo to help work around this. https://github.com/dependabot/dependabot-core/issues/3849

changed title from Dependabot commits always fail ECA validation to Dependabot commits always fail ECA validation

added Enhancement + 1 deleted label

added to epic eclipsefdn&15 (closed)

Currently we ask that users track dependabot through the Bots API and not just apply it to projects. @mbarbero do you think we should add a bypass for dependabot since its so dang common, or should we stick with current methods for now?

I guess we could go with adding 49699333+dependabot[bot]@users.noreply.github.com (the current email address used by dependabot) to an allowlist (IIRC, we already have one, correct?)

Let us know if you do that, so that we can remove the dependabot specifics from https://github.com/EclipseFdn/projects-bots-api/blob/master/src/main/jsonnet/extensions.jsonnet

Sounds good. I'll add this to my backlog and take care of it. Once its done I'll update this issue and ping you in it!

added statetodo label

assigned to @malowe

mentioned in merge request !90 (merged)

added statedone label and removed statetodo label

This change has been submitted, and I'll be pushing this live in the next few days.

mentioned in commit b9a5bb39

Change is live

closed

mentioned in commit 1e824278