Fully agree with you Ismaël.
The issue is that it CAN write directly. For example here: https://github.com/Fokko/avro/pull/35 If you ask dependabot to merge it, it will be merged into master. And therefore it will ask for write access to the repository.

Recently dependabot has been acquired <https://dependabot.com/blog/hello-github/> by Github, so I guess we can ask Github to sign a CLA :-)

It is worth a shot discussing this upstream in the ASF. Dependabot letting us know when there is a library with known CVEs will make the software much safer.

Cheers, Fokko

On Tue 28 May 2019 at 10:46, Ismaël Mejía <ieme...@gmail.com> wrote:
> +1 for Black, great idea and in line with the changes we did with spotless for the Java code base.
>
> About dependabot I think this is an interesting case to discuss in upstream apache lists. So far ASF allows bots that do not touch the code, for example for metadata, as we do with the autolabeler bot. If I understand correctly dependabot does not change the code, it opens Pull Requests and it is up to a committer to decide or not if the code is good. Or does it write directly?
>
> I suppose that even if technically it is possible, there could be an authorship issue to be discussed. Can bots sign an ICLA :D living in the future mates!
>
> On Tue, May 28, 2019 at 10:01 AM Driesprong, Fokko <fo...@driesprong.frl> wrote:
> >
> > Thanks, Michael, for working on this. I think having an auto formatter for Python is valuable since it will decrease the conflicts in the future. For now, we need to do a big PR to get all the files in the correct format.
> >
> > We need to add to the CI: black --check --diff . This will throw a non-zero exit code if there is something to format. So that the author of the PR needs to apply black to let the CI pass. We should make this part of the build.sh of the python3 project.
> >
> > I don't think that such a CI service exists, and I also think it is a bad idea. The author should format his code beforehand.
> >
> > I've also looked into setting up Dependabot for Avro, but this is against the Apache rules because the Dependabot integration requires write permissions on the repository, which isn't allowed. Hope this helps.
> >
> > Cheers, Fokko
> >
> > On Tue 28 May 2019 at 03:39, Michael A. Smith <mich...@smith-li.com> wrote:
> > >
> > > I am working on making all the py and py3 code consistent with https://github.com/python/black, but once done it'd be great if we could keep it consistent. I will look into adding hooks and stuff for yetus/TravisCI, but is there a way to have an automation that can periodically do all the formatting for us, and open pull requests with any changes required?
> > >
> > > I mean like dependabot, but instead of opening a PR to update dependencies, it opens a PR that does isort, black, docformatter, or whatever we want.
> > >
> > > This way, we get consistent style without it being an "enforcement priority" in PRs by humans. If someone has a valuable contribution, we don't have to do a back-and-forth with them about style and formatting.
> > >
> > > If there's interest I could look into implementing something with existing CI tools, or using github actions.
> > >
> > > What do y'all think?
> >