cigna / gitrdonebot Goto Github PK
View Code? Open in Web Editor NEWLicense: Other
gitrdonebot's People
Contributors
Stargazers
Watchers
gitrdonebot's Issues
Comment when no assignee on MR
Proposed feature: if MR assigneeId is null, grab a list of repo members and randomly suggest one of them to assign to.
Further design questions to discuss:
- could either be a potential enhancement for existing BotAction (TooManyAssigned or SelfMerge) or a standalone BotAction
- limitations of GitLab API in grabbing repo members by project ID only - members with inherited permissions from group will not show up
- how would the presence of a
CODEOWNERSfile affect this feature?
Consistency of threshold checks for bot actions
Make sure the threshold checks are consistent across all bot actions, specifically for including the min or max of the threshold.
Overhaul logging
Currently, the logging is very basic and not optimized from an Ops/Observability perspective. Let's take a look at how we can refresh our logging to:
- have better error vs info vs debug logging
- refine which objects/object properties are logged
Refactor GitLabResponse Classes?
There is a decent amount of overlap between the GitLabGetResponse and GitLabPostResponse classes. We should look into refactoring to either combine them into a single class, or creating a base abstract class to extend them both from.
Gamification of GRDB
Gamification - things like tracking and reporting on streaks, potentially introducing leaderboards, etc - could increase adoption of good Merge Request practices.
Make `New GitWhoDis` Accept Configurable Options
Allow groups hosting instances of GRDBot to configure their default GitLAb user account names globally.
For example: a default GitLab user for a company is a specifically formatted LAN ID.
npm audit found vulnerabilities
=== npm audit security report ===
# Run npm update ini --depth 8 to resolve 18 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless > @serverless/cli > @serverless/core > │
│ │ package-json > registry-auth-token > rc > ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1589 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless > @serverless/cli > @serverless/template > │
│ │ @serverless/core > package-json > registry-auth-token > rc > │
│ │ ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1589 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless-offline [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless-offline > update-notifier > latest-version > │
│ │ package-json > registry-auth-token > rc > ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1589 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless > @serverless/cli > @serverless/core > │
│ │ package-json > registry-url > rc > ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1589 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless > @serverless/cli > @serverless/template > │
│ │ @serverless/core > package-json > registry-url > rc > ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1589 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless-offline [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless-offline > update-notifier > latest-version > │
│ │ package-json > registry-url > rc > ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1589 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless > @serverless/cli > @serverless/utils > rc > ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1589 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless > @serverless/utils > rc > ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1589 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless > @serverless/components > │
│ │ @serverless/platform-sdk > rc > ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1589 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless > @serverless/enterprise-plugin > │
│ │ @serverless/platform-sdk > rc > ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1589 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless > @serverless/components > @serverless/utils > rc │
│ │ > ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1589 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless > rc > ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1589 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless > update-notifier > latest-version > package-json │
│ │ > registry-auth-token > rc > ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1589 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless > update-notifier > latest-version > package-json │
│ │ > registry-url > rc > ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1589 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless > @serverless/components > ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1589 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless > download > caw > get-proxy > npm-conf > │
│ │ config-chain > ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1589 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless > update-notifier > is-installed-globally > │
│ │ global-dirs > ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1589 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless-offline [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless-offline > update-notifier > is-installed-globally │
│ │ > global-dirs > ini │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1589 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 18 low severity vulnerabilities in 1651 scanned packages
run `npm audit fix` to fix 18 of them.
Set up Actions for test automation
Bot Action Class as an Abstract Class?
We do not have any need for actual instances of the Bot Action class, only extension. We should look into making this an abstract class.
Add hyperlinks back into hashtag comments
Once our documentation is public, reintroduce hyperlinks that point to those docs to the GRDBot message hashtags.
Consistent Naming In Tests
Ensure naming refactors have been carried over to all tests, including test descriptions and comments, for maintainability.
Improve clarity of links to resources
Look into ways of redesigning hashtags in messages GRDB leaves on MR to make it clear that they are hyperlinks to useful resources.
GenericResponse rename?
Should we rename GenericResponse to be more clear or make it extensible (then have BotActionResponse extend it)? The current implementation could cause confusion because right now it is "generic" but not related to a more specific response.
Add back logging of incoming event for observability
Need to add back logging of incoming event to troubleshoot errors.
Example from today:
{
"errorType": "TypeError",
"errorMessage": "Cannot read property 'author' of null",
"stack": [
"TypeError: Cannot read property 'author' of null",
" at Object.exports.getMergeRequestEventData (\/var\/task\/src\/merge_request\/helpers.js:19:58)",
" at Object.<anonymous> (\/var\/task\/src\/bot_actions\/bot_action.js:101:51)",
" at Generator.next (<anonymous>)",
" at \/var\/task\/src\/bot_actions\/bot_action.js:8:71",
" at new Promise (<anonymous>)",
" at __awaiter (\/var\/task\/src\/bot_actions\/bot_action.js:4:12)",
" at Object.runBotActions (\/var\/task\/src\/bot_actions\/bot_action.js:100:12)",
" at \/var\/task\/handler.js:69:56",
" at Generator.next (<anonymous>)",
" at fulfilled (\/var\/task\/handler.js:5:58)"
]
}
Publish code documentation to gitpages
Blocker - need to get GitHub Actions up and running, then use existing npm script job to publish code documentation.
Provide feedback for an invalid config file
Users could be adding custom config files that are invalid in some way (e.g. misspelled property names, invalid thresholds) and not know it. We could add a section to the GRDBot comment to let users know so they can take steps to fix it if they choose.
Introductory Hello from GRDB
It would be helpful for GRDB to post some helpful tips and tricks when it is added to a project for the first time. This could be in the form of opening a new "Introductory Hello from GRDB" Issue that would lay out the good Merge Request practices GRDB encourages teams to adopt. Additionally, GRDB could highlight some useful default project settings.
Automate Npm Audit Fix
Schedule regular, automated fixes (and post-fix testing) to the extent possible, perhaps using GitHub Actions.
OPS Priority: Serverless deprecations need to be addressed ASAP
Deprecation warning: Detected ".env" files. Note that Framework now supports loading variables from those files when "useDotenv: true" is set (and that will be the default from next major release)More InfoDeprecation warning: Starting with next major version, default value of provider.lambdaHashingVersion will be equal to "20201221"More InfoDeprecation warning: Starting with next major version, API Gateway naming will be changed from "{stage}-{service}" to "{service}-{stage}". Set "provider.apiGateway.shouldStartNameWithService" to "true" to adapt to the new behavior now.More InfoDeprecation warning: Starting with next major version, API Gateway-specific configuration keys "apiKeys", "resourcePolicy" and "usagePlan" will be relocated from "provider" to "provider.apiGateway"More Info
`apiRequest` object is confusing
apiRequestas a part of the response object can be kind of confusing.- Should we just tack those values onto the base response object?
- This might not be an issue if we combine the response objects #6
Update Custom Config
TooManyAssigned Bot Action has constructiveFeedbackOnlyToggle property in the .grdb.json config file but doesn't need it.
SelfMerge needs a custom config section, but doesn't have it.
Overall, we show little use of this feature in general, should we prioritize or retire it?
Comment when there are too many Similar Commit Messages
Very similar Commit Messages in a MR may not always be ideal.
Note: We should consider if commit message analysis belongs in an MR specific bot? There does not seems to be another more appropriate event.
Research
Good use of similar commit messages
update: add unit tests to feature_branch_1update: add unit tests to feature_branch_2chore: remove commented-out code from devchore: rebase local branch from dev
Bad use of similar commit messages
remove filesremove testsworking code?working test?
Notice: One is indicative of a sense of order and parallelism. The other shows a lazy programmer using the same type of commit messages for a variety of loosely related scenarios`.
A few approaches that might work
- Check whether any commit message contains any other commit message
- Calculate the string distance between the two closes strings
- Calculate the average pairwise string distance between every string.
Nag toggle/Sassy Meter
People might have fun with being able to get sassier comments. We should allow teams to customize comment type so they can get either "cheeky" or more "enthusiastic" comments. This would also enable a wider variety of messages so teams don't get accustomed and "code blind" to seeing the same message all the time.
We should enable two settings:
- a constant rotation of diverse comments for the same Bot Action
- progressively "sassier" comments if the same person/team continuously violates the same BotAction good behavior
Add a contributing guidelines doc on `purpose of bot actions` which includes clear scope.
What makes a proposed feature a good bot action? What kinds of things do we want tackle? We need to make sure we communicate this clearly in the README to guide future contributions.
Replace 3rd Party `Parse Diff Package`
The current package is out of sync with newer version of GitLab and is no longer being supported.
Look for a better library and if none exists, write our own.
"warmup" plugin offered by Serverless?
Individual hosting teams might create a CloudWatch Rule that pings the lambda every 15 minutes to keep it "warm" as outlined in this article.
The serverless framework now offers a "warmup" plugin that may provide a more elegant solution to this problem and reduce operations overhead.
This issue should investigate the plugin approach to address the cold start problem.
npm audit found vulnerabilities
=== npm audit security report ===
# Run npm install [email protected] to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Server-Side Request Forgery │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ axios │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless > @serverless/components > │
│ │ @serverless/platform-client > axios │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1594 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Server-Side Request Forgery │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ axios │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless > @serverless/enterprise-plugin > │
│ │ @serverless/platform-client > axios │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1594 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 high severity vulnerabilities in 1651 scanned packages
2 vulnerabilities require semver-major dependency updates.
Reassess which property is being used to calculate oldest commit age
When computing the oldestCommit value for BranchAge Bot Action, we currently calculate by comparing the created_at timestamp to the timestamp of the time we receive the Merge Request Hook event from GitLab.
However, I have observed cases where the created_at and committed_date values (along with the actual id of the commit) change while the authored_date stays the same for the same commit. Further investigation is required to understand under which circumstances this change takes place.
I propose that we update BranchAge to calculate oldestCommit value based on authored_date.
See below for a real example (with user data masked) pulled from the logs today:
The commit when the MR event first got sent to GRDBot
{
"name": "BranchAge",
"statusCode": 200,
"action": {
"goodGitPractice": false,
"mrNote": ":loudspeaker: This merge request has a pretty old commit. You should try and merge more frequently to keep your commits on branches fresh. [#BranchAgeAnalysis](https:\/\/github.com\/Cigna\/GitRDoneBot#2-branch-age)"
},
"computedValues": {
"oldestCommit": {
"id": "a1234",
"short_id": "a12",
"created_at": "2020-12-11T20:07:07.000Z",
"parent_ids": [],
"title": "does some stuff",
"message": "does some stuff",
"author_name": "River Tam",
"author_email": "[email protected]",
"authored_date": "2020-12-08T20:18:48.000Z",
"committer_name": "River Tam",
"committer_email": "[email protected]",
"committed_date": "2020-12-11T20:07:07.000Z"
}
}
The same commit when the MR sent an update event 10 minutes later
{
"name": "BranchAge",
"statusCode": 200,
"action": {
"goodGitPractice": true,
"mrNote": ":star: It\u2019s great that you\u2019re committing and merging code frequently - the commits on this branch aren\u2019t old or stale. Good job! [#BranchAgeAnalysis](https:\/\/github.com\/Cigna\/GitRDoneBot#2-branch-age)"
},
"computedValues": {
"oldestCommit": {
"id": "b1234",
"short_id": "b12",
"created_at": "2021-01-11T19:01:50.000Z",
"parent_ids": [],
"title": "does some stuff",
"message": "does some stuff",
"author_name": "River Tam",
"author_email": "[email protected]",
"authored_date": "2020-12-08T20:18:48.000Z",
"committer_name": "River Tam",
"committer_email": "[email protected]",
"committed_date": "2021-01-11T19:01:50.000Z"
}
}
}
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.