Third party write access to code repositories is expressly forbidden by 
Foundation policy:

https://infra.apache.org/repository-access.html



Infra has worked with GitHub to prevent dependabot from being able to write to 
our repos, but it appears that it is still able to under some circumstances. We 
will open yet another support case with GitHub regarding this.

Here is an example of a third party commit:

https://github.com/apache/commons-io/pull/264

https://lists.apache.org/thread.html/ra4ca6fdfd6dd75e4579c334ca7f012df69ca00908dd48b645c1a7339%40%3Ccommits.commons.apache.org%3E


This write access to commons-io appears to be in violation of the 
aforementioned policy. 

Dependabot's email alerts are currently the only acceptable method for working 
with the tool.


-Chris
ASF Infra



> On Aug 30, 2021, at 10:53 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
> 
> The Apache git repo must be mirrored from Apache to GitHub, for example
> https://github.com/apache/commons-io, then you add a .github folder and
> files (see above link).
> 
> Gary
> 
> On Mon, Aug 30, 2021, 09:43 Lewis John McGibbney <lewi...@apache.org> wrote:
> 
>> Thanks Gary and Sebb.
>> How do I turn dependabot on? Last time I tried I was informed that due to
>> the program requiring write permissions to the repository, it wasn’t
>> possible…
>> This policy must have changed…
>> Thanks for any info.
>> lewismc
>> 
>> On 2021/08/29 14:42:00 Gary Gregory wrote:
>>> Most of Apache Commons' components are happy users of Dependabot, which is
>>> used on our GitHub mirrored repositories.
>>> 
>>> Gary
>>> 
>>> 
>>> On Sun, Aug 29, 2021, 10:38 lewis john mcgibbney <lewi...@apache.org> wrote:
>>> 
>>>> Hi builds@,
>>>> I was advised to ask my question here instead of general@incubator.
>>>> Thanks for any feedback
>>>> 
>>>>> I understand that we cannot use automated tooling, specifically Dependabot
>>>>> (https://dependabot.com/) because it requests write access to the ASF
>>>>> project source code.
>>>>> I have found this functionality to be really useful and wondered if there
>>>>> are any suggestions out there for automating the dependency management
>>>>> workflow?
>>>>> Thanks for any feedback.
>>>>> lewismc
>>>> --
>>>> http://home.apache.org/~lewismc/
>>>> http://people.apache.org/keys/committer/lewismc
>>>> 
>>> 
>> 
