The process of dependency updates using `dependabot` is hindered

[XiShanYongYe-Chang]

Hello, maintainers~

We recently improved in our repo by using dependabot to automatically upgrade dependencies. However, we encountered an issue: some of the dependencies in this repository are for the node.js environment, and their package prefixes include the '@' symbol. When dependabot submits a PR, it includes the package name in the commit message and the PR title, like this:

build(deps-dev): bump @changesets/cli from 2.27.6 to 2.29.8 in /u

You can also check it in karmada-io/dashboard#326

In addition, the repo also uses prow for label management. However, the invalidcommitmsg plugin does not allow commit messages to contain the '@' symbol, nor does it allow the title of a Pull Request to contain the '@' symbol. This creates a conflict: we need to manually remove the '@' symbol from the PR title and modify the commit message accordingly.

prow/pkg/plugins/invalidcommitmsg/invalidcommitmsg.go

Line 39 in 476eedb

invalidCommitMsgCommentBody = `[Keywords](https://help.github.com/articles/closing-issues-using-keywords) which can automatically close issues and at(@) or hashtag(#) mentions are not allowed in commit messages.

prow/pkg/plugins/invalidcommitmsg/invalidcommitmsg.go

Line 51 in 476eedb

invalidTitleCommentBody = `[Keywords](https://help.github.com/articles/closing-issues-using-keywords) which can automatically close issues and at(@) mentions are not allowed in the title of a Pull Request.

I checked the relevant commit information and found that this was done to prevent a large amount of spam emails.

I conducted a test in my public repository by including the "@" symbol in the commit message or PR title, followed by specifying a real GitHub account. The owner of this account did not receive any email, even though they had set up email notifications and their notification settings for the repository were set to "Participating and @mentions." In addition, I checked the relevant information provided by GitHub Configuring notifications, which does not seem to indicate that including the "@" symbol in commit messages or PR titles would trigger the platform to send emails to the specified GitHub account.

If my testing method was incorrect, please help me correct it. Thank you!

Based on the above background, I would like to consult whether the check rule for the "@" symbol in the invalidcommitmsg plugin is still necessary. Could there be a configurable option to allow users to choose to skip the check for the "@" symbol?

Looking forward to your reply, thank you.

[XiShanYongYe-Chang]

Hi @petr-muller @BenTheElder I'm very sorry to disturb you, but would you be willing to take a look?

[BenTheElder]

Hi @petr-muller @BenTheElder I'm very sorry to disturb you, but would you be willing to take a look?

@XiShanYongYe-Chang in the future please just file an issue and the appropriate contributors will get to it when they can. We all have a lot to do, and one day is not long in this repo.

I conducted a test in my public repository by including the "@" symbol in the commit message or PR title, followed by specifying a real GitHub account. The owner of this account did not receive any email, even though they had set up email notifications and their notification settings for the repository were set to "Participating and @mentions." In addition, I checked the relevant information provided by GitHub Configuring notifications, which does not seem to indicate that including the "@" symbol in commit messages or PR titles would trigger the platform to send emails to the specified GitHub account.

I'm not sure about your testing, but I have personally had enourmous spam from this functionality in the past before kubernetes started blocking commits with it, it has notified me even when people are pushing the offending commit to their fork.

I don't remember it being documented behavior then, so I'm not thrilled about the idea of potentially permitting this spam again.

Note that prow is primarily sponsored as a SIG Testing project for developing Kubernetes itself and we are overloaded at the moment / in need of maintainers. I'm currently not working on prow and wrapped up in other Kubernetes bugs.

It would be great if dependabot had a way to escape these messages.

[BenTheElder]

Based on the above background, I would like to consult whether the check rule for the "@" symbol in the invalidcommitmsg plugin is still necessary. Could there be a configurable option to allow users to choose to skip the check for the "@" symbol?

Yes, opt-in config options are generally fine, especially if they are of very limited complexity.

[XiShanYongYe-Chang]

@BenTheElder Thank you very much for your reply.

@XiShanYongYe-Chang in the future please just file an issue and the appropriate contributors will get to it when they can. We all have a lot to do, and one day is not long in this repo.

Sorry for tagging you so abruptly. I think I will be familiar with the process by now, and I will patiently wait for someone who is familiar with the issue to respond to me. After receiving some clear guidance and decisions, I am also very willing to contribute.

Note that prow is primarily sponsored as a SIG Testing project for developing Kubernetes itself and we are overloaded at the moment / in need of maintainers. I'm currently not working on prow and wrapped up in other Kubernetes bugs.

Thanks, I got it.

Yes, opt-in config options are generally fine, especially if they are of very limited complexity.

If there are appropriate contributors to determine or guide, I would be happy to participate and contribute.

[XiShanYongYe-Chang]

I'm not sure about your testing, but I have personally had enourmous spam from this functionality in the past before kubernetes started blocking commits with it, it has notified me even when people are pushing the offending commit to their fork.

I understand the frustration of being bombarded with spam, so I paid close attention during my testing.

To help interested people better understand this issue, let me explain in detail how I conducted my tests:

I submitted a PR in my personal repository, using @ to reference an actual existing GitHub account in the commit and title of the PR. The PR is as follows:

XiShanYongYe-Chang/karmada#15

And then I have confirmed with the account owner that the event listening policy for his repository is Participating and @mentions. After submitting the PR, he did not receive any emails regarding it.

[matthyx]

@XiShanYongYe-Chang I was wondering if you could automate the PR re-titling with an action like that:

name: 'Rename Dependabot PR'

on:
  pull_request:
    types: [opened, reopened, synchronize] # Run when a PR is opened or new commits are pushed

jobs:
  rename:
    # Only run the job if the PR was opened by Dependabot
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      # Need permission to read the current PR and write the new title
      pull-requests: write 
      
    steps:
      - name: Get current PR details
        id: pr_details
        uses: actions/github-script@v7
        with:
          script: |
            // 1. Get the current title
            const currentTitle = context.payload.pull_request.title;
            
            // 2. Define the transformation logic (replace '@' with an empty string or ' ')
            // The regex matches '@' followed by any word character and replaces it with ' '
            // Example: 'bump @changesets/cli' -> 'bump changesets/cli'
            const newTitle = currentTitle.replace(/@(\w+)\//, '$1/'); 
            
            // If you want to completely remove the scope operator and just keep the package name:
            // const newTitle = currentTitle.replace('@', '');

            // Log the result and set it as an output variable
            console.log(`Original Title: ${currentTitle}`);
            console.log(`New Title:      ${newTitle}`);
            core.setOutput('new_title', newTitle);
            core.setOutput('pr_number', context.payload.pull_request.number);
            
      - name: Update PR Title
        # Only run if the title actually changed
        if: steps.pr_details.outputs.new_title != context.payload.pull_request.title
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            // Use the GitHub REST API to update the PR title
            const prNumber = core.getInput('pr_number');
            const newTitle = core.getInput('new_title');

            await github.rest.pulls.update({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: prNumber,
              title: newTitle,
            });
            
            console.log(`Successfully updated PR #${prNumber} title to: ${newTitle}`);

[XiShanYongYe-Chang]

@matthyx Thanks for your reply ^-^

However, commit messages seem unable to be resolved in this way.

To help interested people better understand this issue, let me explain in detail how I conducted my tests:

Is my test valid?

[matthyx]

I don't know about your test or the initial issue, but I trust @BenTheElder on that.

Here is an updated action that should take care of the message too:

name: 'Rename Dependabot PR and Body'

on:
  pull_request:
    types: [opened, reopened, synchronize]

jobs:
  rename:
    name: Rename PR Title and Body
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write # Still need write permission
      
    steps:
      - name: Prepare new Title and Body
        id: pr_details
        uses: actions/github-script@v7
        with:
          script: |
            // 1. Get the current title and body
            const currentTitle = context.payload.pull_request.title;
            const currentBody = context.payload.pull_request.body;
            
            // 2. Define the cleanup function
            // This function takes a string and removes the @ symbol from scoped package names:
            // e.g., '@changesets/cli' -> 'changesets/cli'
            // We use a global regex (g) to catch all instances in the body.
            const cleanupText = (text) => {
              if (!text) return '';
              // Regex: matches @ followed by one or more word characters, followed by /, and replaces it with the captured group ($1) and the /
              // It handles both title and body content.
              return text.replace(/@(\w+)\//g, '$1/'); 
            };
            
            // 3. Apply the cleanup function
            const newTitle = cleanupText(currentTitle);
            const newBody = cleanupText(currentBody);

            // Log the results
            console.log(`Original Title: ${currentTitle}`);
            console.log(`New Title:      ${newTitle}`);
            console.log(`Original Body (snippet): ${currentBody.substring(0, 50)}...`);
            console.log(`New Body (snippet): ${newBody.substring(0, 50)}...`);

            // 4. Set output variables
            core.setOutput('new_title', newTitle);
            core.setOutput('new_body', newBody);
            core.setOutput('pr_number', context.payload.pull_request.number);
            
      - name: Update PR Title and Body
        # Only run if the title or body actually changed
        if: steps.pr_details.outputs.new_title != context.payload.pull_request.title || steps.pr_details.outputs.new_body != context.payload.pull_request.body
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const prNumber = core.getInput('pr_number');
            const newTitle = core.getInput('new_title');
            const newBody = core.getInput('new_body');
            
            // Use the GitHub REST API to update the PR, including the new body
            await github.rest.pulls.update({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: prNumber,
              title: newTitle,
              body: newBody, // <--- This line updates the PR message
            });
            
            console.log(`Successfully updated PR #${prNumber} title and body.`);

[XiShanYongYe-Chang]

Yes, opt-in config options are generally fine, especially if they are of very limited complexity.

Hi @matthyx, in fact, I tend to agree with this viewpoint, setting it up to be configurable, though I'm unsure about the difficulty level.

[XiShanYongYe-Chang]

Here is an updated action that should take care of the message too:

Thanks @matthyx, let me have a try~

[RainbowMango]

Glad to meet you here @BenTheElder~

I believe what @BenTheElder said, that invalidcommitmsg was added for good reasons at the time.

Given GitHub has evolved, I think we should first confirm whether the original risk that invalidcommitmsg was guarding against still exists. If no, or partly no, we could consider relief from the invalidcommitmsg. Maybe we can reach out to the GitHub support team to confirm the behavior.

If the risk is still present, consider the two approaches:

• Ask Dependabot team to change the way it sends PRs.
• Enhance invalidcommitmsg with configuration: allow ignore rules and/or a maintainer-approved override path.

[XiShanYongYe-Chang]

@matthyx I make some minor modifcation to the script, and successfully changed the title.

name: 'Rename Dependabot PR and Body'

on:
  pull_request:
    types: [opened, reopened, synchronize]

jobs:
  rename:
    name: Rename PR Title and Body
    # if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write # Still need write permission
      
    steps:
      - name: Prepare new Title and Body
        id: pr_details
        uses: actions/github-script@v7
        with:
          script: |
            // 1. Get the current title and body
            const currentTitle = context.payload.pull_request.title;
            const currentBody = context.payload.pull_request.body;
            
            // 2. Define the cleanup function
            // This function removes the @ symbol from:
            // - scoped package names: '@changesets/cli' -> 'changesets/cli'
            // - GitHub usernames: '@xx-abc' -> 'xx-abc'
            // - package names with hyphens: '@angular-devkit/build-angular' -> 'angular-devkit/build-angular'
            // We use a global regex (g) to catch all instances in the body.
            const cleanupText = (text) => {
              if (!text) return '';
              // Regex: matches @ followed by one or more word characters or hyphens
              // [\w-]+ matches word characters (a-z, A-Z, 0-9, _) and hyphens
              // This handles both '@scope/package' and '@username' patterns
              return text.replace(/@([\w-]+)/g, '$1'); 
            };
            
            // 3. Apply the cleanup function
            const newTitle = cleanupText(currentTitle);
            const newBody = cleanupText(currentBody);

            // Log the results
            console.log(`Original Title: ${currentTitle}`);
            console.log(`New Title:      ${newTitle}`);
            console.log(`Original Body (snippet): ${currentBody.substring(0, 50)}...`);
            console.log(`New Body (snippet): ${newBody.substring(0, 50)}...`);

            // 4. Set output variables
            core.setOutput('new_title', newTitle);
            core.setOutput('new_body', newBody);
            core.setOutput('pr_number', context.payload.pull_request.number);
            
      - name: Update PR Title and Body
        # Only run if the title or body actually changed
        if: steps.pr_details.outputs.new_title != github.event.pull_request.title || steps.pr_details.outputs.new_body != github.event.pull_request.body
        env:
          PR_NUMBER: ${{ steps.pr_details.outputs.pr_number }}
          NEW_TITLE: ${{ steps.pr_details.outputs.new_title }}
          NEW_BODY: ${{ steps.pr_details.outputs.new_body }}
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const prNumber = parseInt(process.env.PR_NUMBER);
            const newTitle = process.env.NEW_TITLE;
            const newBody = process.env.NEW_BODY;
            
            // Use the GitHub REST API to update the PR, including the new body
            await github.rest.pulls.update({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: prNumber,
              title: newTitle,
              body: newBody, // <--- This line updates the PR message
            });
            
            console.log(`Successfully updated PR #${prNumber} title and body.`);

https://github.com/XiShanYongYe-Chang/karmada/actions/runs/20218617958/job/58035948489

This script modifies the PR description for annother content, but it can not change the commit message. I think that is may not be easy to achieve through action.

[matthyx]

oh, right, sorry I thought you only needed to change the PR title and eventually the message - I didn't read correctly that you wanted to change the commit too...