RFR: 1072: Skara should validate the commit hash of a Backport PR

Kevin Rushforth kcr at openjdk.java.net
Mon Jun 7 23:20:41 UTC 2021

On Mon, 7 Jun 2021 23:09:25 GMT, Erik Joelsson <erikj at openjdk.org> wrote:

> Add a check for "Backport <hash>" titles that the given hash isn't the head of the PR itself. If the user mistakenly uses that hash, Skara is very likely to get fooled into thinking the backport is clean.
> While investigating this, I also discovered that the CheckWorkItem was inconsistent with not repeating "backport" errors, so I implemented a general mechanism for this, which guarantees that the same exact error message is never repeated. I believe this will be good enough, and certainly better than the existing behavior.

bots/pr/src/main/java/org/openjdk/skara/bots/pr/CheckWorkItem.java line 232:

> 230:             if (m.matches()) {
> 231:                 var hash = new Hash(m.group(1));
> 232:                 if (pr.headHash().equals(hash)) {

Isn't it the hash of the first commit in the PR, rather than the HEAD commit of the PR, that is likely to cause the problem? In case there is more than one commit in the PR, might it be better to check whether it is an ancestor of the HEAD commit?


PR: https://git.openjdk.java.net/skara/pull/1184
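
The difference between the head-equality check in the quoted snippet and the ancestor check suggested in the reply, as an added example that is not part of the original message or Skara's code. The commit graph, the placeholder hash names and the helper methods are constructed for illustration and do not use Skara's API.

```java
import java.util.ArrayDeque;
import java.util.HashSet;
import java.util.List;
import java.util.Map;

public class BackportHashCheck {
    // Constructed commit graph: child -> parents. Hash names are placeholders.
    static final Map<String, List<String>> PARENTS = Map.of(
        "base0", List.of(),
        "orig1", List.of("base0"),   // original fix on the mainline branch
        "rel1", List.of("base0"),    // tip of the release branch the PR targets
        "pr1", List.of("rel1"),      // first commit in the PR
        "pr2", List.of("pr1"));      // second commit, the PR head

    // Check from the quoted snippet: only the PR head itself is rejected.
    static boolean isPrHead(String titleHash, String prHead) {
        return prHead.equals(titleHash);
    }

    // Check suggested in the reply: reject any hash reachable from the PR head.
    static boolean isAncestorOrHead(String titleHash, String prHead) {
        var seen = new HashSet<String>();
        var todo = new ArrayDeque<String>(List.of(prHead));
        while (!todo.isEmpty()) {
            var commit = todo.pop();
            if (commit.equals(titleHash)) {
                return true;
            }
            if (seen.add(commit)) {
                todo.addAll(PARENTS.getOrDefault(commit, List.of()));
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // "pr2" is the head, "pr1" the first PR commit, "orig1" a real original commit.
        for (var titleHash : List.of("pr2", "pr1", "orig1")) {
            System.out.printf("Backport %s: head check rejects=%b, ancestor check rejects=%b%n",
                titleHash, isPrHead(titleHash, "pr2"), isAncestorOrHead(titleHash, "pr2"));
        }
    }
}
```

With a two-commit PR, a title naming the first commit (`pr1`) passes the head-equality check but is caught by the ancestor check, while the hash of the original commit on another branch (`orig1`) is accepted by both.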
