approve.auto_approve_usernames

Added

• add approve.auto_approve_usernames to enable Kodiak to auto approve PRs. This option enables bots like Dependabot to automatically merge PRs when the GitHub Branch Protection "Required approving reviews" is configured. See https://kodiakhq.com/docs/recipes#automated-dependency-updates-with-dependabot for an example.

Improved event processing and update efficiency

Fixed

• fixed status event handler triggering reevaluations of all PRs in a repository. Now we only trigger updates for PRs directly related to a status event. (#248)
• replaced inaccurate webhook event schemas with simplified versions to curtail parsing errors. Now we only parse the little information we need from each webhook event. This issue was preventing some webhook events from triggering reevaluations of PRs. (#262, #261)

fix branch deletion and PR evaluation on branch update

Fixed

• fixed merge.delete_branch_on_merge deleting branches that had open PRs against them. This fix eliminates a confusing bug where it would look like Kodiak closed the dependent PR. What happened was Kodiak deleted a branch on which that PR was dependent, so the PR was forced to be closed by GitHub. (#232)
• fixed bug in webhook event handling where we wouldn't trigger evaluation for PRs when their dependent branch updated. We now use the push event to trigger evaluation of PRs that depend on the pushed ref. (#244)

.github/.kodiak.toml and partial commit signature support

Added

• add support for placing .kodiak.toml at .github/.kodiak.toml.

Changed

• updated warnings to allow commit signature branch protection setting when "merge" is configured as Kodiak's merge method. Kodiak is able to create signatures for merge commits, but not for squash and rebase merge methods (GitHub limitation).

Fixed

• add handling to support reviews created by bots. A bot is not compatible with user API endpoints, so when a bot review was added Kodiak would fail when evaluating permissions on the bot.

update.always and update.require_automerge_label

Added

• add update.always and update.require_automerge_label configuration options. When update.always = true, Kodiak will update a branch immediately, regardless of failing mergeability requirements (e.g. missing/failing checks, title blacklist regex, blacklist labels). When update.require_automerge_label = false with update.always = true, Kodiak will update a PR even if missing the automerge label defined in merge.automerge_label.

Deprecated

• discourage use of merge.update_branch_immediately configuration option. This setting will not be removed, but its use is discouraged because it can produce unexpected results. The behavior of update.always is easier to understand.

the great refactoring

Changed

• refactored core update/merge eligibility logic. This was a large change and should make future features significantly easier to implement and test.

Security

• removed potential Regex Denial of Service (ReDoS) vulnerability from merge.blacklist_title_regex by using a regex engine (rure) that guarantees linear time searching.

updating forks

Added

• updating of PRs made from forks. The merges API endpoint Kodiak had been using for updating branches didn't work across forks due to GitHub permissions. A new API endpoint was released in late May 2019 that avoided any permission issue, but wasn't noticed until 2019-12-12 🤦‍♀️. This change should make Kodiak more useful for public projects.

merge.do_not_merge

Added

• GITHUB_PRIVATE_KEY_BASE64 environment variable to support configuring GitHub private key via base64. This is a workaround to support Docker's .env files, which do not allow multi-line or quoted values (#191, #192).
• merge.do_not_merge configuration option to support updating PRs without merging them (#187).

Changed

• deprecate merge.block_on_reviews_requested, which is fundamentally broken and cannot be fixed (#180, #182).

Fixed

• fixed travis-ci check compression to support deprecated travis-ci status check format (#166).

prioritize_ready_to_merge configuration

Added

• merge.prioritize_ready_to_merge configuration option to immediately merge a PR if it's mergeable instead of placing it in the merge queue. This allows PRs to bypass those waiting to update in the queue if they are mergeable. See the README for more details.

update_branch_immediately configuration

Added

• merge.update_branch_immediately configuration option to immediately update a PR when the target is updated instead of waiting until just before the PR is merged. See README.md#config-with-comments-and-all-options-set for a more detailed explanation of this feature and potential drawbacks (#120)