pr-automerge: match only approved PRs by default

Also remove default `--with-label` value and add `--without-approval`
option.

Reviews could be automatically dismissed on new commits pushed (there is
an option for that in repository settings on Github). That is not the
case for labels. They remain attached to a PR, even when new commits are
pushed. This is undesirable and creates security concerns, because
someone could introduce untested code just before the automerge happens.

Co-authored-by: Eric Knibbe <enk3@outlook.com>

Library/Homebrew/dev-cmd/pr-automerge.rb

@@ -16,9 +16,11 @@ module Homebrew
       flag   "--tap=",
              description: "Target tap repository (default: `homebrew/core`)."
       flag   "--with-label=",
-             description: "Pull requests must have this label (default: `ready to merge`)."
+             description: "Pull requests must have this label."
       comma_array "--without-labels=",
                   description: "Pull requests must not have these labels (default: `do not merge`, `new formula`)."
+      switch "--without-approval",
+             description: "Pull requests do not require approval to be merged."
       switch "--publish",
              description: "Run `brew pr-publish` on matching pull requests."
       switch "--ignore-failures",
@@ -33,12 +35,13 @@ module Homebrew
     pr_automerge_args.parse
 
     ENV["HOMEBREW_FORCE_HOMEBREW_ON_LINUX"] = "1" unless OS.mac?
-    with_label = Homebrew.args.with_label || "ready to merge"
     without_labels = Homebrew.args.without_labels || ["do not merge", "new formula"]
     tap = Tap.fetch(Homebrew.args.tap || CoreTap.instance.name)
 
-    query = "is:pr is:open repo:#{tap.full_name} label:\"#{with_label}\""
+    query = "is:pr is:open repo:#{tap.full_name}"
-    query += args.ignore_failures? ? " -status:pending" : " status:success"
+    query += Homebrew.args.ignore_failures? ? " -status:pending" : " status:success"
+    query += " review:approved" unless Homebrew.args.without_approval?
+    query += " label:\"#{with_label}\"" if Homebrew.args.with_label
     without_labels&.each { |label| query += " -label:\"#{label}\"" }
     odebug "Searching: #{query}"
 

docs/Manpage.md

@@ -858,9 +858,11 @@ Find pull requests that can be automatically merged using `brew pr-publish`.
 * `--tap`:
   Target tap repository (default: `homebrew/core`).
 * `--with-label`:
-  Pull requests must have this label (default: `ready to merge`).
+  Pull requests must have this label.
 * `--without-labels`:
   Pull requests must not have these labels (default: `do not merge`, `new formula`).
+* `--without-approval`:
+  Pull requests do not require approval to be merged.
 * `--publish`:
   Run `brew pr-publish` on matching pull requests.
 * `--ignore-failures`:

manpages/brew-cask.1

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "BREW\-CASK" "1" "April 2020" "Homebrew" "brew-cask"
+.TH "BREW\-CASK" "1" "May 2020" "Homebrew" "brew-cask"
 .
 .SH "NAME"
 \fBbrew\-cask\fR \- a friendly binary installer for macOS

manpages/brew.1

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "BREW" "1" "April 2020" "Homebrew" "brew"
+.TH "BREW" "1" "May 2020" "Homebrew" "brew"
 .
 .SH "NAME"
 \fBbrew\fR \- The Missing Package Manager for macOS
@@ -1103,13 +1103,17 @@ Target tap repository (default: \fBhomebrew/core\fR)\.
 .
 .TP
 \fB\-\-with\-label\fR
-Pull requests must have this label (default: \fBready to merge\fR)\.
+Pull requests must have this label\.
 .
 .TP
 \fB\-\-without\-labels\fR
 Pull requests must not have these labels (default: \fBdo not merge\fR, \fBnew formula\fR)\.
 .
 .TP
+\fB\-\-without\-approval\fR
+Pull requests do not require approval to be merged\.
+.
+.TP
 \fB\-\-publish\fR
 Run \fBbrew pr\-publish\fR on matching pull requests\.
 .