From 6fa09ab0eef3239e107e75ce1b5f6a39b7b3cf38 Mon Sep 17 00:00:00 2001
From: Dawid Dziurla <dawidd0811@gmail.com>
Date: Wed, 6 May 2020 16:53:39 +0200
Subject: [PATCH] pr-automerge: match only approved PRs by default

Also remove default `--with-label` value and add `--without-approval`
option.

Reviews could be automatically dismissed on new commits pushed (there is
an option for that in repository settings on Github). That is not the
case for labels. They remain attached to a PR, even when new commits are
pushed. This is undesirable and creates security concerns, because
someone could introduce untested code just before the automerge happens.

Co-authored-by: Eric Knibbe <enk3@outlook.com>
---
 Library/Homebrew/dev-cmd/pr-automerge.rb | 11 +++++++----
 docs/Manpage.md                          |  4 +++-
 manpages/brew-cask.1                     |  2 +-
 manpages/brew.1                          |  8 ++++++--
 4 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/Library/Homebrew/dev-cmd/pr-automerge.rb b/Library/Homebrew/dev-cmd/pr-automerge.rb
index 471cfc2c7e..c7aadd8ea1 100644
--- a/Library/Homebrew/dev-cmd/pr-automerge.rb
+++ b/Library/Homebrew/dev-cmd/pr-automerge.rb
@@ -16,9 +16,11 @@ module Homebrew
       flag   "--tap=",
              description: "Target tap repository (default: `homebrew/core`)."
       flag   "--with-label=",
-             description: "Pull requests must have this label (default: `ready to merge`)."
+             description: "Pull requests must have this label."
       comma_array "--without-labels=",
                   description: "Pull requests must not have these labels (default: `do not merge`, `new formula`)."
+      switch "--without-approval",
+             description: "Pull requests do not require approval to be merged."
       switch "--publish",
              description: "Run `brew pr-publish` on matching pull requests."
       switch "--ignore-failures",
@@ -33,12 +35,13 @@ module Homebrew
     pr_automerge_args.parse
 
     ENV["HOMEBREW_FORCE_HOMEBREW_ON_LINUX"] = "1" unless OS.mac?
-    with_label = Homebrew.args.with_label || "ready to merge"
     without_labels = Homebrew.args.without_labels || ["do not merge", "new formula"]
     tap = Tap.fetch(Homebrew.args.tap || CoreTap.instance.name)
 
-    query = "is:pr is:open repo:#{tap.full_name} label:\"#{with_label}\""
-    query += args.ignore_failures? ? " -status:pending" : " status:success"
+    query = "is:pr is:open repo:#{tap.full_name}"
+    query += Homebrew.args.ignore_failures? ? " -status:pending" : " status:success"
+    query += " review:approved" unless Homebrew.args.without_approval?
+    query += " label:\"#{with_label}\"" if Homebrew.args.with_label
     without_labels&.each { |label| query += " -label:\"#{label}\"" }
     odebug "Searching: #{query}"
 
diff --git a/docs/Manpage.md b/docs/Manpage.md
index a6eccb4505..aaae77fd29 100644
--- a/docs/Manpage.md
+++ b/docs/Manpage.md
@@ -858,9 +858,11 @@ Find pull requests that can be automatically merged using `brew pr-publish`.
 * `--tap`:
   Target tap repository (default: `homebrew/core`).
 * `--with-label`:
-  Pull requests must have this label (default: `ready to merge`).
+  Pull requests must have this label.
 * `--without-labels`:
   Pull requests must not have these labels (default: `do not merge`, `new formula`).
+* `--without-approval`:
+  Pull requests do not require approval to be merged.
 * `--publish`:
   Run `brew pr-publish` on matching pull requests.
 * `--ignore-failures`:
diff --git a/manpages/brew-cask.1 b/manpages/brew-cask.1
index f9487b6347..1e989ae15e 100644
--- a/manpages/brew-cask.1
+++ b/manpages/brew-cask.1
@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "BREW\-CASK" "1" "April 2020" "Homebrew" "brew-cask"
+.TH "BREW\-CASK" "1" "May 2020" "Homebrew" "brew-cask"
 .
 .SH "NAME"
 \fBbrew\-cask\fR \- a friendly binary installer for macOS
diff --git a/manpages/brew.1 b/manpages/brew.1
index 39b4c97fdd..0cd099327f 100644
--- a/manpages/brew.1
+++ b/manpages/brew.1
@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "BREW" "1" "April 2020" "Homebrew" "brew"
+.TH "BREW" "1" "May 2020" "Homebrew" "brew"
 .
 .SH "NAME"
 \fBbrew\fR \- The Missing Package Manager for macOS
@@ -1103,13 +1103,17 @@ Target tap repository (default: \fBhomebrew/core\fR)\.
 .
 .TP
 \fB\-\-with\-label\fR
-Pull requests must have this label (default: \fBready to merge\fR)\.
+Pull requests must have this label\.
 .
 .TP
 \fB\-\-without\-labels\fR
 Pull requests must not have these labels (default: \fBdo not merge\fR, \fBnew formula\fR)\.
 .
 .TP
+\fB\-\-without\-approval\fR
+Pull requests do not require approval to be merged\.
+.
+.TP
 \fB\-\-publish\fR
 Run \fBbrew pr\-publish\fR on matching pull requests\.
 .