by guessmyname 3026 days ago
I did this 3 years ago.

I created a bot that would scan for private SSH keys to connect to AWS and other services; it also warned about leaked software licenses for SublimeText and other popular programs at the time. While many people appreciated the initiative, it was not taken the best way by others. Ultimately, GitHub suspended my account and I had to explain what it was all about.

One year later, through my employer, I created another bot to scan for security vulnerabilities in projects written in Ruby, Python, PHP and Node.js; this time I already knew that I would need to contact GitHub beforehand to find out what the limits of the "automation" were. They simply stated that — at the time — no automation was allowed, which was quite surprising because CI is automation. Travis and other services are allowed to do things there, so I didn't understand why my bot was different.

I reported to my employer that we would need to shut down that project and move on to something different. One year later, I find that GitHub implemented a (semi) vulnerability scanner for a selected group of programming languages, warning the repository owners about problems with their software dependencies. I cannot be mad about this, it's their service, but it still made me a bit angry.


Assuming you're talking about a bot similar to the OP's that scans random projects you don't own, that's very different from CI, which is explicitly configured by projects.

But if they are maintaining "no automation" as a rule, CI should not really be allowed.

This really depends on how you define automation. CI on GitHub depends on webhooks, which is an officially supported part of the API. So there isn't anything unsolicited happening.

I just don't think there's any meaningful claim that CI explicitly configured by maintainers using officially supported channels should be lumped in the same category as automated scraping of repositories for creating PRs.

Sure, there are many definitions of automation that would include both of these things, but I think it's obvious what GitHub intends in practice.

The automation wouldn't be doing anything unsolicited either, since it's only doing things that have been defined in the UI.

Perhaps they didn't mean automation per se, but CI is certainly automation, automatic merging, as in not manually merged by a human.

Perhaps a better rule would have been, no automation on repos not controlled by yourself.

The actual rule is no "excessive automated bulk activity".

https://help.github.com/articles/github-terms-of-service/

That being the case, it seems like OP's bot probably should have been allowed, especially since it seemed like they were only automating their repos.

If it's defined in the UI, that doesn't make it solicited. I can go to any repository for someone I've never heard of and make a PR as a human. That is still unsolicited. I think the concern is the combination of unsolicited and automated.

IMHO there's a world of difference between automation that touches your projects and automation that touches projects of many other users, and that seems to be a key part of their criteria.

I just got one of those warnings yesterday and found it very useful. Shame you were not permitted to continue the work you had planned to do on that! It was a worthwhile idea.

GitHub, a site for programmers of all kinds, does not allow automated bots. Oh, the irony!

Ps. Another reason why we mostly host on BitBucket ;)

GitHub does allow bots (they are even marked as [bot]), but the user must opt in to them before they can do PRs or other interactions with repositories.

Do you have an example of this marking? I've seen many bots on GitHub, but I don't recall that any of them was marked specially.

It's relatively recent, I think. An example of a PR: https://github.com/andreparames/odoo/pull/5

Notice that Apps and Bots are two different things.

Checking that pull request and comparing the URL of the user with the blue avatar, you notice that the username marked as "bot" is actually an App [1], but the user [2] — linked at the bottom of the right sidebar — is a regular GitHub account (with no "bot" marking). I am not sure how they are different at a technical level; maybe the App is a webhook and the User is the one interacting with the API. In any case, they are two different things.

[1] https://github.com/apps/dependabot

[2] https://github.com/dependabot-bot

Not very ironic, since the last thing you want is a bunch of amateur unsolicited bots bothering everyone and making the same mistakes OP made.

I assume the whole point of the rule was to stop people spamming people, right? It sucks because you were trying to do the right thing, but I can maybe see where they were coming from.