[PROPOSAL] Automate merging of branch version bump PRs #5501
Description
What/Why
What are you proposing?
We should enable repo/admin-level automation to merging branch version bump PRs because maintainers aren't doing it.
What users have asked for this feature?
I requested it in the 2.14.0 retrospective.
I have repeatedly nagged other plugin maintainers to merge upstream dependencies so I can close mine.
I have received pushback from other plugin maintainers for the above nagging, blocking my efforts to actually close open PRs on repos that I maintain.
Other mentions of automation or enforcement of version bumping:
- Automation version increments make PRs that don't pass CI #2706
- Enforce post-release activities #2949
What problems are you trying to solve?
This, on a repo I maintain (source).
And this on an upstream dependency, blocking me from merging mine (source).
And this on another upstream dependency, blocking me from merging mine (source).
Organization-wide, opensearch-project has 204 unmerged version bump PRs.
These are literally mouse clicks away from being closed, but it takes upstream repos to lead the way.
What is the developer experience going to be?
For maintainers like me, the ability to merge PRs on their repo because upstream repositories have appropriate versioning.
For maintainers who don't care about these PRs, they won't have to lift a finger. How awesome is that?
More seriously, minor version bump PRs are assumed to have been cut as part of automation (Autosync) and multiple developers spent multiple hours dealing with the aftermath of a branch cut prior to a version bump in the 2.14 release. That's at least an hour of my time wasted, multiplied by at least 4 other developers.
Are there any security considerations?
Patch version bumps are one of the biggest culprits here, because patch releases rarely happen.
However, when they do, it's usually for a very important issue that can't wait until the next release cycle. In this case, having plugins wait for multiple upstream dependencies to merge their patch version bumps could slow our ability to react to these.
Are there any breaking changes to the API
Nope.
What is the user experience going to be?
Seeing plugin repositories that are well-maintained without a huge backlog of ignored PRs that discourage them from contributing.
Are there breaking changes to the User Experience?
Nope.
Why should it be built? Any reason not to?
It should be built because automation already exists to create the PRs; they can be auto-merged by a bot with appropriate powers to do so, when all dependencies are met.
It should be built to save the time and effort of maintainers to do the same. In particular, GitHub action retries expire after 30 days, requiring a minute or so of effort to re-try a version bump PR after a month of upstream repos ignoring it... or similar effort to search and identify whether it's able to be merged. It's a distraction and complete waste of developer time.
What will it take to execute?
Whatever automation creates the PRs can be given the power to merge them if CI checks are gren.
Any remaining open questions?
Why don't we just require maintainers to do this? Actually, we do, in Release Checklists, which specify merging these version bumps as part of the checklist. There are 453 open Release Checklist issues and while 3.0.0 and 2.17.0 are a couple hundred of those, there are far more than that.
Acceptance Criteria
- Auto increment version PRs should be merged as soon as they have a passing CI and maintainer approval.
- If upstream (core) as well as depend plugins such as common-utils, job-scheduler have their PRs merged, re-run all other plugins' CI daily.
- Remove any duplicate version increment workflows from repos to avoid confusion and false negatives.