Can the ability to issue Dependabot commands be delegated?

[EliahKagan]

From #1882 (comment):

[..] But I cannot myself close #1878.

Now that this repository is in an organization, permissions are much more fine-grained. If you have suggestions on how to make your life easier, I'd be happy to make adjustments.

For Dependabot PRs specifically, I'm not sure if there's anything that can reasonably be done. Dependabot follows commands issued in comments by users with write access.

(Anyone who can comment can write a comment that looks like it contains a Dependabot command, and this does notify Dependabot. But Dependabot entirely ignores such comments unless the user has write access to the repository. So, for example, I was of course able to post #1878 (comment), but Dependabot did not acknowledge the command.)

Maybe rulesets and CODEOWNERS with branch protection rules can be used with the effect of conferring this ability in a fine-grained way. But I am not sure.

• If write access is given to allow me to issue Dependabot commands, while also being effectively "taken away" by making it so that I cannot push anything that makes changes at any path on any branch, then that might work, so long as Dependabot would itself still be able to carry out commands like @dependabot merge.
• If write access is also given to allow me to also push to the feature branches of Dependabot pull requests (dependabot/** branches), but Dependabot is not restricted in what it can modify, then this is similar to the ability to create and merge an arbitrary pull request to the main branch. Although pushing to Dependabot branches is useful for manually fixing things up, most of the time it is not needed.

[Byron]

I'd be happy to just provide blanket write access to keep it simple. main is protected and bypasses are only allowed for admins, so I don't think there would be a way to have anything 'snuck' in, in case of compromise for example. So any kind of exploit would be temporary at best, I'd sleep well.
Given your stance on security, I think I am the liability here 😅.

[Byron]

Sorry for the hassle, it turned out I created a team but didn't add you to it.

This has now been fixed and you should have write permissions on the gitoxide repository.
I hope that works.

[EliahKagan]

Thanks--it looks like everything is working now. (I haven't used any new capabilities, as yet. But the UI shows me indications of them, such as the ability to rerun CI including on main, to change the draft status of arbitrary PRs, etc. And I can see the team and that I am a member of it.)

[EliahKagan]

As expected, I am able to issue Dependabot commands: #1889 (comment)

[EliahKagan]

I hope it's okay that I've merged the small dependency/tooling related PRs #1892 and #1893 without reviews. I think such is within the realm of what the new capabilities are intended to facilities, but I would (as always!) be pleased to receive feedback in this area.

[Byron]

I appreciate your help in that regard and trust your judgement. As I still see all the changes, I am comfortable that you keep doing what you think is best. You definitely are the expert here and I am barely catching up with the wealth of detail that is typically provided here (so my opinion is of limited value, if I have one even).