How to verify pull requests are coming from us
In the past, we saw an attack performed against Greenkeeper and its users in which pull requests were sent by an from a fake account. It was called “greenkeeperlo-bot”, rather than “greenkeeperio-bot”, and so the whole experience closely resembled the Greenkeeper look and feel. We added a verification feature to our service which adds a status check to each Greenkeeper pull request. With this, there are now three indicators that the pull request is genuine:
-
The pull request author is
greenkeeper [bot]
, from the Greenkeeper GitHub app -
The pull request origin is a different branch of the same repo, not an external repo
-
The pull request has a status check from
greenkeeper/verify
Any questions or feedback?
If there is anything unclear about this, or if you have other ideas for signals we could be sending please send us an email or get in touch via Twitter.
Happy developing!