Idea - Scapegoat as a bot? #312
Comments
This is a great idea.
You could have a file in the repo like .scapegoat which enables specific
rules, and leaves _everything_ disabled by default.
…On Sun, 15 Mar 2020 at 12:23, Greg Oledzki ***@***.***> wrote:
I continue to be impressed about the concept and execution of
@scala-steward <https://github.com/scala-steward>. It automates the
boring stuff and serves remediations in an undoubtedly convenient way for
the project maintainers.
How about we have an opt-in Scapegoat Bot patrolling open-source Scala
projects?
The only problem I see is that while upgrading dependencies hardly ever
spurs controversies (Scala Steward), some of our inspections might be seen
as questionable (Scapegoat).
What we would need as well is some mechanism for fixes (scalafix?), not
only for flagging suspicious code as we do now.
I've been recently planning to implement a Scalastyle GitHub App which posts code issues back as inline PR comments (similar to the PR decoration feature which I implemented in sonar-scala here, but as a standalone GitHub App without the need for SonarQube.) Scalastyle is a bit simpler to do because it doesn't need to compile your code, so it executes fairly quickly and you can easily run it on e.g. lambda on AWS for a fairly low cost even at a large scale. Scapegoat is a compiler plugin so the compilation stage makes it a bit more resource heavy + you need to execute it via sbt for each project, which adds a bit of security risk of potential arbitrary code execution that you need to protect yourself against - but it's definitely a great idea and it's definitely doable. (Scapegoat GitHub App was going to be next on my list 😃)
If we were able to run Scapegoat standalone, without the need for the Scala compiler, then we could do this. Briefly looking over the ruleset, we don't need access to much that isn't syntactic, only VarClosure and UnreachableCatch.
I continue to be impressed about the concept and execution of @scala-steward. It automates the boring stuff and serves remediations in an undoubtedly convenient way for the project maintainers.
How about we have an opt-in Scapegoat Bot patrolling open-source Scala projects?
The only problem I see is that while upgrading dependencies hardly ever spurs controversies (Scala Steward), some of our inspections might be seen as questionable (Scapegoat).
What we would need as well is some mechanism for fixes (scalafix?), not only for flagging suspicious code as we do now.