Bug: App is confused with regular user when approving Pull Requests


#1

GitHub’s backend is mixing up app names and regular user names in Pull Request reviews. If an app with name “foo” adds a pull request review, querying the API will show details about the user “foo” instead.


#2

Here is a bot to prove this bug: https://github.com/apps/defunkt
Here is a PR approved by @defunkt himself: https://github.com/rarkins/defunkt-approves/pull/1


Here’s the response from https://api.github.com/repos/rarkins/defunkt-approves/pulls/1/reviews:

[
  {
    "id": 82783847,
    "user": {
      "login": "defunkt",
      "id": 34475535,
      "avatar_url": "https://avatars1.githubusercontent.com/u/6311784?v=4",
      "gravatar_id": "",
      "url": "https://api.github.com/users/defunkt",
      "html_url": "https://github.com/apps/defunkt",
      "followers_url": "https://api.github.com/users/defunkt/followers",
      "following_url": "https://api.github.com/users/defunkt/following{/other_user}",
      "gists_url": "https://api.github.com/users/defunkt/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/defunkt/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/defunkt/subscriptions",
      "organizations_url": "https://api.github.com/users/defunkt/orgs",
      "repos_url": "https://api.github.com/users/defunkt/repos",
      "events_url": "https://api.github.com/users/defunkt/events{/privacy}",
      "received_events_url": "https://api.github.com/users/defunkt/received_events",
      "type": "Bot",
      "site_admin": false
    },
    "body": "",
    "state": "APPROVED",
    "html_url": "https://github.com/rarkins/defunkt-approves/pull/1#pullrequestreview-82783847",
    "pull_request_url": "https://api.github.com/repos/rarkins/defunkt-approves/pulls/1",
    "author_association": "NONE",
    "_links": {
      "html": {
        "href": "https://github.com/rarkins/defunkt-approves/pull/1#pullrequestreview-82783847"
      },
      "pull_request": {
        "href": "https://api.github.com/repos/rarkins/defunkt-approves/pulls/1"
      }
    },
    "submitted_at": "2017-12-12T10:32:30Z",
    "commit_id": "5fe38783dcd07c34eb32d2bd3b3f31140fdf5230"
  }
]

As you can see, both the API and the Web UI are partially confused. The API explicitly says (incorrectly) that the user defunkt approved the PR instead of the app, and the only hint in the API is "type": "Bot". In the Web UI, it shows the [bot] indication after the username, but the user’s name after that.
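
A consumer-side check for the response above, as an added example that is not part of the original post or GitHub's code: it refuses to count an app's review as approval by the same-named user, relying only on the `type` and `html_url` fields shown in that response. The second sample review, the function names and the required-reviewer list are constructed for illustration, and reviews are assumed to be listed oldest first.

```python
from urllib.parse import urlparse

# Constructed sample: the first entry is trimmed from the response quoted
# above; the second is an invented human review added for contrast.
SAMPLE_REVIEWS = [
    {"id": 82783847, "state": "APPROVED",
     "user": {"login": "defunkt", "id": 34475535, "type": "Bot",
              "html_url": "https://github.com/apps/defunkt"}},
    {"id": 1, "state": "APPROVED",
     "user": {"login": "example-maintainer", "id": 1001, "type": "User",
              "html_url": "https://github.com/example-maintainer"}},
]


def is_app_reviewer(user):
    """Return True when the reviewer object describes an app, not a person.

    Either signal is enough: a "type" other than "User", or an html_url
    under /apps/. A missing or malformed user object fails closed.
    """
    if not isinstance(user, dict) or user.get("type") != "User":
        return True
    path = urlparse(user.get("html_url") or "").path
    return path.startswith("/apps/")


def human_approvers(reviews, required_logins):
    """Return the required logins whose latest human review is APPROVED.

    Reviews are read in list order (assumed oldest first), so a later
    review by the same person replaces an earlier one.
    """
    latest = {}
    for review in reviews:
        user = review.get("user")
        if is_app_reviewer(user):
            continue  # an app named like a required reviewer must not count
        login = user.get("login")
        if isinstance(login, str):
            latest[login.lower()] = review.get("state")
    return sorted(name for name in required_logins
                  if latest.get(name.lower()) == "APPROVED")


if __name__ == "__main__":
    print(human_approvers(SAMPLE_REVIEWS, ["defunkt", "example-maintainer"]))
```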


#3

@rarkins thanks for the detailed report!