Identify GCI users in repository information

[andrewda]

This begins to identify users in several meta repository stats,
including stargazers, watchers and forks.

Closes #100

---

A few notes:

• (fixed in ed4f74e) The number of users might not be higher in the build until the cache expires. This is a separate issue: we should bypass caching stuff if there is no github_account property on the user and jump straight to the checking stuff.
• We don't check the time of the watch/star events in order to see if it happened during GCI (as @jayvdb wanted in Find users in repository information #100 (comment)) because that information isn't returned to us through the API.
• As far as I can tell, we are unable to access the name of the fork owner (GraphQL type: RepositoryOwner) without making another request (to get the User from the RepositoryOwner). That would involve several hundred more requests and probably being rate limited by GitHub, unless someone can figure out a way to do it all in one query – I wasn't able to after a few hours of trial and error.
• This vastly reduces the overall number of API calls we have to make. Instead of calling findGitHubUserInOrg for every user, we only have to search pre-fetched information for a large number of users.
• This sets the base for Use GraphQL API #111, meaning it'll be a low difficulty issue for anyone with GraphQL experience, and a medium difficulty issue for anyone without experience.
• There are a lot of package-lock.json changes that get fixed in Create RSS feed of data changes #95 – this definitely should not have 900+ deletions.

[jayvdb]

store in a repo_info.graphql ?
the variables are part of the language.

[jayvdb]

so I could create account https://github.com/WinningIt , fork a Ubuntu repo, and my fake account gets linked?

[andrewda]

I suppose you could if you wanted to be malicious, but with the current implementation you could create that same fake account and make a BS issue on any Ubuntu repository and the account would be linked. Or even just do a PR review.

[jayvdb]

An issue is a very noticable action. It is a new thing, and the malicious person is the creator.
A review is not quite as noticeable, but it would need to be done on an obscure open PR in order to not be noticed.
Either would likely be seen as intentional confusion, maybe suitable for GitHub to investigate as 'abuse'.

stars/watches/forks are almost invisible. And it is very hard to file 'abuse' with GitHub for doing those actions.

Your issue is a specific attempt to do #8 .

The biggest problem is that so far this algorithm has a lower confidence level than the previous algorithms, but it is being used first. This could be used to override the existing algorithms, which are more reliable.

Once you have a potential match, which wasnt found using the existing more reliable algorithms, you need to look at the match profiles to determine how you can increase the confidence level of your match. The more effort you require of the abuser, the more likely their abuse can only be viewed as intentional or at least highly suspicious.

Probably also a good idea to annotate each match with the matching method used.

API hits isn't relevant now, as the hits can grow over time. You can include probable matches in the yaml which are not included in the rendered page, as they are needing more analysis deferred until a subsequent build has extra API calls to use.

[andrewda]

How about running the same checks we do on the user found this way as we do for users found by removing spaces in the display name? i.e. we make sure the user has at least a commit, issue, PR or review on a repository of the org

That way we can have the same confidence in this prediction as we do for all the others

[andrewda]

The problem with ^ is that it cuts the number of matches in half and gets rid of some valid matches, but it does result in a much more accurate result.

[jayvdb]

Is the total number of matches increased?
If so, loosing some valid matches is ok.

[andrewda]

I believe it only increases by 1 if we verify using our current method, but will increase by 3 if we allow contributions to any of the GCI orgs to count (not just the one they are a leader for).

[jayvdb]

1 is enough to meet the requirements of the task

[jayvdb]

so I could create account https://github.com/WinningIt , fork a Ubuntu repo, and my fake account gets linked?

[jayvdb]

Add a commit to forcibly clear the cache of unlinked usernames so we can see it working. We'll no doubt need to redo this occasionally.

[blazeu]

We'll be doing this very often, might as well just create a function to load .graphql

Probably put that in utils.js file or there might be an existing npm packages to do it.

[andrewda]

Sounds good. It'll be like 3 lines of code to do it ourselves so may as well keep it light weight.

[wisn]

GCI Leaders now using Babel, isn't it? Use import instead?

[andrewda]

Only frontend code (/static) uses Babel at the moment, so this isn't yet possible.

[wisn]

Better to use

export const REPO_INFO_QUERY = // ...

or

export {
  REPO_INFO_QUERY: // ...
}

I think

[andrewda]

👍 I'll make a PR after this to setup Babel for the backend and start using ES2017 syntax.

[wisn]

Alright.

[wisn]

Group that let and const. See https://github.com/airbnb/javascript#variables--const-let-group.

[wisn]

Better to use === instead of ==. See https://github.com/airbnb/javascript#comparison--eqeqeq.

[wisn]

See https://github.com/airbnb/javascript#control-statements.

[andrewda]

I agree with Airbnb, but this is a styling thing in our ESLint config that we should probably change in another PR.

[wisn]

Use import instead?

[wisn]

Use export const loadQuery instead.

[jayvdb]

If I understand correctly, this will keep busting the cache until someone sets this to false.

Each cache bust should be a once-off operation which automatically reverts to non-cache busting on the next build.
There are ways to use of elements of the merge that can be used to detect whether the bust was complete.
Or store the cache bust timestamp in the deploy, and dont let it occur again within a short period of time.

[andrewda]

Would using Travis to check the commit name for a specific keyword work?

[andrewda]

Actually netlify doesn't expose the commit message, so we're going to have to check with git log -1 --pretty=%B. Another alternative is an env variable so that the cache busting can't be abused by someone other than an admin?

[jayvdb]

repo_info.graphql should be renamed to include github as that is what it is. GitLab doesnt support it yet I believe, due to patent issues , but it could, or other uses of GraphQL could arise, and it doesnt hurt to be explicit in the filename.

[jayvdb]

@gitmate-bot fastforward

[gitmate-bot]

Hey! I'm GitMate.io! This pull request is being fastforwarded automatically. Please DO NOT push while fastforward is in progress or your changes would be lost permanently ⚠️

[gitmate-bot]

Automated fastforward failed! Please fastforward your pull request manually via the command line.

Reason:

Command: git push upstream HEAD:master

Exit Code: 1

Cause:

remote: error: GH006: Protected branch update failed for refs/heads/master.        
remote: error: 1 review requesting changes by reviewers with write access.        
To <hidden_oauth_token>
 ! [remote rejected] HEAD -> master (protected branch hook declined)
error: failed to push some refs to '<hidden_oauth_token>'

[jayvdb]

ack 6a17aac 97acdb8 b339627

[jayvdb]

@gitmate-bot fastforward

[gitmate-bot]

Hey! I'm GitMate.io! This pull request is being fastforwarded automatically. Please DO NOT push while fastforward is in progress or your changes would be lost permanently ⚠️

[gitmate-bot]

Automated fastforward with GitMate.io was successful! 🎉