Does the current implementation use the SHA-1 head to check whether a merge of a Pull Request is good? https://developer.github.com/v3/pulls/#merge-a-pull-request-merge-button describes that you can add a SHA-1 to the merge API call, which causes GitHub to check whether the SHA-1 and the current head of that Pull Request match.
This would be useful for security reasons in our application. We're building a review-tool-bot that merges Pull Requests for us after we signal (via a comment) that the Pull Request is OK to merge. Now, a malicious person could theoretically introduce a new commit to their Pull Request branch while the request to merge is still on the way (either from the GitHub comment webhook to the bot, or from the bot to the GitHub API). If the SHA-1 doesn't match, the merge should be denied by GitHub.
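The pinned merge described above, as an added example that is not part of the original post or of the library it asks about. It assumes the bot recorded the head SHA that was actually reviewed; `merge_reviewed_head`, `github_send` and `fake_github` are hypothetical names, and the fake transport is a constructed stand-in for GitHub's head check.

```python
import json
import urllib.error
import urllib.request

API = "https://api.github.com"
HEX = set("0123456789abcdef")

def merge_reviewed_head(send, owner, repo, number, reviewed_sha):
    """Merge a PR only if its head is still the commit that was reviewed.

    reviewed_sha must be the value captured at review time. Re-reading the
    PR head just before merging would reintroduce the race.
    """
    if len(reviewed_sha) != 40 or not set(reviewed_sha) <= HEX:
        # Fail closed: an empty or short SHA must never become an unpinned merge.
        raise ValueError("refusing to merge without a full 40-hex head SHA")
    url = f"{API}/repos/{owner}/{repo}/pulls/{number}/merge"
    status, body = send("PUT", url, {"sha": reviewed_sha})
    if status == 200 and body.get("merged"):
        return "merged"
    if status == 409:
        return "head-moved"       # head changed after review: require re-approval
    return f"refused:{status}"    # e.g. 405 not mergeable, 403/404 permissions

def github_send(token):
    """Real transport over HTTPS (needs network; not used by the offline demo)."""
    def send(method, url, payload):
        req = urllib.request.Request(
            url, data=json.dumps(payload).encode(), method=method,
            headers={"Authorization": f"Bearer {token}",
                     "Accept": "application/vnd.github+json"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return send

def fake_github(current_head):
    """Constructed stand-in: rejects the merge when the pinned SHA is stale."""
    def send(method, url, payload):
        if payload.get("sha") != current_head:
            return 409, {"message": "constructed: head does not match sha"}
        return 200, {"merged": True, "sha": "c" * 40}
    return send
```

A `head-moved` result should put the Pull Request back into review rather than trigger a retry with the new head.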