Every day, major projects use Mergify to automate their GitHub workflow. Whether they have a core team of 3 or 50 people, the one thing they all have in common is that the project leads are willing to let their developers focus on what’s really important—code. So we decided to meet with some of them to get to know more about their challenges and discover how Mergify helps their teams be more efficient when it comes to pull requests. This time we talked to Yuanruo Liang, a software engineering manager working at Open Government Products, a department of the Government Technology Agency of Singapore, developing technology for the public good.
Could you explain what Open Government Products is?
For sure! We are actually an experimental unit composed of 60 software engineers, product managers, and product designers. Together we solve the most important pain points in the public sector by digitizing a lot of workflows and use cases for the government itself as well as its interactions with citizens. In recent years, we have put a lot of effort into building Covid systems, including an application for arranging vaccine appointments. It was especially important in Singapore, which is a densely populated country, to help keep the number of hospitalizations and need for intensive care down. Prior to Covid, we were launching really broad-based products, such as FormSG, a form builder that is like Google Forms for the Singapore Public Service.
It seems like there is a lot to do. Are you hiring currently?
Yes, so software engineers who are interested in working for a public-service organization are invited to apply—from Singapore and all over the world. Most of our people are Singaporeans but we also have American and French people and we recently hired an engineering manager from India. We make sure to automate the most painful work and aim to offer a good developer experience.
What does working as an engineer for a public service organization involve?
Unsurprisingly, when you consider our field, security is an important part of all our products.
We use end-to-end encryption to protect citizens’ data and we also have a lot of webhooks that automate downstream systems. We also introduced static analysis as part of our security testing. We started off with GitHub CodeQL and more recently have been using Snyk as well to help us inspect the structure of the code and make sure we haven’t made any silly mistakes, like leaving applications vulnerable to injections or things like that. In addition, we make sure we keep our dependencies up to date to ensure our products are safe and secure.
How do you manage dependencies’ updates?
We use the GitHub Dependabot system, which automatically raises pull requests [PRs] to update dependencies. But the challenge quickly became that because there were so many packages being updated on a daily basis, there was a lot of noise, with 70% to 90% of the PRs being automatically opened by the Dependabot system.
Is this why Mergify came into the picture?
That’s right! Mergify helped us to automate the approval and merge for most of the Dependabot PRs where we didn’t necessarily need a human reviewer. Mergify inspects the semantic version of the update, and if the update is a minor or a patch version change and it passes all of our automated tests, it is immediately merged.
Which Mergify feature do you use most?
Regular expression matching has definitely been a killer feature for us! It wasn’t initially clear to us how we could automate all the package updates if some of them could be breaking ones. But we figured it out from the examples in the documentation that you can actually use regular expression matching to check whether the major version number has increased and use it as a condition to either approve or decline the automatic merge. When it is declined, we forward the PR to a human engineer so they can look at what the major version update is and then figure out when we want to work on that.
What is your favorite Mergify feature?
The user interface to create and add rules is a great help. I think most engineers are OK with the YAML file but it is always nice to have a user interface for these things, to test whether your regular expressions work in the way you’re expecting. Our workflow originally required a bit of iterative testing!
And what is your workflow for feature PRs created by human engineers?
It’s different because in these cases Mergify doesn’t really have a part to play in the process. After the PR has been opened, the code quality is inspected through linting, which is followed by a build system and then several security checks. Then we run unit and integration tests, and finally, someone has to approve the PR. Once it’s approved, we typically let the author merge the PR. If the PR is only 90% good enough, we let the developer fix the small things that need to be fixed and then merge it without always having a second review. So I think using Mergify in cases like this would actually slow us down.
What are the main challenges with those workflows?
Because we tend to run pretty lean teams, time is our most valuable asset. So we really want to automate as much as we can, hence the use of Dependabot and Mergify. Moving forward, we would like to automate even more and raise the quality of some of the PRs. So we’re trying to experiment with additional systems to measure code accuracy against coding standards, functional deliverables, and design specifications.
What has been the biggest impact of using Mergify on your teams’ performance?
It has definitely removed a lot of chores, a lot of noise, for the teams. And even if they don’t work on the product each week, patches can still be released. It becomes fairly common in a release that 20% of the code was written by human beings and 80% was by Mergify or other tools.
What would be your #1 tip for someone who’s new to Mergify?
To read the documentation—the examples section especially!
It’s very inspiring and makes you aware of the number of options available for automating your workflow and the amount of work you can save yourself if you write rules that work for you.