Skip to content

Commit

Permalink
feat: add option to skip internal verifications (#336)
Browse files Browse the repository at this point in the history
Add a `skip-verification` (boolean) option:
 
 - If `true`, the action will not validate the user or the commit verification status
 - Defaults to `false`

Allows for scenarios where users want to add or amend commits on the Dependabot PR, and those commits will not come from the :dependabot: user.

There's a fair bit of discussion on this use case and also why this isn't the default behavior, see:
* #336
* #332
  • Loading branch information
yeikel authored Apr 17, 2023
1 parent 684ca1c commit 6c2bf2f
Show file tree
Hide file tree
Showing 6 changed files with 50 additions and 18 deletions.
3 changes: 3 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,9 @@ Supported inputs are:
- `skip-commit-verification` (boolean)
- If `true`, then the action will not expect the commits to have a verification signature. **It is required to set this to 'true' in GitHub Enterprise Server**
- Defaults to `false`
- `skip-verification` (boolean)
- If `true`, the action will not validate the user or the commit verification status
- Defaults to `false`

Subsequent actions will have access to the following outputs:

Expand Down
6 changes: 5 additions & 1 deletion action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,11 @@ inputs:
default: ${{ github.token }}
skip-commit-verification:
type: boolean
description: 'If true, the action will not expect Dependabot commits to be verified. This should be set as `true` in GHES environments.'
description: 'If true, the action will not expect Dependabot commits to be verified. This should be set as `true` in GHES environments'
default: false
skip-verification:
type: boolean
description: 'If true, the action will not validate the user or the commit verification status'
default: false
outputs:
dependency-names:
Expand Down
20 changes: 12 additions & 8 deletions dist/index.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

19 changes: 19 additions & 0 deletions src/dependabot/verified_commits.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,25 @@ test('it returns the message if the commit is has no verification payload but ve
expect(await getMessage(mockGitHubClient, mockGitHubPullContext(), true)).toEqual('Bump lodash from 1.0.0 to 2.0.0')
})

test('it returns the message when skip-verification is enabled', async () => {
jest.spyOn(core, 'getInput').mockReturnValue('true')

nock('https://api.github.com').get('/repos/dependabot/dependabot/pulls/101/commits')
.reply(200, [
{
author: {
login: 'myUser'
},
commit: {
message: 'Bump lodash from 1.0.0 to 2.0.0',
verification: false
}
}
])

expect(await getMessage(mockGitHubClient, mockGitHubPullContext(), false, true)).toEqual('Bump lodash from 1.0.0 to 2.0.0')
})

test('it returns false if the commit is not verified', async () => {
nock('https://api.github.com').get('/repos/dependabot/dependabot/pulls/101/commits')
.reply(200, [
Expand Down
18 changes: 10 additions & 8 deletions src/dependabot/verified_commits.ts
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,12 @@ import https from 'https'

const DEPENDABOT_LOGIN = 'dependabot[bot]'

export async function getMessage (client: InstanceType<typeof GitHub>, context: Context, skipCommitVerification = false): Promise<string | false> {
core.debug('Verifying the job is for an authentic Dependabot Pull Request')
export async function getMessage (client: InstanceType<typeof GitHub>, context: Context, skipCommitVerification = false, skipVerification = false): Promise<string | false> {
if (skipVerification) {
core.debug('Skipping pull request verification')
} else {
core.debug('Verifying the job is for an authentic Dependabot Pull Request')
}

const { pull_request: pr } = context.payload

Expand All @@ -19,14 +23,12 @@ export async function getMessage (client: InstanceType<typeof GitHub>, context:
return false
}

// Don't bother hitting the API if the PR author isn't Dependabot
if (pr.user.login !== DEPENDABOT_LOGIN) {
// Don't bother hitting the API if the PR author isn't Dependabot unless verification is disabled
if (!skipVerification && pr.user.login !== DEPENDABOT_LOGIN) {
core.debug(`PR author '${pr.user.login}' is not Dependabot.`)
return false
}

core.debug('Verifying the Pull Request contents are from Dependabot')

const { data: commits } = await client.rest.pulls.listCommits({
owner: context.repo.owner,
repo: context.repo.repo,
Expand All @@ -35,15 +37,15 @@ export async function getMessage (client: InstanceType<typeof GitHub>, context:

const { commit, author } = commits[0]

if (author?.login !== DEPENDABOT_LOGIN) {
if (!skipVerification && author?.login !== DEPENDABOT_LOGIN) {
// TODO: Promote to setFailed
core.warning(
'It looks like this PR was not created by Dependabot, refusing to proceed.'
)
return false
}

if (!skipCommitVerification && !commit.verification?.verified) {
if (!skipVerification && !skipCommitVerification && !commit.verification?.verified) {
// TODO: Promote to setFailed
core.warning(
"Dependabot's commit signature is not verified, refusing to proceed."
Expand Down
2 changes: 1 addition & 1 deletion src/main.ts
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ export async function run (): Promise<void> {
const githubClient = github.getOctokit(token)

// Validate the job
const commitMessage = await verifiedCommits.getMessage(githubClient, github.context, core.getBooleanInput('skip-commit-verification'))
const commitMessage = await verifiedCommits.getMessage(githubClient, github.context, core.getBooleanInput('skip-commit-verification'), core.getBooleanInput('skip-verification'))
const branchNames = util.getBranchNames(github.context)
let alertLookup: updateMetadata.alertLookup | undefined
if (core.getInput('alert-lookup')) {
Expand Down

0 comments on commit 6c2bf2f

Please sign in to comment.