From 459171f4b3ff566ab6e1c27371934f4965a68159 Mon Sep 17 00:00:00 2001
From: Jhonantans Moraes Rocha <jhmrocha@gmail.com>
Date: Fri, 4 Aug 2023 13:12:46 -0300
Subject: [PATCH] fix(priority): invert semver matching to avoid unfound semver
 (#462)

* fix(priority): invert semver matching to avoid unfound semver

* fix(semver-invalid): handle invalid version update
---
 dist/index.js       | 12 +++++++-
 src/action.js       |  9 ++++++
 src/util.js         |  1 +
 test/action.test.js | 70 +++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 91 insertions(+), 1 deletion(-)

diff --git a/dist/index.js b/dist/index.js
index 1b6284a7..abbe1638 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -2855,6 +2855,15 @@ module.exports = async function run({
       }
     }
 
+    if (
+      TARGET !== updateTypes.any &&
+      updateTypesPriority.indexOf(updateType) < 0
+    ) {
+      core.setOutput(MERGE_STATUS_KEY, MERGE_STATUS.skippedInvalidVersion)
+      logWarning(`Semver bump '${updateType}' is invalid!`)
+      return
+    }
+
     if (
       TARGET !== updateTypes.any &&
       updateTypesPriority.indexOf(updateType) >
@@ -3165,6 +3174,7 @@ exports.MERGE_STATUS = {
   skippedCannotUpdateMajor: 'skipped:cannot_update_major',
   skippedBumpHigherThanTarget: 'skipped:bump_higher_than_target',
   skippedPackageExcluded: 'skipped:packaged_excluded',
+  skippedInvalidVersion: 'skipped:invalid_semver',
 }
 
 exports.MERGE_STATUS_KEY = 'merge_status'
@@ -3314,7 +3324,7 @@ module.exports = require("util");
 /***/ ((module) => {
 
 "use strict";
-module.exports = JSON.parse('{"name":"github-action-merge-dependabot","version":"3.9.0","description":"A GitHub action to automatically merge and approve Dependabot pull requests","main":"src/index.js","scripts":{"build":"ncc build src/index.js","lint":"eslint .","test":"tap test/**.test.js","prepare":"husky install"},"author":{"name":"Salman Mitha","email":"SalmanMitha@gmail.com"},"contributors":["Simone Busoli <simone.busoli@nearform.com>"],"license":"MIT","repository":{"type":"git","url":"git+https://github.com/fastify/github-action-merge-dependabot.git"},"bugs":{"url":"https://github.com/fastify/github-action-merge-dependabot/issues"},"homepage":"https://github.com/fastify/github-action-merge-dependabot#readme","dependencies":{"@actions/core":"^1.9.1","@actions/github":"^5.1.1","actions-toolkit":"github:nearform/actions-toolkit","gitdiff-parser":"^0.3.1","semver":"^7.5.2"},"devDependencies":{"@vercel/ncc":"^0.36.1","eslint":"^8.43.0","eslint-config-prettier":"^8.8.0","eslint-plugin-prettier":"^4.2.1","husky":"^8.0.3","prettier":"^2.8.8","proxyquire":"^2.1.3","sinon":"^15.1.2","tap":"^16.3.6"}}');
+module.exports = JSON.parse('{"name":"github-action-merge-dependabot","version":"3.9.0","description":"A GitHub action to automatically merge and approve Dependabot pull requests","main":"src/index.js","scripts":{"build":"ncc build src/index.js","lint":"eslint .","test":"tap test/**.test.js","prepare":"husky install"},"author":{"name":"Salman Mitha","email":"SalmanMitha@gmail.com"},"contributors":["Simone Busoli <simone.busoli@nearform.com>"],"license":"MIT","repository":{"type":"git","url":"git+https://github.com/fastify/github-action-merge-dependabot.git"},"bugs":{"url":"https://github.com/fastify/github-action-merge-dependabot/issues"},"homepage":"https://github.com/fastify/github-action-merge-dependabot#readme","dependencies":{"@actions/core":"^1.9.1","@actions/github":"^5.1.1","actions-toolkit":"github:nearform/actions-toolkit","gitdiff-parser":"^0.3.1","semver":"^7.5.4"},"devDependencies":{"@vercel/ncc":"^0.36.1","eslint":"^8.46.0","eslint-config-prettier":"^8.9.0","eslint-plugin-prettier":"^4.2.1","husky":"^8.0.3","prettier":"^2.8.8","proxyquire":"^2.1.3","sinon":"^15.2.0","tap":"^16.3.8"}}');
 
 /***/ })
 
diff --git a/src/action.js b/src/action.js
index bd8c82dd..d3b581ee 100644
--- a/src/action.js
+++ b/src/action.js
@@ -84,6 +84,15 @@ module.exports = async function run({
       }
     }
 
+    if (
+      TARGET !== updateTypes.any &&
+      updateTypesPriority.indexOf(updateType) < 0
+    ) {
+      core.setOutput(MERGE_STATUS_KEY, MERGE_STATUS.skippedInvalidVersion)
+      logWarning(`Semver bump '${updateType}' is invalid!`)
+      return
+    }
+
     if (
       TARGET !== updateTypes.any &&
       updateTypesPriority.indexOf(updateType) >
diff --git a/src/util.js b/src/util.js
index 7efe5d81..9d9674bf 100644
--- a/src/util.js
+++ b/src/util.js
@@ -60,6 +60,7 @@ exports.MERGE_STATUS = {
   skippedCannotUpdateMajor: 'skipped:cannot_update_major',
   skippedBumpHigherThanTarget: 'skipped:bump_higher_than_target',
   skippedPackageExcluded: 'skipped:packaged_excluded',
+  skippedInvalidVersion: 'skipped:invalid_semver',
 }
 
 exports.MERGE_STATUS_KEY = 'merge_status'
diff --git a/test/action.test.js b/test/action.test.js
index 9cec03bb..4eb017c8 100644
--- a/test/action.test.js
+++ b/test/action.test.js
@@ -704,3 +704,73 @@ Tried to do a '${updateTypes.minor}' update but the max allowed is '${updateType
     MERGE_STATUS.skippedBumpHigherThanTarget
   )
 })
+
+tap.test('should forbid when update type is missing', async () => {
+  const PR_NUMBER = Math.random()
+
+  const { action, stubs } = buildStubbedAction({
+    payload: {
+      pull_request: {
+        number: PR_NUMBER,
+        user: { login: BOT_NAME },
+      },
+    },
+    inputs: {
+      PR_NUMBER,
+      target: 'minor',
+      exclude: 'react',
+    },
+    dependabotMetadata: createDependabotMetadata({
+      updateType: null,
+    }),
+  })
+
+  await action()
+
+  sinon.assert.calledWithExactly(
+    stubs.logStub.logWarning,
+    `Semver bump 'null' is invalid!`
+  )
+  sinon.assert.notCalled(stubs.approveStub)
+  sinon.assert.notCalled(stubs.mergeStub)
+  sinon.assert.calledWith(
+    stubs.coreStub.setOutput,
+    MERGE_STATUS_KEY,
+    MERGE_STATUS.skippedInvalidVersion
+  )
+})
+
+tap.test('should forbid when update type is not valid', async () => {
+  const PR_NUMBER = Math.random()
+
+  const { action, stubs } = buildStubbedAction({
+    payload: {
+      pull_request: {
+        number: PR_NUMBER,
+        user: { login: BOT_NAME },
+      },
+    },
+    inputs: {
+      PR_NUMBER,
+      target: 'minor',
+      exclude: 'react',
+    },
+    dependabotMetadata: createDependabotMetadata({
+      updateType: 'semver:invalid',
+    }),
+  })
+
+  await action()
+
+  sinon.assert.calledWithExactly(
+    stubs.logStub.logWarning,
+    `Semver bump 'semver:invalid' is invalid!`
+  )
+  sinon.assert.notCalled(stubs.approveStub)
+  sinon.assert.notCalled(stubs.mergeStub)
+  sinon.assert.calledWith(
+    stubs.coreStub.setOutput,
+    MERGE_STATUS_KEY,
+    MERGE_STATUS.skippedInvalidVersion
+  )
+})