From 29dc6db06eafcbc87b2ecc3b760911cc60b43423 Mon Sep 17 00:00:00 2001 From: Barry Gordon Date: Thu, 30 Jun 2022 14:27:21 +0100 Subject: [PATCH 1/4] getMessage can skip commit verification checks --- src/dependabot/verified_commits.test.ts | 17 +++++++++++++++++ src/dependabot/verified_commits.ts | 4 ++-- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/src/dependabot/verified_commits.test.ts b/src/dependabot/verified_commits.test.ts index 2576b8a8..5c556213 100644 --- a/src/dependabot/verified_commits.test.ts +++ b/src/dependabot/verified_commits.test.ts @@ -70,6 +70,23 @@ test('it returns false if the commit is has no verification payload', async () = expect(await getMessage(mockGitHubClient, mockGitHubPullContext())).toBe(false) }) +test('it returns the message if the commit is has no verification payload but verification is skipped', async () => { + nock('https://api.github.com').get('/repos/dependabot/dependabot/pulls/101/commits') + .reply(200, [ + { + author: { + login: 'dependabot[bot]' + }, + commit: { + message: 'Bump lodash from 1.0.0 to 2.0.0', + verification: null + } + } + ]) + + expect(await getMessage(mockGitHubClient, mockGitHubPullContext(), true)).toEqual('Bump lodash from 1.0.0 to 2.0.0') +}) + test('it returns false if the commit is not verified', async () => { nock('https://api.github.com').get('/repos/dependabot/dependabot/pulls/101/commits') .reply(200, [ diff --git a/src/dependabot/verified_commits.ts b/src/dependabot/verified_commits.ts index 4e9cb994..93ffb194 100644 --- a/src/dependabot/verified_commits.ts +++ b/src/dependabot/verified_commits.ts 
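Review bot: The new test only shows that passing `true` as the third argument lets a commit with `verification: null` through; nothing in this hunk asserts that the author-login check still applies when verification is skipped, and on that path the login comparison becomes the only remaining authenticity check. Unless such a case already exists outside the hunk, add a sibling test with `author: { login: 'someone-else' }`, `verification: null`, and `getMessage(mockGitHubClient, mockGitHubPullContext(), true)`, asserting `toBe(false)`, so a later refactor cannot let the flag bypass the login check as well. The test title also repeats the typo from the test above it (`the commit is has no`); `the commit has no` reads better.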
@@ -6,7 +6,7 @@ import https from 'https' const DEPENDABOT_LOGIN = 'dependabot[bot]' -export async function getMessage (client: InstanceType, context: Context): Promise { +export async function getMessage (client: InstanceType, context: Context, skipCommitVerification = false): Promise { core.debug('Verifying the job is for an authentic Dependabot Pull Request') const { pull_request: pr } = context.payload @@ -43,7 +43,7 @@ export async function getMessage (client: InstanceType, context: return false } - if (!commit.verification?.verified) { + if (!skipCommitVerification && !commit.verification?.verified) { // TODO: Promote to setFailed core.warning( "Dependabot's commit signature is not verified, refusing to proceed." From b1673a77b4f79f1285877eb4471c865aa2f9d767 Mon Sep 17 00:00:00 2001 From: Barry Gordon Date: Thu, 30 Jun 2022 14:36:01 +0100 Subject: [PATCH 2/4] Add skip-commit-verification input --- action.yml | 4 ++++ src/main.test.ts | 1 + src/main.ts | 2 +- 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/action.yml b/action.yml index dbf07cb7..143b59e2 100644 --- a/action.yml +++ b/action.yml @@ -13,6 +13,10 @@ inputs: github-token: description: 'The GITHUB_TOKEN secret' default: ${{ github.token }} + skip-commit-verification: + type: boolean + description: 'If true, the action will not expect Dependabot commits to be verified. This should be set as 'true' in GHES environments.' + default: false outputs: dependency-names: description: 'A comma-separated list of all package names updated.' diff --git a/src/main.test.ts b/src/main.test.ts index c863b229..94a67c77 100644 --- a/src/main.test.ts +++ b/src/main.test.ts 
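Review bot: The new `skipCommitVerification` parameter is undocumented, and it changes what a truthy result from `getMessage` means: with it set, the signature check later in the function is skipped, and the caller is left with whatever non-cryptographic checks remain (the login comparison, as far as I can see) as the evidence that the pull request came from Dependabot. Add a TSDoc block above the signature, e.g. `@param skipCommitVerification - When true, do not require the Dependabot commit to carry a verified signature; only the author login is checked. Intended for GitHub Enterprise Server (see README), where this is documented as required. Weakens the authenticity guarantee of the returned message; defaults to false.` The body of `getMessage` continues outside the hunk.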
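Review bot: When `skipCommitVerification` is true the condition `if (!skipCommitVerification && !commit.verification?.verified)` is skipped silently, so the workflow log gives no indication that the signature requirement was bypassed, and the existing `// TODO: Promote to setFailed` still leaves the unverified case at a warning. Make the bypass visible by splitting the condition: `if (skipCommitVerification) {` / `  core.warning('skip-commit-verification is set; not checking the Dependabot commit signature.')` / `} else if (!commit.verification?.verified) {`. As far as I know GitHub derives the commit `author.login` from the author email recorded in the commit, which whoever creates the commit controls, so with this flag the login check is the only barrier left and the warning text is worth being explicit about that. The enclosing function starts and ends outside the hunk.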
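Review bot: The `description` for `skip-commit-verification` is a single-quoted YAML scalar containing unescaped single quotes around `'true'`; the scalar closes at the quote before `true`, leaving `true' in GHES environments.'` as trailing content, which YAML parsers reject, so the action metadata will fail to load. Either double the inner quotes or use a double-quoted scalar, and state the trade-off the flag makes while you are there: `description: "If true, the action will not expect Dependabot commits to be verified and relies on the commit author alone. Set this to true only on GitHub Enterprise Server, where it is required."` Separately, `type: boolean` is not a key I know of for action-metadata `inputs` (it belongs to `workflow_dispatch` inputs); it is probably ignored, but `core.getBooleanInput` already parses the string value, so it can be dropped if metadata validation complains.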
@@ -10,6 +10,7 @@ beforeEach(() => { jest.spyOn(core, 'info').mockImplementation(jest.fn()) jest.spyOn(core, 'setFailed').mockImplementation(jest.fn()) jest.spyOn(core, 'startGroup').mockImplementation(jest.fn()) + jest.spyOn(core, 'getBooleanInput').mockReturnValue(false) }) test('it early exits with an error if github-token is not set', async () => { diff --git a/src/main.ts b/src/main.ts index 3a534546..232e3102 100644 --- a/src/main.ts +++ b/src/main.ts @@ -22,7 +22,7 @@ export async function run (): Promise { const githubClient = github.getOctokit(token) // Validate the job - const commitMessage = await verifiedCommits.getMessage(githubClient, github.context) + const commitMessage = await verifiedCommits.getMessage(githubClient, github.context, core.getBooleanInput('skip-commit-verification')) const branchNames = util.getBranchNames(github.context) let alertLookup: updateMetadata.alertLookup | undefined if (core.getInput('alert-lookup')) { From d882a801637f12cecde9a4dda035f1a8041e6acc Mon Sep 17 00:00:00 2001 From: Barry Gordon Date: Thu, 30 Jun 2022 14:38:02 +0100 Subject: [PATCH 3/4] Update documentation --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index ea39cca7..f49e9baa 100644 --- a/README.md +++ b/README.md @@ -41,6 +41,9 @@ Supported inputs are: - `compat-lookup` (boolean) - If `true`, then populate the `compatibility-score` output. - Defaults to `false` +- `skip-commit-verification` (boolean) + - If `true`, then the action will not expect the commits to have a verification signature. **It is required to set this to 'true' in GitHub Enterprise Server** + - Defaults to `false` Subsequent actions will have access to the following outputs: From 6c87543e47e96b3fb3bb924ccb5f263d3e87e5eb Mon Sep 17 00:00:00 2001 From: Barry Gordon Date: Thu, 30 Jun 2022 14:43:46 +0100 Subject: [PATCH 4/4] Bump dist/ --- dist/index.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
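Review bot: `jest.spyOn(core, 'getBooleanInput').mockReturnValue(false)` pins every boolean input to false for the whole suite, so `run()` is never exercised with `skip-commit-verification` set and nothing checks that the flag actually reaches `getMessage`. Add one case that overrides the spy with `jest.spyOn(core, 'getBooleanInput').mockReturnValue(true)` and asserts `verifiedCommits.getMessage` was called with `true` as its third argument (assuming `verifiedCommits` is mocked in this file, which I cannot see here). The `beforeEach` block starts outside the hunk.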
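Review bot: The flag is read inline on the `getMessage` call and passed straight through, so nothing in `run()` ties the bypass to the GitHub Enterprise Server deployments the README says it is meant for, and a workflow on github.com can switch the signature check off with one input line. If the GHES-only intent is firm, read the flag into a named value and fail closed on the public instance; I am inferring from the "early exits with an error" test that `setFailed` plus `return` is the existing exit pattern, and `run()` starts and ends outside the hunk, so check that the early return fits the surrounding `try`. Note also that `core.getBooleanInput` throws a `TypeError` for values other than `true`/`false` (e.g. `yes`); whether that is reported cleanly depends on the `catch` outside the hunk.
```typescript
    const skipCommitVerification = core.getBooleanInput('skip-commit-verification')
    // The flag exists for GitHub Enterprise Server (see README); refuse it on github.com
    // so the signature check cannot be switched off where it is expected to work.
    if (skipCommitVerification && process.env.GITHUB_SERVER_URL === 'https://github.com') {
      core.setFailed('skip-commit-verification is only supported on GitHub Enterprise Server')
      return
    }
    const commitMessage = await verifiedCommits.getMessage(githubClient, github.context, skipCommitVerification)
    // … unchanged: branch names, alert lookup …
```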
diff --git a/dist/index.js b/dist/index.js index 3d4bf343..3f298e45 100644 --- a/dist/index.js +++ b/dist/index.js @@ -9065,7 +9065,7 @@ exports.getCompatibility = exports.trimSlashes = exports.getAlert = exports.getM const core = __importStar(__nccwpck_require__(2186)); const https_1 = __importDefault(__nccwpck_require__(5687)); const DEPENDABOT_LOGIN = 'dependabot[bot]'; -function getMessage(client, context) { +function getMessage(client, context, skipCommitVerification = false) { var _a; return __awaiter(this, void 0, void 0, function* () { core.debug('Verifying the job is for an authentic Dependabot Pull Request'); @@ -9092,7 +9092,7 @@ function getMessage(client, context) { core.warning('It looks like this PR was not created by Dependabot, refusing to proceed.'); return false; } - if (!((_a = commit.verification) === null || _a === void 0 ? void 0 : _a.verified)) { + if (!skipCommitVerification && !((_a = commit.verification) === null || _a === void 0 ? void 0 : _a.verified)) { // TODO: Promote to setFailed core.warning("Dependabot's commit signature is not verified, refusing to proceed."); return false; @@ -9216,7 +9216,7 @@ function run() { try { const githubClient = github.getOctokit(token); // Validate the job - const commitMessage = yield verifiedCommits.getMessage(githubClient, github.context); + const commitMessage = yield verifiedCommits.getMessage(githubClient, github.context, core.getBooleanInput('skip-commit-verification')); const branchNames = util.getBranchNames(github.context); let alertLookup; if (core.getInput('alert-lookup')) {