feat(github): respect new prAllowMaintainerEdits option when `forkT…

…oken` is set This commit ensures the GitHub platform logic respects the new `prallowMaintainerEdits` option when `forkToken` is set and Renovate operates in a fork. Whenever a PR is created with `forkToken` being set, depending on the option value, the GitHub API post request will have the respective option `maintainer_can_modify` option set. This option was always enabled in fork mode before this commit, and without fork mode enabled, the option is a noop because maintainers have access to upstream branches regardless. Users may want to leverage the option and disable it to avoid issues with modifications in Renovate fork accounts, as described in: renovatebot#19771 Fixes renovatebot#19771.
devversion · Feb 3, 2023 · 1e6a4ae · 1e6a4ae
1 parent c55b17c
commit 1e6a4ae
Show file tree

Hide file tree

Showing 2 changed files with 90 additions and 3 deletions.
diff --git a/lib/modules/platform/github/index.spec.ts b/lib/modules/platform/github/index.spec.ts
@@ -275,7 +275,7 @@ describe('modules/platform/github/index', () => {
     repository: string,
     forkExisted: boolean,
     forkResult = 200,
-    forkDefaulBranch = 'master'
+    forkDefaultBranch = 'master'
   ): void {
     scope
       // repo info
@@ -308,7 +308,7 @@ describe('modules/platform/github/index', () => {
               {
                 full_name: 'forked/repo',
                 owner: { login: 'forked' },
-                default_branch: forkDefaulBranch,
+                default_branch: forkDefaultBranch,
               },
             ]
           : []
@@ -2181,6 +2181,92 @@ describe('modules/platform/github/index', () => {
       expect(pr).toMatchObject({ number: 123 });
     });
 
+    describe('with forkToken', () => {
+      let scope: httpMock.Scope;
+
+      beforeEach(async () => {
+        scope = httpMock.scope(githubApiHost);
+        forkInitRepoMock(scope, 'some/repo', false);
+        scope.get('/user').reply(200, {
+          login: 'forked',
+        });
+        scope.post('/repos/some/repo/forks').reply(200, {
+          full_name: 'forked/repo',
+          default_branch: 'master',
+        });
+
+        await github.initRepo({
+          repository: 'some/repo',
+          forkToken: 'true',
+        });
+      });
+
+      it('should allow maintainer edits if enabled via options', async () => {
+        scope
+          .post(
+            '/repos/some/repo/pulls',
+            // Ensure the `maintainer_can_modify` option is set in the REST API request.
+            (body) => body.maintainer_can_modify === true
+          )
+          .reply(200, {
+            number: 123,
+            head: { repo: { full_name: 'some/repo' }, ref: 'some-branch' },
+          });
+        const pr = await github.createPr({
+          sourceBranch: 'some-branch',
+          targetBranch: 'main',
+          prTitle: 'PR title',
+          prBody: 'PR can be edited by maintainers.',
+          labels: null,
+          allowMaintainerEdits: true,
+        });
+        expect(pr).toMatchObject({ number: 123 });
+      });
+
+      it('should not allow maintainer edits if not explicitly set', async () => {
+        scope
+          .post(
+            '/repos/some/repo/pulls',
+            // Ensure the `maintainer_can_modify` option is `false` in the REST API request.
+            (body) => body.maintainer_can_modify === false
+          )
+          .reply(200, {
+            number: 123,
+            head: { repo: { full_name: 'some/repo' }, ref: 'some-branch' },
+          });
+        const pr = await github.createPr({
+          sourceBranch: 'some-branch',
+          targetBranch: 'main',
+          prTitle: 'PR title',
+          prBody: 'PR *cannot* be edited by maintainers.',
+          labels: null,
+        });
+        expect(pr).toMatchObject({ number: 123 });
+      });
+
+      it('should not allow maintainer edits if explicitly disabled', async () => {
+        scope
+          .post(
+            '/repos/some/repo/pulls',
+            // Ensure the `maintainer_can_modify` option is `false` in the REST API request.
+            (body) => body.maintainer_can_modify === false
+          )
+          .reply(200, {
+            number: 123,
+            head: { repo: { full_name: 'some/repo' }, ref: 'some-branch' },
+          });
+        const pr = await github.createPr({
+          sourceBranch: 'some-branch',
+          targetBranch: 'main',
+          prTitle: 'PR title',
+          prBody: 'PR *cannot* be edited by maintainers.',
+          labels: null,
+          allowMaintainerEdits: false,
+        });
+        expect(pr).toMatchObject({ number: 123 });
+      });
+    });
+
     describe('automerge', () => {
       const createdPrResp = {
         number: 123,

diff --git a/lib/modules/platform/github/index.ts b/lib/modules/platform/github/index.ts
@@ -1479,6 +1479,7 @@ export async function createPr({
   prBody: rawBody,
   labels,
   draftPR = false,
+  allowMaintainerEdits,
   platformOptions,
 }: CreatePRConfig): Promise<GhPr | null> {
   const body = sanitize(rawBody);
@@ -1499,7 +1500,7 @@ export async function createPr({
   // istanbul ignore if
   if (config.forkToken) {
     options.token = config.forkToken;
-    options.body.maintainer_can_modify = true;
+    options.body.maintainer_can_modify = !!allowMaintainerEdits;
   }
   logger.debug({ title, head, base, draft: draftPR }, 'Creating PR');
   const ghPr = (