feat: add option to skip-verification
When enabled, both author and commit verification are disabled

Closes #378
yeikel committed Apr 24, 2023
1 parent 880c1f2 commit 2cc00ba
Showing 8 changed files with 143 additions and 21 deletions.
23 changes: 12 additions & 11 deletions README.md
Expand Up @@ -20,17 +20,18 @@ Error: Resource not accessible by integration

## Inputs

| input | required | default | description |
|----------------------------|----------|--------------------------|-----------------------------------------------------------------|
| `github-token` | No | `${{github.token}}` | A GitHub token. |
| `exclude` | No | | A comma or semicolon separated value of packages that you don't want to auto-merge and would like to manually review to decide whether to upgrade or not. |
| `approve-only` | No | `false` | If `true`, the PR is only approved but not merged. |
| `merge-method` | No | `squash` | The merge method you would like to use (squash, merge, rebase). |
| `merge-comment` | No | `''` | An arbitrary message that you'd like to comment on the PR after it gets auto-merged. This is only useful when you're receiving too much of noise in email and would like to filter mails for PRs that got automatically merged. |
| `use-github-auto-merge` | No | `false` | If `true`, the PR is marked as auto-merge and will be merged by GitHub when status checks are satisfied.<br /><br />_NOTE_: This feature only works when all of the following conditions are met.<br />- The repository enables auto-merge. <br />- The pull request base must have a branch protection rule. <br />- The pull request's status checks are not yet satisfied.<br /></br>Refer to [the official document](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request) about GitHub auto-merge. |
| `target` | No | `any` | A flag to only auto-merge updates based on Semantic Versioning.<br />Possible options are: `major, premajor, minor, preminor, patch, prepatch, prerelease, any`.<br /><br />For more details on how semantic version difference is calculated please see [semver](https://www.npmjs.com/package/semver) package.<br /><br />If you set a value other than `any`, PRs that are not semantic version compliant are skipped. An example of a non-semantic version is a commit hash when using git submodules.|
| `pr-number` | No | | A pull request number, only required if triggered from a workflow_dispatch event. Typically this would be triggered by a script running in a separate CI provider. See [Trigger action from workflow_dispatch event](#trigger-action-from-workflow_dispatch-event) example. |
| `skip-commit-verification` | No | `false` | If `true`, then the action will not expect the commits to have a verification signature. It is required to set this to `true` in GitHub Enterprise Server. |
| input | required | default | description |
|----------------------------|----------|---------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `github-token` | No | `${{github.token}}` | A GitHub token. |
| `exclude` | No | | A comma or semicolon separated value of packages that you don't want to auto-merge and would like to manually review to decide whether to upgrade or not. |
| `approve-only` | No | `false` | If `true`, the PR is only approved but not merged. |
| `merge-method` | No | `squash` | The merge method you would like to use (squash, merge, rebase). |
| `merge-comment` | No | `''` | An arbitrary message that you'd like to comment on the PR after it gets auto-merged. This is only useful when you're receiving too much of noise in email and would like to filter mails for PRs that got automatically merged. |
| `use-github-auto-merge` | No | `false` | If `true`, the PR is marked as auto-merge and will be merged by GitHub when status checks are satisfied.<br /><br />_NOTE_: This feature only works when all of the following conditions are met.<br />- The repository enables auto-merge. <br />- The pull request base must have a branch protection rule. <br />- The pull request's status checks are not yet satisfied.<br /></br>Refer to [the official document](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request) about GitHub auto-merge. |
| `target` | No | `any` | A flag to only auto-merge updates based on Semantic Versioning.<br />Possible options are: `major, premajor, minor, preminor, patch, prepatch, prerelease, any`.<br /><br />For more details on how semantic version difference is calculated please see [semver](https://www.npmjs.com/package/semver) package.<br /><br />If you set a value other than `any`, PRs that are not semantic version compliant are skipped. An example of a non-semantic version is a commit hash when using git submodules. |
| `pr-number` | No | | A pull request number, only required if triggered from a workflow_dispatch event. Typically this would be triggered by a script running in a separate CI provider. See [Trigger action from workflow_dispatch event](#trigger-action-from-workflow_dispatch-event) example. |
| `skip-commit-verification` | No | `false` | If `true`, then the action will not expect the commits to have a verification signature. It is required to set this to `true` in GitHub Enterprise Server. |
| `skip-verification` | No | `false` | If true, the action will not validate the user or the commit verification status |

## Examples

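Review bot: the new `skip-verification` row does not say what turning the checks off permits. With it set, the action no longer requires the PR or its commits to come from Dependabot, so a pull request from any author becomes eligible for approval and merge. State that in the description and say how the option relates to `skip-commit-verification` (it overrides it). Minor: wrap `true` in backticks and end the sentence with a period, as the other rows do. Re-padding every row of the table also makes the one-line addition hard to pick out in the diff.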
9 changes: 7 additions & 2 deletions action.yml
Expand Up @@ -36,19 +36,24 @@ inputs:
description: 'If true, then the action will not expect the commits to have a verification signature. It is required to set this to true in GitHub Enterprise Server'
required: false
default: false
skip-verification:
type: boolean
description: 'If true, the action will not validate the user or the commit verification status'
default: false

runs:
using: 'composite'
steps:
- name: Fetch metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v1
if: ${{ github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' }}
if: github.event_name == 'pull_request' && (github.actor == 'dependabot[bot]' || skip-verification == 'true')
with:
skip-commit-verification: ${{ inputs.skip-commit-verification }}
skip-verification : ${{ inputs.skip-verification }}
- name: Merge/approve PR
uses: actions/github-script@v6
if: ${{ github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' }}
if: github.event_name == 'pull_request' && (github.actor == 'dependabot[bot]' || skip-verification == 'true')
with:
github-token: ${{ inputs.github-token }}
script: |
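Review bot: both new `if:` conditions test a bare `skip-verification == 'true'`, which is not an expression context; the input is reachable only as `inputs.skip-verification`, the form the `with:` line in this same hunk already uses. Write `inputs.skip-verification == 'true'` in both steps. The new input also declares `type: boolean` and omits `required: false`, unlike the `skip-commit-verification` input just above it, while the condition compares it to the string `'true'`; pick one representation and match the neighbouring input. Drop the space before the colon in `skip-verification : ${{ inputs.skip-verification }}`.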
10 changes: 6 additions & 4 deletions dist/index.js
Expand Up @@ -2803,6 +2803,7 @@ module.exports = async function run({
TARGET,
PR_NUMBER,
SKIP_COMMIT_VERIFICATION,
SKIP_VERIFICATION,
} = getInputs(inputs)

try {
Expand All @@ -2820,16 +2821,16 @@ module.exports = async function run({
const pr = pull_request || (await client.getPullRequest(PR_NUMBER))

const isDependabotPR = pr.user.login === dependabotAuthor
if (!isDependabotPR) {
if (!isDependabotPR && !SKIP_VERIFICATION) {
return logWarning('Not a dependabot PR, skipping.')
}

const commits = await client.getPullRequestCommits(pr.number)
if (!commits.every(commit => commit.author?.login === dependabotAuthor)) {
if (!commits.every(commit => commit.author?.login === dependabotAuthor) && !SKIP_VERIFICATION) {
return logWarning('PR contains non dependabot commits, skipping.')
}

if (!SKIP_COMMIT_VERIFICATION) {
if (!SKIP_COMMIT_VERIFICATION && !SKIP_VERIFICATION) {
try {
verifyCommits(commits)
} catch {
Expand Down Expand Up @@ -3132,6 +3133,7 @@ exports.getInputs = inputs => {
TARGET: mapUpdateType(inputs['target']),
PR_NUMBER: inputs['pr-number'],
SKIP_COMMIT_VERIFICATION: /true/i.test(inputs['skip-commit-verification']),
SKIP_VERIFICATION: /true/i.test(inputs['skip-verification']),
}
}

Expand Down Expand Up @@ -3280,7 +3282,7 @@ module.exports = require("util");
/***/ ((module) => {

"use strict";
module.exports = JSON.parse('{"name":"github-action-merge-dependabot","version":"3.6.4","description":"A GitHub action to automatically merge and approve Dependabot pull requests","main":"src/index.js","scripts":{"build":"ncc build src/index.js","lint":"eslint .","test":"tap test/**.test.js","prepare":"husky install"},"author":{"name":"Salman Mitha","email":"[email protected]"},"contributors":["Simone Busoli <[email protected]>"],"license":"MIT","repository":{"type":"git","url":"git+https://github.com/fastify/github-action-merge-dependabot.git"},"bugs":{"url":"https://github.com/fastify/github-action-merge-dependabot/issues"},"homepage":"https://github.com/fastify/github-action-merge-dependabot#readme","dependencies":{"@actions/core":"^1.9.1","@actions/github":"^5.1.1","actions-toolkit":"github:nearform/actions-toolkit","gitdiff-parser":"^0.3.1","semver":"^7.4.0"},"devDependencies":{"@vercel/ncc":"^0.36.1","eslint":"^8.38.0","eslint-config-prettier":"^8.8.0","eslint-plugin-prettier":"^4.2.1","husky":"^8.0.3","prettier":"^2.8.7","proxyquire":"^2.1.3","sinon":"^15.0.3","tap":"^16.3.4"}}');
module.exports = JSON.parse('{"name":"github-action-merge-dependabot","version":"3.6.4","description":"A GitHub action to automatically merge and approve Dependabot pull requests","main":"src/index.js","scripts":{"build":"ncc build src/index.js","lint":"eslint .","test":"tap test/**.test.js","prepare":"husky install"},"author":{"name":"Salman Mitha","email":"[email protected]"},"contributors":["Simone Busoli <[email protected]>"],"license":"MIT","repository":{"type":"git","url":"git+https://github.com/fastify/github-action-merge-dependabot.git"},"bugs":{"url":"https://github.com/fastify/github-action-merge-dependabot/issues"},"homepage":"https://github.com/fastify/github-action-merge-dependabot#readme","dependencies":{"@actions/core":"^1.9.1","@actions/github":"^5.1.1","actions-toolkit":"github:nearform/actions-toolkit","gitdiff-parser":"^0.3.1","semver":"^7.5.0"},"devDependencies":{"@vercel/ncc":"^0.36.1","eslint":"^8.39.0","eslint-config-prettier":"^8.8.0","eslint-plugin-prettier":"^4.2.1","husky":"^8.0.3","prettier":"^2.8.8","proxyquire":"^2.1.3","sinon":"^15.0.4","tap":"^16.3.4"}}');

/***/ })

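Review bot: the embedded package.json in this rebuilt bundle also changes `semver` from `^7.4.0` to `^7.5.0`, `eslint` to `^8.39.0`, `prettier` to `^2.8.8` and `sinon` to `^15.0.4`, none of which relates to `skip-verification`. Rebuild `dist/index.js` from a tree that contains only this feature, or move the dependency bumps into their own commit, so the shipped bundle can be checked line for line against `src/`.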
2 changes: 1 addition & 1 deletion package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

7 changes: 4 additions & 3 deletions src/action.js
Expand Up @@ -32,6 +32,7 @@ module.exports = async function run({
TARGET,
PR_NUMBER,
SKIP_COMMIT_VERIFICATION,
SKIP_VERIFICATION,
} = getInputs(inputs)

try {
Expand All @@ -49,16 +50,16 @@ module.exports = async function run({
const pr = pull_request || (await client.getPullRequest(PR_NUMBER))

const isDependabotPR = pr.user.login === dependabotAuthor
if (!isDependabotPR) {
if (!isDependabotPR && !SKIP_VERIFICATION) {
return logWarning('Not a dependabot PR, skipping.')
}

const commits = await client.getPullRequestCommits(pr.number)
if (!commits.every(commit => commit.author?.login === dependabotAuthor)) {
if (!commits.every(commit => commit.author?.login === dependabotAuthor) && !SKIP_VERIFICATION) {
return logWarning('PR contains non dependabot commits, skipping.')
}

if (!SKIP_COMMIT_VERIFICATION) {
if (!SKIP_COMMIT_VERIFICATION && !SKIP_VERIFICATION) {
try {
verifyCommits(commits)
} catch {
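Review bot: when `SKIP_VERIFICATION` is true, all three guards in this hunk fall through without logging anything, so a run that processed a non-Dependabot PR looks the same in the logs as a normal one. Emit a `logWarning` once when the flag is set, naming the checks being bypassed. The flag also makes `SKIP_COMMIT_VERIFICATION` redundant whenever it is on; consider branching once on `SKIP_VERIFICATION` around the author check, the commit-author check and `verifyCommits`, instead of appending `&& !SKIP_VERIFICATION` to each condition, which is easy to miss when another check is added later.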
1 change: 1 addition & 0 deletions src/util.js
Expand Up @@ -47,5 +47,6 @@ exports.getInputs = inputs => {
TARGET: mapUpdateType(inputs['target']),
PR_NUMBER: inputs['pr-number'],
SKIP_COMMIT_VERIFICATION: /true/i.test(inputs['skip-commit-verification']),
SKIP_VERIFICATION: /true/i.test(inputs['skip-verification']),
}
}
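Review bot: `/true/i.test(inputs['skip-verification'])` is unanchored, so any value that merely contains the substring, such as `untrue` or `not-true`, turns off both author and commit verification. It copies the existing `skip-commit-verification` line, but for a flag that disables every check an exact match is the safer parse: `/^true$/i`. When the input is absent, `test` receives `undefined`, which coerces to the string `'undefined'` and does not match, so the default stays off.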