feat: add option to skip-verification (#411)
* feat: add option to skip-verification

When enabled, both author and commit verification are disabled

Closes #378

* Update src/action.js

Co-authored-by: KaKa <climba03003@gmail.com>

* Update src/action.js

Co-authored-by: KaKa <climba03003@gmail.com>

* regenerate dist

* fix linting

---------

Co-authored-by: KaKa <climba03003@gmail.com>
yeikel and climba03003 committed Apr 25, 2023
1 parent 28bd9f9 commit 9830c7f
Showing 8 changed files with 149 additions and 20 deletions.
23 changes: 12 additions & 11 deletions README.md
Expand Up @@ -20,17 +20,18 @@ Error: Resource not accessible by integration

## Inputs

| input | required | default | description |
|----------------------------|----------|--------------------------|-----------------------------------------------------------------|
| `github-token` | No | `${{github.token}}` | A GitHub token. |
| `exclude` | No | | A comma or semicolon separated value of packages that you don't want to auto-merge and would like to manually review to decide whether to upgrade or not. |
| `approve-only` | No | `false` | If `true`, the PR is only approved but not merged. |
| `merge-method` | No | `squash` | The merge method you would like to use (squash, merge, rebase). |
| `merge-comment` | No | `''` | An arbitrary message that you'd like to comment on the PR after it gets auto-merged. This is only useful when you're receiving too much of noise in email and would like to filter mails for PRs that got automatically merged. |
| `use-github-auto-merge` | No | `false` | If `true`, the PR is marked as auto-merge and will be merged by GitHub when status checks are satisfied.<br /><br />_NOTE_: This feature only works when all of the following conditions are met.<br />- The repository enables auto-merge. <br />- The pull request base must have a branch protection rule. <br />- The pull request's status checks are not yet satisfied.<br /></br>Refer to [the official document](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request) about GitHub auto-merge. |
| `target` | No | `any` | A flag to only auto-merge updates based on Semantic Versioning.<br />Possible options are: `major, premajor, minor, preminor, patch, prepatch, prerelease, any`.<br /><br />For more details on how semantic version difference is calculated please see [semver](https://www.npmjs.com/package/semver) package.<br /><br />If you set a value other than `any`, PRs that are not semantic version compliant are skipped. An example of a non-semantic version is a commit hash when using git submodules.|
| `pr-number` | No | | A pull request number, only required if triggered from a workflow_dispatch event. Typically this would be triggered by a script running in a separate CI provider. See [Trigger action from workflow_dispatch event](#trigger-action-from-workflow_dispatch-event) example. |
| `skip-commit-verification` | No | `false` | If `true`, then the action will not expect the commits to have a verification signature. It is required to set this to `true` in GitHub Enterprise Server. |
| input | required | default | description |
|----------------------------|----------|---------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `github-token` | No | `${{github.token}}` | A GitHub token. |
| `exclude` | No | | A comma or semicolon separated value of packages that you don't want to auto-merge and would like to manually review to decide whether to upgrade or not. |
| `approve-only` | No | `false` | If `true`, the PR is only approved but not merged. |
| `merge-method` | No | `squash` | The merge method you would like to use (squash, merge, rebase). |
| `merge-comment` | No | `''` | An arbitrary message that you'd like to comment on the PR after it gets auto-merged. This is only useful when you're receiving too much of noise in email and would like to filter mails for PRs that got automatically merged. |
| `use-github-auto-merge` | No | `false` | If `true`, the PR is marked as auto-merge and will be merged by GitHub when status checks are satisfied.<br /><br />_NOTE_: This feature only works when all of the following conditions are met.<br />- The repository enables auto-merge. <br />- The pull request base must have a branch protection rule. <br />- The pull request's status checks are not yet satisfied.<br /></br>Refer to [the official document](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request) about GitHub auto-merge. |
| `target` | No | `any` | A flag to only auto-merge updates based on Semantic Versioning.<br />Possible options are: `major, premajor, minor, preminor, patch, prepatch, prerelease, any`.<br /><br />For more details on how semantic version difference is calculated please see [semver](https://www.npmjs.com/package/semver) package.<br /><br />If you set a value other than `any`, PRs that are not semantic version compliant are skipped. An example of a non-semantic version is a commit hash when using git submodules. |
| `pr-number` | No | | A pull request number, only required if triggered from a workflow_dispatch event. Typically this would be triggered by a script running in a separate CI provider. See [Trigger action from workflow_dispatch event](#trigger-action-from-workflow_dispatch-event) example. |
| `skip-commit-verification` | No | `false` | If `true`, then the action will not expect the commits to have a verification signature. It is required to set this to `true` in GitHub Enterprise Server. |
| `skip-verification` | No | `false` | If true, the action will not validate the user or the commit verification status |

## Examples

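Review bot: the new `skip-verification` row understates what the flag does. Per the `src/action.js` change in this commit, `skip-verification: true` removes all three checks at once: that the PR author is `dependabot[bot]`, that every commit author is `dependabot[bot]`, and that the commits carry a verified signature. Any pull request that reaches this action is then approved and merged, subject only to `exclude` and `target`. The description should say that plainly and recommend enabling it only in workflows whose trigger already restricts who can open the PR (for example a `workflow_dispatch` run with `pr-number` from a trusted script), and never for PRs from forks, where the token permissions the README warns about above are the only remaining barrier. Two smaller points: `If true` should be `` `true` `` to match the other rows, and the row should state that it supersedes `skip-commit-verification`, since signature verification is skipped whenever either flag is set.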
Expand Down
9 changes: 7 additions & 2 deletions action.yml
Expand Up @@ -36,19 +36,24 @@ inputs:
description: 'If true, then the action will not expect the commits to have a verification signature. It is required to set this to true in GitHub Enterprise Server'
required: false
default: false
skip-verification:
type: boolean
description: 'If true, the action will not validate the user or the commit verification status'
default: false

runs:
using: 'composite'
steps:
- name: Fetch metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v1
if: ${{ github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' }}
if: github.event_name == 'pull_request' && (github.actor == 'dependabot[bot]' || skip-verification == 'true')
with:
skip-commit-verification: ${{ inputs.skip-commit-verification }}
skip-verification : ${{ inputs.skip-verification }}
- name: Merge/approve PR
uses: actions/github-script@v6
if: ${{ github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' }}
if: github.event_name == 'pull_request' && (github.actor == 'dependabot[bot]' || skip-verification == 'true')
with:
github-token: ${{ inputs.github-token }}
script: |
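Review bot: both `if:` conditions in this hunk reference `skip-verification` as a bare name, but a composite action's inputs are only reachable through the `inputs` context, so the expression has to be `inputs.skip-verification == 'true'`. As written GitHub rejects the expression with an unrecognized named-value error before either step runs, which means the option has not been exercised end to end; the tests added in this PR only cover `src/action.js`. Keep the two conditions identical once fixed, since the merge step must never run for a PR the metadata step was gated out of. Nits: `skip-verification : ${{ inputs.skip-verification }}` has a stray space before the colon, and the new input omits `required: false` while its sibling `skip-commit-verification` declares it; harmless, but keep the input definitions consistent.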
Expand Down
11 changes: 8 additions & 3 deletions dist/index.js
Expand Up @@ -2803,6 +2803,7 @@ module.exports = async function run({
TARGET,
PR_NUMBER,
SKIP_COMMIT_VERIFICATION,
SKIP_VERIFICATION,
} = getInputs(inputs)

try {
Expand All @@ -2820,16 +2821,19 @@ module.exports = async function run({
const pr = pull_request || (await client.getPullRequest(PR_NUMBER))

const isDependabotPR = pr.user.login === dependabotAuthor
if (!isDependabotPR) {
if (!SKIP_VERIFICATION && !isDependabotPR) {
return logWarning('Not a dependabot PR, skipping.')
}

const commits = await client.getPullRequestCommits(pr.number)
if (!commits.every(commit => commit.author?.login === dependabotAuthor)) {
if (
!SKIP_VERIFICATION &&
!commits.every(commit => commit.author?.login === dependabotAuthor)
) {
return logWarning('PR contains non dependabot commits, skipping.')
}

if (!SKIP_COMMIT_VERIFICATION) {
if (!SKIP_COMMIT_VERIFICATION && !SKIP_VERIFICATION) {
try {
verifyCommits(commits)
} catch {
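Review bot: this is the bundled copy of the `src/action.js` change and should be checked against the source hunk rather than reviewed on its own; the three `SKIP_VERIFICATION` guards here do match it. The commit history shows `regenerate dist` landing after the two `Update src/action.js` review edits, which is the right order, but nothing enforces it: a CI job that rebuilds `dist` and fails on a diff would catch the next PR that edits `src` and forgets the bundle, and for an action that decides what gets merged that drift is a real risk.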
Expand Down Expand Up @@ -3132,6 +3136,7 @@ exports.getInputs = inputs => {
TARGET: mapUpdateType(inputs['target']),
PR_NUMBER: inputs['pr-number'],
SKIP_COMMIT_VERIFICATION: /true/i.test(inputs['skip-commit-verification']),
SKIP_VERIFICATION: /true/i.test(inputs['skip-verification']),
}
}

Expand Down
2 changes: 1 addition & 1 deletion package-lock.json


10 changes: 7 additions & 3 deletions src/action.js
Expand Up @@ -32,6 +32,7 @@ module.exports = async function run({
TARGET,
PR_NUMBER,
SKIP_COMMIT_VERIFICATION,
SKIP_VERIFICATION,
} = getInputs(inputs)

try {
Expand All @@ -49,16 +50,19 @@ module.exports = async function run({
const pr = pull_request || (await client.getPullRequest(PR_NUMBER))

const isDependabotPR = pr.user.login === dependabotAuthor
if (!isDependabotPR) {
if (!SKIP_VERIFICATION && !isDependabotPR) {
return logWarning('Not a dependabot PR, skipping.')
}

const commits = await client.getPullRequestCommits(pr.number)
if (!commits.every(commit => commit.author?.login === dependabotAuthor)) {
if (
!SKIP_VERIFICATION &&
!commits.every(commit => commit.author?.login === dependabotAuthor)
) {
return logWarning('PR contains non dependabot commits, skipping.')
}

if (!SKIP_COMMIT_VERIFICATION) {
if (!SKIP_COMMIT_VERIFICATION && !SKIP_VERIFICATION) {
try {
verifyCommits(commits)
} catch {
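Review bot: the three guards in this hunk make `SKIP_VERIFICATION` a single switch that turns off the PR-author check, the commit-author check and signature verification together, yet nothing is logged when a check is bypassed, so a merge done with every check disabled is indistinguishable in the run log from a fully verified one. Emit a `logWarning` (for example `'skip-verification is set, merging without author or signature verification'`) before the first skipped check so the decision is auditable. Separately, consider whether the PR-author check should stay in place even with the flag set: `skip-commit-verification` already exists for GitHub Enterprise Server, where signatures are the problem, and there is no stated reason the `pr.user.login === dependabotAuthor` check has to go with it; dropping it is what turns this action into "merge any PR".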
Expand Down
1 change: 1 addition & 0 deletions src/util.js
Expand Up @@ -47,5 +47,6 @@ exports.getInputs = inputs => {
TARGET: mapUpdateType(inputs['target']),
PR_NUMBER: inputs['pr-number'],
SKIP_COMMIT_VERIFICATION: /true/i.test(inputs['skip-commit-verification']),
SKIP_VERIFICATION: /true/i.test(inputs['skip-verification']),
}
}
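Review bot: `/true/i.test(inputs['skip-verification'])` is a substring match, so values such as `"untrue"` or `"not true"` enable the flag. The pattern is copied from `SKIP_COMMIT_VERIFICATION`, but this flag disables every safety check in the action, so a strict comparison is warranted: `/^true$/i.test(...)` or `String(inputs['skip-verification']).trim().toLowerCase() === 'true'`, applied to both inputs so they behave the same. The `BOOLEAN_INPUTS` table in `test/util.test.js` makes that an easy shared test to extend.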
109 changes: 109 additions & 0 deletions test/action.test.js
Expand Up @@ -206,6 +206,39 @@ for (const prCommitsStub of prCommitsStubs) {
})
}

for (const prCommitsStub of prCommitsStubs) {
tap.test(
'should NOT skip PR with non dependabot commit when skip-verification is enabled',
async () => {
const PR_NUMBER = Math.random()
const { action, stubs } = buildStubbedAction({
payload: {
pull_request: {
user: {
login: BOT_NAME,
},
number: PR_NUMBER,
},
},
inputs: {
'skip-verification': true,
},
})
stubs.prCommitsStub.resolves([prCommitsStub])

await action()

sinon.assert.calledWithExactly(
stubs.logStub.logInfo,
'Dependabot merge completed'
)
sinon.assert.calledOnce(stubs.prCommitsStub)
sinon.assert.calledOnce(stubs.approveStub)
sinon.assert.calledOnce(stubs.mergeStub)
}
)
}

tap.test(
'should skip PR if dependabot commit signatures cannot be verified',
async () => {
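Review bot: the new loop test keeps `pull_request.user.login` at `BOT_NAME`, so it exercises only the commit-author bypass (`!commits.every(...)`), not the PR-author bypass (`!isDependabotPR`) that `skip-verification` also introduces; one of the new tests needs a non-bot `login` in the payload to cover that branch. It would also help to assert `sinon.assert.notCalled(stubs.logStub.logWarning)`, since the skip paths exit through `logWarning` and a future regression that warns and then still merges would otherwise pass.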
Expand Down Expand Up @@ -280,6 +313,82 @@ tap.test(
}
)

tap.test(
'should review and merge even if commit signatures cannot be verified when skip-verification is enabled',
async () => {
const PR_NUMBER = Math.random()
const { action, stubs } = buildStubbedAction({
payload: {
pull_request: {
user: {
login: BOT_NAME,
},
number: PR_NUMBER,
},
},
inputs: {
'skip-verification': true,
},
})

stubs.prCommitsStub.resolves([
{
author: {
login: 'dependabot[bot]',
},
},
])

await action()

sinon.assert.calledWithExactly(
stubs.logStub.logInfo,
'Dependabot merge completed'
)
sinon.assert.notCalled(stubs.coreStub.setFailed)
sinon.assert.calledOnce(stubs.approveStub)
sinon.assert.calledOnce(stubs.mergeStub)
}
)

tap.test(
'should review and merge even the user is not dependabot when skip-verification is enabled',
async () => {
const PR_NUMBER = Math.random()
const { action, stubs } = buildStubbedAction({
payload: {
pull_request: {
user: {
login: BOT_NAME,
},
number: PR_NUMBER,
},
},
inputs: {
'skip-verification': true,
},
})

stubs.prCommitsStub.resolves([
{
author: {
login: 'myCustomUser',
},
},
])

await action()

sinon.assert.calledWithExactly(
stubs.logStub.logInfo,
'Dependabot merge completed'
)
sinon.assert.notCalled(stubs.coreStub.setFailed)
sinon.assert.calledOnce(stubs.approveStub)
sinon.assert.calledOnce(stubs.mergeStub)
}
)

tap.test('should ignore excluded package', async () => {
const PR_NUMBER = Math.random()
const { action, stubs } = buildStubbedAction({
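Review bot: `'should review and merge even the user is not dependabot when skip-verification is enabled'` does not test what its title says: `pull_request.user.login` is still `BOT_NAME` and only the commit author is `myCustomUser`, so this is a second copy of the non-dependabot-commit case and the `!isDependabotPR` branch is never hit. Set `login: 'myCustomUser'` in the payload (keeping a dependabot commit) so the PR-author bypass is covered. The signature test just above it stubs a commit with no `verification` data and relies on `verifyCommits` failing on that shape; add the matching negative case with `'skip-verification': false` on the same stub so the test demonstrably fails without the flag. Title grammar: `even if the user is not dependabot`.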
Expand Down
4 changes: 4 additions & 0 deletions test/util.test.js
Expand Up @@ -39,6 +39,10 @@ const BOOLEAN_INPUTS = [
input: 'skip-commit-verification',
key: 'SKIP_COMMIT_VERIFICATION',
},
{
input: 'skip-verification',
key: 'SKIP_VERIFICATION',
},
]

tap.test('getInputs', async t => {
Expand Down

0 comments on commit 9830c7f
