feat(github): detect if repo has vulnerability alerts enabled (#26795)

renovatebot · Jan 22, 2024 · 8038ad8 · 8038ad8
1 parent d908ca3
commit 8038ad8
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 0 deletions.
diff --git a/lib/modules/platform/github/graphql.ts b/lib/modules/platform/github/graphql.ts
@@ -6,6 +6,7 @@ query($owner: String!, $name: String!) {
     isArchived
     nameWithOwner
     hasIssuesEnabled
+    hasVulnerabilityAlertsEnabled
     autoMergeAllowed
     mergeCommitAllowed
     rebaseMergeAllowed

diff --git a/lib/modules/platform/github/index.spec.ts b/lib/modules/platform/github/index.spec.ts
@@ -3336,6 +3336,16 @@ describe('modules/platform/github/index', () => {
   });
 
   describe('getVulnerabilityAlerts()', () => {
+    it('avoids fetching if repo has vulnerability alerts disabled', async () => {
+      const scope = httpMock.scope(githubApiHost);
+      initRepoMock(scope, 'some/repo', {
+        hasVulnerabilityAlertsEnabled: false,
+      });
+      await github.initRepo({ repository: 'some/repo' });
+      const res = await github.getVulnerabilityAlerts();
+      expect(res).toHaveLength(0);
+    });
+
     it('returns empty if error', async () => {
       httpMock.scope(githubApiHost).post('/graphql').reply(200, {});
       const res = await github.getVulnerabilityAlerts();

diff --git a/lib/modules/platform/github/index.ts b/lib/modules/platform/github/index.ts
@@ -465,6 +465,18 @@ export async function initRepo({
       infoQuery = infoQuery.replace(/\n\s*hasIssuesEnabled\s*\n/, '\n');
     }
 
+    // GitHub Enterprise Server <3.9.0 doesn't support hasVulnerabilityAlertsEnabled objects
+    if (
+      platformConfig.isGhe &&
+      // semver not null safe, accepts null and undefined
+      semver.satisfies(platformConfig.gheVersion!, '<3.9.0')
+    ) {
+      infoQuery = infoQuery.replace(
+        /\n\s*hasVulnerabilityAlertsEnabled\s*\n/,
+        '\n',
+      );
+    }
+
     const res = await githubApi.requestGraphql<{
       repository: GhRepo;
     }>(infoQuery, {
@@ -526,6 +538,7 @@ export async function initRepo({
     }
     config.autoMergeAllowed = repo.autoMergeAllowed;
     config.hasIssuesEnabled = repo.hasIssuesEnabled;
+    config.hasVulnerabilityAlertsEnabled = repo.hasVulnerabilityAlertsEnabled;
   } catch (err) /* istanbul ignore next */ {
     logger.debug({ err }, 'Caught initRepo error');
     if (
@@ -1848,6 +1861,10 @@ export function massageMarkdown(input: string): string {
 }
 
 export async function getVulnerabilityAlerts(): Promise<VulnerabilityAlert[]> {
+  if (config.hasVulnerabilityAlertsEnabled === false) {
+    logger.debug('No vulnerability alerts enabled for repo');
+    return [];
+  }
   let vulnerabilityAlerts: { node: VulnerabilityAlert }[] | undefined;
 
   // TODO #22198

diff --git a/lib/modules/platform/github/types.ts b/lib/modules/platform/github/types.ts
@@ -107,6 +107,7 @@ export interface LocalRepoConfig {
   ignorePrAuthor: boolean;
   autoMergeAllowed: boolean;
   hasIssuesEnabled: boolean;
+  hasVulnerabilityAlertsEnabled: boolean;
 }
 
 export type BranchProtection = any;
@@ -118,6 +119,7 @@ export interface GhRepo {
   nameWithOwner: string;
   autoMergeAllowed: boolean;
   hasIssuesEnabled: boolean;
+  hasVulnerabilityAlertsEnabled: boolean;
   mergeCommitAllowed: boolean;
   rebaseMergeAllowed: boolean;
   squashMergeAllowed: boolean;