Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Check PR Author instead of Action Actor #137

Merged
merged 2 commits into from
Feb 21, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/dependabot-auto-merge.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ permissions:
jobs:
dependabot:
runs-on: ubuntu-latest
if: ${{ github.actor == 'dependabot[bot]' }}
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✨ Thanks for updating the documentation as well

steps:
- name: Check out code
uses: actions/checkout@v2
Expand Down
8 changes: 4 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -63,8 +63,8 @@ permissions:
jobs:
dependabot:
runs-on: ubuntu-latest
# Checking the actor will prevent your Action run failing on non-Dependabot PRs
if: ${{ github.actor == 'dependabot[bot]' }}
# Checking the author will prevent your Action run failing on non-Dependabot PRs
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
steps:
- name: Dependabot metadata
id: dependabot-metadata
Expand Down Expand Up @@ -94,7 +94,7 @@ permissions:
jobs:
dependabot:
runs-on: ubuntu-latest
if: ${{ github.actor == 'dependabot[bot]' }}
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
steps:
- name: Dependabot metadata
id: dependabot-metadata
Expand Down Expand Up @@ -125,7 +125,7 @@ permissions:
jobs:
dependabot:
runs-on: ubuntu-latest
if: ${{ github.actor == 'dependabot[bot]' }}
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
steps:
- name: Dependabot metadata
id: dependabot-metadata
Expand Down
6 changes: 3 additions & 3 deletions dist/index.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

10 changes: 6 additions & 4 deletions src/dependabot/verified_commits.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ test('it returns false for an event triggered by someone other than Dependabot',
expect(await getMessage(mockGitHubClient, mockGitHubPullContext('jane-doe'))).toBe(false)

expect(core.debug).toHaveBeenCalledWith(
expect.stringContaining("Event actor 'jane-doe' is not Dependabot.")
expect.stringContaining("PR author 'jane-doe' is not Dependabot.")
)
})

Expand Down Expand Up @@ -142,11 +142,14 @@ function mockGitHubOtherContext (): Context {
return ctx
}

function mockGitHubPullContext (actor = 'dependabot[bot]'): Context {
function mockGitHubPullContext (author = 'dependabot[bot]'): Context {
const ctx = new Context()
ctx.payload = {
pull_request: {
number: 101
number: 101,
user: {
login: author
}
},
repository: {
name: 'dependabot',
Expand All @@ -155,6 +158,5 @@ function mockGitHubPullContext (actor = 'dependabot[bot]'): Context {
}
}
}
ctx.actor = actor
return ctx
}
6 changes: 3 additions & 3 deletions src/dependabot/verified_commits.ts
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,9 @@ export async function getMessage (client: InstanceType<typeof GitHub>, context:
return false
}

// Don't bother hitting the API if the event actor isn't Dependabot
if (context.actor !== DEPENDABOT_LOGIN) {
core.debug(`Event actor '${context.actor}' is not Dependabot.`)
// Don't bother hitting the API if the PR author isn't Dependabot
if (pr.user.login !== DEPENDABOT_LOGIN) {
core.debug(`PR author '${pr.user.login}' is not Dependabot.`)
return false
}

Expand Down
7 changes: 4 additions & 3 deletions src/dry-run.ts
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,10 @@ async function check (args: any): Promise<void> {
// Convert the CLI args into a stubbed Webhook payload
actionContext.payload = {
pull_request: {
number: args.prNumber
number: args.prNumber,
user: {
login: 'dependabot[bot]'
}
},
repository: {
owner: {
Expand All @@ -32,8 +35,6 @@ async function check (args: any): Promise<void> {
name: repoDetails.repo
}
}
// Bypass the actor check for purpose of a dry run
actionContext.actor = 'dependabot[bot]'

const githubClient = github.getOctokit(githubToken)

Expand Down