getMessage can skip commit verification checks

src/dependabot/verified_commits.test.ts

@@ -70,6 +70,23 @@ test('it returns false if the commit is has no verification payload', async () =
   expect(await getMessage(mockGitHubClient, mockGitHubPullContext())).toBe(false)
 })
 
+test('it returns the message if the commit is has no verification payload but verification is skipped', async () => {
+  nock('https://api.github.com').get('/repos/dependabot/dependabot/pulls/101/commits')
+    .reply(200, [
+      {
+        author: {
+          login: 'dependabot[bot]'
+        },
+        commit: {
+          message: 'Bump lodash from 1.0.0 to 2.0.0',
+          verification: null
+        }
+      }
+    ])
+
+  expect(await getMessage(mockGitHubClient, mockGitHubPullContext(), true)).toEqual('Bump lodash from 1.0.0 to 2.0.0')
+})
+
 test('it returns false if the commit is not verified', async () => {
   nock('https://api.github.com').get('/repos/dependabot/dependabot/pulls/101/commits')
     .reply(200, [

src/dependabot/verified_commits.ts

@@ -6,7 +6,7 @@ import https from 'https'
 
 const DEPENDABOT_LOGIN = 'dependabot[bot]'
 
-export async function getMessage (client: InstanceType<typeof GitHub>, context: Context): Promise<string | false> {
+export async function getMessage (client: InstanceType<typeof GitHub>, context: Context, skipCommitVerification = false): Promise<string | false> {
   core.debug('Verifying the job is for an authentic Dependabot Pull Request')
 
   const { pull_request: pr } = context.payload
@@ -43,7 +43,7 @@ export async function getMessage (client: InstanceType<typeof GitHub>, context:
     return false
   }
 
-  if (!commit.verification?.verified) {
+  if (!skipCommitVerification && !commit.verification?.verified) {
     // TODO: Promote to setFailed
     core.warning(
       "Dependabot's commit signature is not verified, refusing to proceed."