From 29dc6db06eafcbc87b2ecc3b760911cc60b43423 Mon Sep 17 00:00:00 2001
From: Barry Gordon <brrygrdn@github.com>
Date: Thu, 30 Jun 2022 14:27:21 +0100
Subject: [PATCH 1/4] getMessage can skip commit verification checks

---
 src/dependabot/verified_commits.test.ts | 17 +++++++++++++++++
 src/dependabot/verified_commits.ts      |  4 ++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/dependabot/verified_commits.test.ts b/src/dependabot/verified_commits.test.ts
index 2576b8a8..5c556213 100644
--- a/src/dependabot/verified_commits.test.ts
+++ b/src/dependabot/verified_commits.test.ts
@@ -70,6 +70,23 @@ test('it returns false if the commit is has no verification payload', async () =
   expect(await getMessage(mockGitHubClient, mockGitHubPullContext())).toBe(false)
 })
 
+test('it returns the message if the commit is has no verification payload but verification is skipped', async () => {
+  nock('https://api.github.com').get('/repos/dependabot/dependabot/pulls/101/commits')
+    .reply(200, [
+      {
+        author: {
+          login: 'dependabot[bot]'
+        },
+        commit: {
+          message: 'Bump lodash from 1.0.0 to 2.0.0',
+          verification: null
+        }
+      }
+    ])
+
+  expect(await getMessage(mockGitHubClient, mockGitHubPullContext(), true)).toEqual('Bump lodash from 1.0.0 to 2.0.0')
+})
+
 test('it returns false if the commit is not verified', async () => {
   nock('https://api.github.com').get('/repos/dependabot/dependabot/pulls/101/commits')
     .reply(200, [
diff --git a/src/dependabot/verified_commits.ts b/src/dependabot/verified_commits.ts
index 4e9cb994..93ffb194 100644
--- a/src/dependabot/verified_commits.ts
+++ b/src/dependabot/verified_commits.ts
@@ -6,7 +6,7 @@ import https from 'https'
 
 const DEPENDABOT_LOGIN = 'dependabot[bot]'
 
-export async function getMessage (client: InstanceType<typeof GitHub>, context: Context): Promise<string | false> {
+export async function getMessage (client: InstanceType<typeof GitHub>, context: Context, skipCommitVerification = false): Promise<string | false> {
   core.debug('Verifying the job is for an authentic Dependabot Pull Request')
 
   const { pull_request: pr } = context.payload
@@ -43,7 +43,7 @@ export async function getMessage (client: InstanceType<typeof GitHub>, context:
     return false
   }
 
-  if (!commit.verification?.verified) {
+  if (!skipCommitVerification && !commit.verification?.verified) {
     // TODO: Promote to setFailed
     core.warning(
       "Dependabot's commit signature is not verified, refusing to proceed."

From b1673a77b4f79f1285877eb4471c865aa2f9d767 Mon Sep 17 00:00:00 2001
From: Barry Gordon <brrygrdn@github.com>
Date: Thu, 30 Jun 2022 14:36:01 +0100
Subject: [PATCH 2/4] Add skip-commit-verification input

---
 action.yml       | 4 ++++
 src/main.test.ts | 1 +
 src/main.ts      | 2 +-
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/action.yml b/action.yml
index dbf07cb7..143b59e2 100644
--- a/action.yml
+++ b/action.yml
@@ -13,6 +13,10 @@ inputs:
   github-token:
     description: 'The GITHUB_TOKEN secret'
     default: ${{ github.token }}
+  skip-commit-verification:
+    type: boolean
+    description: 'If true, the action will not expect Dependabot commits to be verified. This should be set as 'true' in GHES environments.'
+    default: false
 outputs:
   dependency-names:
     description: 'A comma-separated list of all package names updated.'
diff --git a/src/main.test.ts b/src/main.test.ts
index c863b229..94a67c77 100644
--- a/src/main.test.ts
+++ b/src/main.test.ts
@@ -10,6 +10,7 @@ beforeEach(() => {
   jest.spyOn(core, 'info').mockImplementation(jest.fn())
   jest.spyOn(core, 'setFailed').mockImplementation(jest.fn())
   jest.spyOn(core, 'startGroup').mockImplementation(jest.fn())
+  jest.spyOn(core, 'getBooleanInput').mockReturnValue(false)
 })
 
 test('it early exits with an error if github-token is not set', async () => {
diff --git a/src/main.ts b/src/main.ts
index 3a534546..232e3102 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -22,7 +22,7 @@ export async function run (): Promise<void> {
     const githubClient = github.getOctokit(token)
 
     // Validate the job
-    const commitMessage = await verifiedCommits.getMessage(githubClient, github.context)
+    const commitMessage = await verifiedCommits.getMessage(githubClient, github.context, core.getBooleanInput('skip-commit-verification'))
     const branchNames = util.getBranchNames(github.context)
     let alertLookup: updateMetadata.alertLookup | undefined
     if (core.getInput('alert-lookup')) {

From d882a801637f12cecde9a4dda035f1a8041e6acc Mon Sep 17 00:00:00 2001
From: Barry Gordon <brrygrdn@github.com>
Date: Thu, 30 Jun 2022 14:38:02 +0100
Subject: [PATCH 3/4] Update documentation

---
 README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README.md b/README.md
index ea39cca7..f49e9baa 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,9 @@ Supported inputs are:
 - `compat-lookup` (boolean)
   - If `true`, then populate the `compatibility-score` output.
   - Defaults to `false`
+- `skip-commit-verification` (boolean)
+  - If `true`, then the action will not expect the commits to have a verification signature. **It is required to set this to 'true' in GitHub Enterprise Server**
+  - Defaults to `false`
 
 Subsequent actions will have access to the following outputs:
 

From 6c87543e47e96b3fb3bb924ccb5f263d3e87e5eb Mon Sep 17 00:00:00 2001
From: Barry Gordon <brrygrdn@github.com>
Date: Thu, 30 Jun 2022 14:43:46 +0100
Subject: [PATCH 4/4] Bump dist/

---
 dist/index.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dist/index.js b/dist/index.js
index 3d4bf343..3f298e45 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -9065,7 +9065,7 @@ exports.getCompatibility = exports.trimSlashes = exports.getAlert = exports.getM
 const core = __importStar(__nccwpck_require__(2186));
 const https_1 = __importDefault(__nccwpck_require__(5687));
 const DEPENDABOT_LOGIN = 'dependabot[bot]';
-function getMessage(client, context) {
+function getMessage(client, context, skipCommitVerification = false) {
     var _a;
     return __awaiter(this, void 0, void 0, function* () {
         core.debug('Verifying the job is for an authentic Dependabot Pull Request');
@@ -9092,7 +9092,7 @@ function getMessage(client, context) {
             core.warning('It looks like this PR was not created by Dependabot, refusing to proceed.');
             return false;
         }
-        if (!((_a = commit.verification) === null || _a === void 0 ? void 0 : _a.verified)) {
+        if (!skipCommitVerification && !((_a = commit.verification) === null || _a === void 0 ? void 0 : _a.verified)) {
             // TODO: Promote to setFailed
             core.warning("Dependabot's commit signature is not verified, refusing to proceed.");
             return false;
@@ -9216,7 +9216,7 @@ function run() {
         try {
             const githubClient = github.getOctokit(token);
             // Validate the job
-            const commitMessage = yield verifiedCommits.getMessage(githubClient, github.context);
+            const commitMessage = yield verifiedCommits.getMessage(githubClient, github.context, core.getBooleanInput('skip-commit-verification'));
             const branchNames = util.getBranchNames(github.context);
             let alertLookup;
             if (core.getInput('alert-lookup')) {