Check PR Author instead of Action Actor

.github/workflows/dependabot-auto-merge.yml

@@ -6,7 +6,7 @@ permissions:
 jobs:
   dependabot:
     runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     steps:
       - name: Check out code
         uses: actions/checkout@v2

README.md

@@ -63,8 +63,8 @@ permissions:
 jobs:
   dependabot:
     runs-on: ubuntu-latest
-    # Checking the actor will prevent your Action run failing on non-Dependabot PRs
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    # Checking the author will prevent your Action run failing on non-Dependabot PRs
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     steps:
       - name: Dependabot metadata
         id: dependabot-metadata
@@ -94,7 +94,7 @@ permissions:
 jobs:
   dependabot:
     runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     steps:
       - name: Dependabot metadata
         id: dependabot-metadata
@@ -125,7 +125,7 @@ permissions:
 jobs:
   dependabot:
     runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     steps:
       - name: Dependabot metadata
         id: dependabot-metadata

src/dependabot/verified_commits.test.ts

@@ -29,7 +29,7 @@ test('it returns false for an event triggered by someone other than Dependabot',
   expect(await getMessage(mockGitHubClient, mockGitHubPullContext('jane-doe'))).toBe(false)
 
   expect(core.debug).toHaveBeenCalledWith(
-    expect.stringContaining("Event actor 'jane-doe' is not Dependabot.")
+    expect.stringContaining("PR author 'jane-doe' is not Dependabot.")
   )
 })
 
@@ -142,11 +142,14 @@ function mockGitHubOtherContext (): Context {
   return ctx
 }
 
-function mockGitHubPullContext (actor = 'dependabot[bot]'): Context {
+function mockGitHubPullContext (author = 'dependabot[bot]'): Context {
   const ctx = new Context()
   ctx.payload = {
     pull_request: {
-      number: 101
+      number: 101,
+      user: {
+        login: author
+      }
     },
     repository: {
       name: 'dependabot',
@@ -155,6 +158,5 @@ function mockGitHubPullContext (actor = 'dependabot[bot]'): Context {
       }
     }
   }
-  ctx.actor = actor
   return ctx
 }

src/dependabot/verified_commits.ts

@@ -17,9 +17,9 @@ export async function getMessage (client: InstanceType<typeof GitHub>, context:
     return false
   }
 
-  // Don't bother hitting the API if the event actor isn't Dependabot
-  if (context.actor !== DEPENDABOT_LOGIN) {
-    core.debug(`Event actor '${context.actor}' is not Dependabot.`)
+  // Don't bother hitting the API if the PR author isn't Dependabot
+  if (pr.user.login !== DEPENDABOT_LOGIN) {
+    core.debug(`PR author '${pr.user.login}' is not Dependabot.`)
     return false
   }
 

src/dry-run.ts

@@ -23,7 +23,10 @@ async function check (args: any): Promise<void> {
     // Convert the CLI args into a stubbed Webhook payload
     actionContext.payload = {
       pull_request: {
-        number: args.prNumber
+        number: args.prNumber,
+        user: {
+          login: 'dependabot[bot]'
+        }
       },
       repository: {
         owner: {
@@ -32,8 +35,6 @@ async function check (args: any): Promise<void> {
         name: repoDetails.repo
       }
     }
-    // Bypass the actor check for purpose of a dry run
-    actionContext.actor = 'dependabot[bot]'
 
     const githubClient = github.getOctokit(githubToken)