diff --git a/README.md b/README.md index 99f42a4d..f3a122d8 100644 --- a/README.md +++ b/README.md @@ -56,7 +56,7 @@ _Optional_ A pull request number, only required if triggered from a workflow_dis ### `skip-commit-verification` -_Optional_ If true, then the [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) action will not expect the commits to have a verification signature. It is required to set this to true in GitHub Enterprise Server. +_Optional_ If true, then the action will not expect the commits to have a verification signature. It is required to set this to true in GitHub Enterprise Server. ## Usage diff --git a/dist/index.js b/dist/index.js index 40deefb9..9d46cf1b 100644 --- a/dist/index.js +++ b/dist/index.js @@ -2782,6 +2782,7 @@ module.exports = async function run({ USE_GITHUB_AUTO_MERGE, TARGET, PR_NUMBER, + SKIP_COMMIT_VERIFICATION, } = getInputs(inputs) try { @@ -2808,12 +2809,14 @@ module.exports = async function run({ return logWarning('PR contains non dependabot commits, skipping.') } - try { - await verifyCommits(commits) - } catch { - return logWarning( - 'PR contains invalid dependabot commit signatures, skipping.' - ) + if (!SKIP_COMMIT_VERIFICATION) { + try { + verifyCommits(commits) + } catch { + return logWarning( + 'PR contains invalid dependabot commit signatures, skipping.' + ) + } } if ( @@ -3108,6 +3111,7 @@ exports.getInputs = inputs => { USE_GITHUB_AUTO_MERGE: /true/i.test(inputs['use-github-auto-merge']), TARGET: mapUpdateType(inputs['target']), PR_NUMBER: inputs['pr-number'], + SKIP_COMMIT_VERIFICATION: /true/i.test(inputs['skip-commit-verification']), } } diff --git a/src/action.js b/src/action.js index 521d9579..b198f1a0 100644 --- a/src/action.js +++ b/src/action.js @@ -31,6 +31,7 @@ module.exports = async function run({ USE_GITHUB_AUTO_MERGE, TARGET, PR_NUMBER, + SKIP_COMMIT_VERIFICATION, } = getInputs(inputs) try { 
@@ -57,12 +58,14 @@ module.exports = async function run({ return logWarning('PR contains non dependabot commits, skipping.') } - try { - await verifyCommits(commits) - } catch { - return logWarning( - 'PR contains invalid dependabot commit signatures, skipping.' - ) + if (!SKIP_COMMIT_VERIFICATION) { + try { + verifyCommits(commits) + } catch { + return logWarning( + 'PR contains invalid dependabot commit signatures, skipping.' + ) + } } if ( diff --git a/src/util.js b/src/util.js index bfad8df9..e4a3f62b 100644 --- a/src/util.js +++ b/src/util.js @@ -46,5 +46,6 @@ exports.getInputs = inputs => { USE_GITHUB_AUTO_MERGE: /true/i.test(inputs['use-github-auto-merge']), TARGET: mapUpdateType(inputs['target']), PR_NUMBER: inputs['pr-number'], + SKIP_COMMIT_VERIFICATION: /true/i.test(inputs['skip-commit-verification']), } } diff --git a/test/action.test.js b/test/action.test.js index 2d515402..e46b42b3 100644 --- a/test/action.test.js +++ b/test/action.test.js @@ -79,9 +79,7 @@ function buildStubbedAction({ payload, inputs, dependabotMetadata }) { getPullRequestCommits: prCommitsStub.resolves([]), }) - const verifyCommitsStub = sinon - .stub(verifyCommits, 'verifyCommits') - .returns(Promise.resolve()) + const verifyCommitsStub = sinon.stub(verifyCommits, 'verifyCommits') const action = proxyquire('../src/action', { '@actions/core': coreStub, @@ -231,7 +229,7 @@ tap.test( }, ]) - stubs.verifyCommitsStub.rejects() + stubs.verifyCommitsStub.throws() await action() 
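Review bot: In src/action.js (and the bundled copy in dist/index.js), the new `if (!SKIP_COMMIT_VERIFICATION)` branch bypasses the signature check without leaving any trace in the run log, so nobody auditing a workflow run can tell that the PR went ahead on the remaining checks alone (the one visible here is the "non dependabot commits" check just above). I would record it on the skip path, for example `} else { logWarning('Commit signature verification skipped (skip-commit-verification is set).') }`. Separately, the new call drops `await` from `verifyCommits(commits)`; that is only safe if `verifyCommits` is synchronous, which the stub changes in test/action.test.js suggest but this diff does not show. If it still returns a promise, a rejection would escape the `try`/`catch` and the flow would continue past the check. The body of `run` starts and ends outside the hunk.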
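Review bot: In src/util.js (mirrored in dist/index.js), `/true/i.test(inputs['skip-commit-verification'])` is unanchored, so any value that merely contains "true" (constructed example: `untrue`) switches commit verification off. For an input that disables a security check the match should be exact: `SKIP_COMMIT_VERIFICATION: /^true$/i.test(inputs['skip-commit-verification']),`. The neighbouring boolean inputs use the same pattern, but a false positive there does not remove a provenance check. A test asserting that a value like `'untrue'` yields `false` for this key would pin the behaviour. `getInputs` starts outside the hunk.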
@@ -244,6 +242,44 @@ tap.test( } ) +tap.test( + 'should review and merge even if commit signatures cannot be verified with skip-commit-verification', + async () => { + const PR_NUMBER = Math.random() + const { action, stubs } = buildStubbedAction({ + payload: { + pull_request: { + user: { + login: BOT_NAME, + }, + number: PR_NUMBER, + }, + }, + inputs: { + 'skip-commit-verification': true, + }, + }) + + stubs.prCommitsStub.resolves([ + { + author: { + login: 'dependabot[bot]', + }, + }, + ]) + + await action() + + sinon.assert.calledWithExactly( + stubs.logStub.logInfo, + 'Dependabot merge completed' + ) + sinon.assert.notCalled(stubs.coreStub.setFailed) + sinon.assert.calledOnce(stubs.approveStub) + sinon.assert.calledOnce(stubs.mergeStub) + } +) + tap.test('should ignore excluded package', async () => { const PR_NUMBER = Math.random() const { action, stubs } = buildStubbedAction({ diff --git a/test/util.test.js b/test/util.test.js index 435e927d..785a1ed9 100644 --- a/test/util.test.js +++ b/test/util.test.js @@ -32,6 +32,15 @@ tap.test('parseCommaOrSemicolonSeparatedValue', async t => { }) }) +const BOOLEAN_INPUTS = [ + { input: 'approve-only', key: 'APPROVE_ONLY' }, + { input: 'use-github-auto-merge', key: 'USE_GITHUB_AUTO_MERGE' }, + { + input: 'skip-commit-verification', + key: 'SKIP_COMMIT_VERIFICATION', + }, +] + tap.test('getInputs', async t => { t.test('should fail if no inputs object is provided', async t => { t.throws(() => getInputs()) 
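Review bot: The new test in test/action.test.js never makes verification fail, so it passes even if the `skip-commit-verification` input is ignored entirely: after this commit `verifyCommitsStub` is a plain `sinon.stub(...)` that returns `undefined` by default. To exercise the skip path, add `stubs.verifyCommitsStub.throws()` before `await action()` and `sinon.assert.notCalled(stubs.verifyCommitsStub)` after it. With those two lines the test name ("even if commit signatures cannot be verified") matches what is actually asserted.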
@@ -60,14 +69,16 @@ tap.test('getInputs', async t => { 'test-merge-comment' ) }) - t.test('APPROVE_ONLY', async t => { - t.equal(getInputs({}).APPROVE_ONLY, false) - t.equal(getInputs({ 'approve-only': 'false' }).APPROVE_ONLY, false) - t.equal(getInputs({ 'approve-only': 'False' }).APPROVE_ONLY, false) - t.equal(getInputs({ 'approve-only': 'FALSE' }).APPROVE_ONLY, false) - t.equal(getInputs({ 'approve-only': 'true' }).APPROVE_ONLY, true) - t.equal(getInputs({ 'approve-only': 'True' }).APPROVE_ONLY, true) - t.equal(getInputs({ 'approve-only': 'TRUE' }).APPROVE_ONLY, true) + t.test('BOOLEAN INPUTS', async t => { + BOOLEAN_INPUTS.forEach(({ input, key }) => { + t.equal(getInputs({})[key], false) + t.equal(getInputs({ [input]: 'false' })[key], false) + t.equal(getInputs({ [input]: 'False' })[key], false) + t.equal(getInputs({ [input]: 'FALSE' })[key], false) + t.equal(getInputs({ [input]: 'true' })[key], true) + t.equal(getInputs({ [input]: 'True' })[key], true) + t.equal(getInputs({ [input]: 'TRUE' })[key], true) + }) }) t.test('TARGET', async t => { t.equal(