Fix GHES support

[frequ]

Fixes #363

We got little further with the initial GHES support, but it still hits with the verifySignatures:

Warning: PR contains invalid dependabot commit signatures, skipping.

Checklist

• run npm run test and npm run benchmark
• tests and/or benchmarks are included
• documentation is changed or added
• commit message and code follows the Developer's Certification of Origin
  and the Code of conduct

[simoneb]

Thanks for the follow up. We need to be careful with this further changes as they open up surface for a potential attack, which is why we put in place commit verification. Therefore, before going on with this change I think it's worth taking some time to understand why you need this in the first place.

[frequ]

Thanks for the follow up. We need to be careful with this further changes as they open up surface for a potential attack, which is why we put in place commit verification. Therefore, before going on with this change I think it's worth taking some time to understand why you need this in the first place.

Well, we are using this action in our public github for automerging depdendabot PRs and would like to use the same action in GHES as well.

I do understand the potential security issues. I wonder if we could only allow skipping verifyCommit for GitHub Enterprise Server. E.g. check if GITHUB_SERVER_URL is set.

[simoneb]

What I would like to understand is why commits cannot be verified in a GHES environment

[frequ]

Not sure why dependabot is not a verified committer in GHES, but something similar was done here: dependabot/fetch-metadata#225

[frequ]

I was finally able to test this with GHES and can confirm that it fully works now.

[zetaab]

as customer for github enterprise server: we cannot fix how github is handling this in GHES. If github is allowing such PRs to their own organisation (dependabot dependabot/fetch-metadata#225) I think they do understand that the problem is not easy to solve in GHES side

[simoneb]

as customer for github enterprise server: we cannot fix how github is handling this in GHES. If github is allowing such PRs to their own organisation (dependabot dependabot/fetch-metadata#225) I think they do understand that the problem is not easy to solve in GHES side

Thanks for this clarification, this indeed gives us more confidence that we can do this change. Please allow some time for somebody from the team to review.

[davideroffo]

LGTM, just left a comment not related to your changes but that we can address with this PR.

[davideroffo]

We have noticed that the SKIP_COMMIT_VERIFICATION is parsed as a String instead of a boolean. For this reason, the verifyCommits will always be skipped.

You can try it easily by logging this in your branch:

if (typeof SKIP_COMMIT_VERIFICATION === 'boolean') {
    console.log('skip-commit-verification is a BOOLEAN!')
  } else if (typeof SKIP_COMMIT_VERIFICATION === 'string') {
    console.log('skip-commit-verification is a STRING!')
  }

Running the action you will see that the printed line will be:

skip-commit-verification is a STRING!

Can you fix this behaviour as well?

[frequ]

We have noticed that the SKIP_COMMIT_VERIFICATION is parsed as a String instead of a boolean. For this reason, the verifyCommits will always be skipped.

Can you fix this behaviour as well?

Good catch! Made a fix and extended tests to cover all the boolean inputs.

[davideroffo]

LGTM