This repository has been archived by the owner on Aug 28, 2023. It is now read-only.
forked from dependabot/fetch-metadata
/
verified_commits.ts
63 lines (50 loc) · 1.76 KB
/
verified_commits.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
import * as core from '@actions/core'
import { GitHub } from '@actions/github/lib/utils'
import { Context } from '@actions/github/lib/context'
const DEPENDABOT_LOGIN = 'dependabot[bot]'
export async function getMessage (client: InstanceType<typeof GitHub>, context: Context): Promise<string | false> {
core.debug('Verifying the job is for an authentic Dependabot Pull Request')
const { pull_request: pr } = context.payload
if (!pr) {
core.warning(
"Event payload missing `pull_request` key. Make sure you're " +
'triggering this action on the `pull_request` or `pull_request_target` events.'
)
return false
}
// Don't bother hitting the API if the PR author isn't Dependabot
if (pr.user.login !== DEPENDABOT_LOGIN) {
core.debug(`PR author '${pr.user.login}' is not Dependabot.`)
return false
}
core.debug('Verifying the Pull Request contents are from Dependabot')
const { data: commits } = await client.rest.pulls.listCommits({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: pr.number
})
if (commits.length > 1) {
warnOtherCommits()
return false
}
const { commit, author } = commits[0]
if (author?.login !== DEPENDABOT_LOGIN) {
warnOtherCommits()
return false
}
if (!commit.verification?.verified) {
// TODO: Promote to setFailed
core.warning(
"Dependabot's commit signature is not verified, refusing to proceed."
)
return false
}
return commit.message
}
function warnOtherCommits (): void {
core.warning(
"It looks like this PR has contains commits that aren't part of a Dependabot update. " +
"Try using '@dependabot rebase' to remove merge commits or '@dependabot recreate' to remove " +
'any non-Dependabot changes.'
)
}