From 29dc6db06eafcbc87b2ecc3b760911cc60b43423 Mon Sep 17 00:00:00 2001
From: Barry Gordon
Date: Thu, 30 Jun 2022 14:27:21 +0100
Subject: [PATCH] getMessage can skip commit verification checks
---
 src/dependabot/verified_commits.test.ts | 17 +++++++++++++++++
 src/dependabot/verified_commits.ts | 4 ++--
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/dependabot/verified_commits.test.ts b/src/dependabot/verified_commits.test.ts
index 2576b8a8..5c556213 100644
--- a/src/dependabot/verified_commits.test.ts
+++ b/src/dependabot/verified_commits.test.ts
@@ -70,6 +70,23 @@ test('it returns false if the commit is has no verification payload', async () =
 expect(await getMessage(mockGitHubClient, mockGitHubPullContext())).toBe(false)
 })
+test('it returns the message if the commit is has no verification payload but verification is skipped', async () => {
+ nock('https://api.github.com').get('/repos/dependabot/dependabot/pulls/101/commits')
+ .reply(200, [
+ {
+ author: {
+ login: 'dependabot[bot]'
+ },
+ commit: {
+ message: 'Bump lodash from 1.0.0 to 2.0.0',
+ verification: null
+ }
+ }
+ ])
+
+ expect(await getMessage(mockGitHubClient, mockGitHubPullContext(), true)).toEqual('Bump lodash from 1.0.0 to 2.0.0')
+})
+
 test('it returns false if the commit is not verified', async () => {
 nock('https://api.github.com').get('/repos/dependabot/dependabot/pulls/101/commits')
 .reply(200, [
diff --git a/src/dependabot/verified_commits.ts b/src/dependabot/verified_commits.ts
index 4e9cb994..93ffb194 100644
--- a/src/dependabot/verified_commits.ts
+++ b/src/dependabot/verified_commits.ts
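Review bot: The new test pins the skip only for `verification: null`; the condition it exercises in verified_commits.ts also short-circuits when a payload is present but `verified` is false, so a second case with `verification: { verified: false }` and the flag set to true would cover the more realistic bypass (an unsigned or badly signed commit) rather than only a missing payload. The test name also carries over the "is has" typo from the test directly above it: `test('it returns the message if the commit has no verification payload but verification is skipped', async () => {`. Since this test is the only place the bypass is exercised, it is also where a reader will look for what the flag means, so the name should say that the signature check specifically is being skipped.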
@@ -6,7 +6,7 @@ import https from 'https'
 const DEPENDABOT_LOGIN = 'dependabot[bot]'
-export async function getMessage (client: InstanceType, context: Context): Promise {
+export async function getMessage (client: InstanceType, context: Context, skipCommitVerification = false): Promise {
 core.debug('Verifying the job is for an authentic Dependabot Pull Request')
 const { pull_request: pr } = context.payload
@@ -43,7 +43,7 @@ export async function getMessage (client: InstanceType, context:
 return false
 }
- if (!commit.verification?.verified) {
+ if (!skipCommitVerification && !commit.verification?.verified) {
 // TODO: Promote to setFailed
 core.warning(
 "Dependabot's commit signature is not verified, refusing to proceed."
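Review bot: The new `skipCommitVerification` parameter is undocumented, and because it disables a security check its contract belongs at the signature rather than being left to the caller to infer. I'd add a TSDoc block above the `export`, e.g. `/** Returns the PR's commit message when the job is an authentic Dependabot PR, or false otherwise. @param skipCommitVerification - when true the commit-signature check is bypassed; the other authenticity checks in this function still run. */` — the "still run" clause is my reading of the `return false` guard visible above the second hunk and should be confirmed against the full body. A positional boolean default is also easy to pass by accident from a call site; an options object would make the intent visible where it is used, though that is a style preference. getMessage's body continues past this hunk.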
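Review bot: When `skipCommitVerification` is true the rewritten condition bypasses the signature check silently: the existing `core.warning` only fires on the refusal path, so a run that accepted an unverified commit leaves no trace in the job log. Because this is the trust decision the function exists for, the bypass should be recorded explicitly before the `if`, e.g. `if (skipCommitVerification) { core.warning('Skipping commit signature verification; the Dependabot commit is being trusted without a verified signature') }`, so anyone auditing workflow output can see the downgrade. Note that the skip covers both a missing verification payload and a payload with `verified: false`; that is worth stating in the warning text or in a comment on the condition so a future maintainer does not narrow it by accident. getMessage starts before and ends after this hunk.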