Merge pull request #137 from pangaeatech/use_author

Check PR Author instead of Action Actor
2026-03-13 18:17:13 -04:00 · 2022-02-21 15:59:18 +00:00
parent 37d2f784cd 17e334fb15
commit 4aac23922b
6 changed files with 21 additions and 18 deletions
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -6,7 +6,7 @@ permissions:
 jobs:
  dependabot:
    runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
    steps:
      - name: Check out code
        uses: actions/checkout@v2
--- a/README.md
+++ b/README.md
@@ -63,8 +63,8 @@ permissions:
 jobs:
  dependabot:
    runs-on: ubuntu-latest
-    # Checking the actor will prevent your Action run failing on non-Dependabot PRs
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    # Checking the author will prevent your Action run failing on non-Dependabot PRs
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: dependabot-metadata
@@ -94,7 +94,7 @@ permissions:
 jobs:
  dependabot:
    runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: dependabot-metadata
@@ -125,7 +125,7 @@ permissions:
 jobs:
  dependabot:
    runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: dependabot-metadata
--- a/dist/index.js
+++ b/dist/index.js
@@ -13368,9 +13368,9 @@ function getMessage(client, context) {
                'triggering this action on the `pull_request` or `pull_request_target` events.');
            return false;
        }
-        // Don't bother hitting the API if the event actor isn't Dependabot
-        if (context.actor !== DEPENDABOT_LOGIN) {
-            core.debug(`Event actor '${context.actor}' is not Dependabot.`);
+        // Don't bother hitting the API if the PR author isn't Dependabot
+        if (pr.user.login !== DEPENDABOT_LOGIN) {
+            core.debug(`PR author '${pr.user.login}' is not Dependabot.`);
            return false;
        }
        core.debug('Verifying the Pull Request contents are from Dependabot');
--- a/src/dependabot/verified_commits.test.ts
+++ b/src/dependabot/verified_commits.test.ts
@@ -29,7 +29,7 @@ test('it returns false for an event triggered by someone other than Dependabot',
  expect(await getMessage(mockGitHubClient, mockGitHubPullContext('jane-doe'))).toBe(false)

  expect(core.debug).toHaveBeenCalledWith(
-    expect.stringContaining("Event actor 'jane-doe' is not Dependabot.")
+    expect.stringContaining("PR author 'jane-doe' is not Dependabot.")
  )
 })

@@ -142,11 +142,14 @@ function mockGitHubOtherContext (): Context {
  return ctx
 }

-function mockGitHubPullContext (actor = 'dependabot[bot]'): Context {
+function mockGitHubPullContext (author = 'dependabot[bot]'): Context {
  const ctx = new Context()
  ctx.payload = {
    pull_request: {
-      number: 101
+      number: 101,
+      user: {
+        login: author
+      }
    },
    repository: {
      name: 'dependabot',
@@ -155,6 +158,5 @@ function mockGitHubPullContext (actor = 'dependabot[bot]'): Context {
      }
    }
  }
-  ctx.actor = actor
  return ctx
 }
--- a/src/dependabot/verified_commits.ts
+++ b/src/dependabot/verified_commits.ts
@@ -17,9 +17,9 @@ export async function getMessage (client: InstanceType<typeof GitHub>, context:
    return false
  }

-  // Don't bother hitting the API if the event actor isn't Dependabot
-  if (context.actor !== DEPENDABOT_LOGIN) {
-    core.debug(`Event actor '${context.actor}' is not Dependabot.`)
+  // Don't bother hitting the API if the PR author isn't Dependabot
+  if (pr.user.login !== DEPENDABOT_LOGIN) {
+    core.debug(`PR author '${pr.user.login}' is not Dependabot.`)
    return false
  }

--- a/src/dry-run.ts
+++ b/src/dry-run.ts
@@ -23,7 +23,10 @@ async function check (args: any): Promise<void> {
    // Convert the CLI args into a stubbed Webhook payload
    actionContext.payload = {
      pull_request: {
-        number: args.prNumber
+        number: args.prNumber,
+        user: {
+          login: 'dependabot[bot]'
+        }
      },
      repository: {
        owner: {
@@ -32,8 +35,6 @@ async function check (args: any): Promise<void> {
        name: repoDetails.repo
      }
    }
-    // Bypass the actor check for purpose of a dry run
-    actionContext.actor = 'dependabot[bot]'

    const githubClient = github.getOctokit(githubToken)