From 960d12589662ac9de627b2966faa14b783a64611 Mon Sep 17 00:00:00 2001
From: Michael Waddell
Date: Mon, 7 Feb 2022 11:24:33 -0600
Subject: [PATCH] Check PR Author instead of Action Actor closes issue #112
---
 .github/workflows/dependabot-auto-merge.yml | 2 +-
 README.md | 8 ++++----
 dist/index.js | 6 +++---
 src/dependabot/verified_commits.test.ts | 10 ++++++----
 src/dependabot/verified_commits.ts | 6 +++---
 src/dry-run.ts | 7 ++++---
 6 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 3ed4df5..4201012 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -6,7 +6,7 @@ permissions:
 jobs:
 dependabot:
 runs-on: ubuntu-latest
- if: ${{ github.actor == 'dependabot[bot]' }}
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
 steps:
 - name: Check out code
 uses: actions/checkout@v2
diff --git a/README.md b/README.md
index f2cee63..fea0e6a 100644
--- a/README.md
+++ b/README.md
@@ -57,8 +57,8 @@ permissions:
 jobs:
 dependabot:
 runs-on: ubuntu-latest
- # Checking the actor will prevent your Action run failing on non-Dependabot PRs
- if: ${{ github.actor == 'dependabot[bot]' }}
+ # Checking the author will prevent your Action run failing on non-Dependabot PRs
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
 steps:
 - name: Dependabot metadata
 id: dependabot-metadata
@@ -88,7 +88,7 @@ permissions:
 jobs:
 dependabot:
 runs-on: ubuntu-latest
- if: ${{ github.actor == 'dependabot[bot]' }}
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
 steps:
 - name: Dependabot metadata
 id: dependabot-metadata
@@ -119,7 +119,7 @@ permissions:
 jobs:
 dependabot:
 runs-on: ubuntu-latest
- if: ${{ github.actor == 'dependabot[bot]' }}
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
 steps:
 - name: Dependabot metadata
 id: dependabot-metadata
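Review bot: The new `if:` on the `dependabot` job in `.github/workflows/dependabot-auto-merge.yml` identifies who opened the pull request, not who authored the commits on it, so it should be documented as a skip filter rather than a trust check. The PR author stays `dependabot[bot]` when someone with push access adds commits to the Dependabot branch, and the job still runs for that mixed content; the steps after `actions/checkout@v2` are outside this hunk, so whether they verify the commits cannot be seen here. I would add a comment above the condition such as `# Filters out non-Dependabot PRs only; commit provenance must be verified by the steps below`. `github.event.pull_request` is populated only for pull-request events, which is worth stating next to the trigger (not visible in this hunk).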
diff --git a/dist/index.js b/dist/index.js
index da130ba..5662c8e 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -13368,9 +13368,9 @@ function getMessage(client, context) { 'triggering this action on the `pull_request` or `pull_request_target` events.'); return false; } - // Don't bother hitting the API if the event actor isn't Dependabot - if (context.actor !== DEPENDABOT_LOGIN) { - core.debug(`Event actor '${context.actor}' is not Dependabot.`); + // Don't bother hitting the API if the PR author isn't Dependabot + if (pr.user.login !== DEPENDABOT_LOGIN) { + core.debug(`PR author '${pr.user.login}' is not Dependabot.`); return false; } core.debug('Verifying the Pull Request contents are from Dependabot');
diff --git a/src/dependabot/verified_commits.test.ts b/src/dependabot/verified_commits.test.ts
index f143706..41e8f95 100644
--- a/src/dependabot/verified_commits.test.ts
+++ b/src/dependabot/verified_commits.test.ts
@@ -29,7 +29,7 @@ test('it returns false for an event triggered by someone other than Dependabot',
 expect(await getMessage(mockGitHubClient, mockGitHubPullContext('jane-doe'))).toBe(false)
 expect(core.debug).toHaveBeenCalledWith(
- expect.stringContaining("Event actor 'jane-doe' is not Dependabot.")
+ expect.stringContaining("PR author 'jane-doe' is not Dependabot.")
 )
 })
@@ -142,11 +142,14 @@ function mockGitHubOtherContext (): Context {
 return ctx
 }
-function mockGitHubPullContext (actor = 'dependabot[bot]'): Context {
+function mockGitHubPullContext (author = 'dependabot[bot]'): Context {
 const ctx = new Context()
 ctx.payload = {
 pull_request: {
- number: 101
+ number: 101,
+ user: {
+ login: author
+ }
 },
 repository: {
 name: 'dependabot',
@@ -155,6 +158,5 @@ function mockGitHubPullContext (actor = 'dependabot[bot]'): Context {
 }
 }
 }
- ctx.actor = actor
 return ctx
 }
diff --git a/src/dependabot/verified_commits.ts b/src/dependabot/verified_commits.ts
index 976a0cd..677a94a 100644
--- a/src/dependabot/verified_commits.ts
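Review bot: The suite in `src/dependabot/verified_commits.test.ts` no longer exercises the case this commit exists for, where the event actor and the PR author differ: `mockGitHubPullContext` in the hunk at `-142,11 +142,14` drops the `actor` parameter, and the hunk at `-155,6 +158,5` removes `ctx.actor = actor` entirely. A regression test that sets `ctx.actor = 'dependabot[bot]'` on a context built with `mockGitHubPullContext('jane-doe')` and expects `getMessage` to return `false` would pin the new behaviour. A payload whose `pull_request` carries no `user` is also untested. The test title visible in the first hunk header, 'triggered by someone other than Dependabot', now describes the author rather than the trigger and could be reworded.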
+++ b/src/dependabot/verified_commits.ts
@@ -17,9 +17,9 @@ export async function getMessage (client: InstanceType, context:
 return false
 }
- // Don't bother hitting the API if the event actor isn't Dependabot
- if (context.actor !== DEPENDABOT_LOGIN) {
- core.debug(`Event actor '${context.actor}' is not Dependabot.`)
+ // Don't bother hitting the API if the PR author isn't Dependabot
+ if (pr.user.login !== DEPENDABOT_LOGIN) {
+ core.debug(`PR author '${pr.user.login}' is not Dependabot.`)
 return false
 }
diff --git a/src/dry-run.ts b/src/dry-run.ts
index b8397a4..3ecaa35 100755
--- a/src/dry-run.ts
+++ b/src/dry-run.ts
@@ -23,7 +23,10 @@ async function check (args: any): Promise {
 // Convert the CLI args into a stubbed Webhook payload
 actionContext.payload = {
 pull_request: {
- number: args.prNumber
+ number: args.prNumber,
+ user: {
+ login: 'dependabot[bot]'
+ }
 },
 repository: {
 owner: {
@@ -32,8 +35,6 @@ async function check (args: any): Promise {
 name: repoDetails.repo
 }
 }
- // Bypass the actor check for purpose of a dry run
- actionContext.actor = 'dependabot[bot]'
 const githubClient = github.getOctokit(githubToken)
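Review bot: `pr.user.login` in the new guard of `getMessage` is dereferenced without checking that the payload carries a `user` object, so a `pull_request` payload without one makes the guard throw a TypeError instead of returning `false`. The dry-run script in this same commit starts stubbing `user`, presumably for that reason, which suggests partial payloads do reach this function. Optional chaining keeps the fail-closed result: `if (pr.user?.login !== DEPENDABOT_LOGIN) {`, with the same `pr.user?.login` inside the debug message. The definition of `pr` and the rest of `getMessage` are outside this hunk, and `dist/index.js` would need rebuilding to match.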
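Review bot: The stubbed `user: { login: 'dependabot[bot]' }` in `check` in `src/dry-run.ts` replaces the real PR author with a constant, and the comment that used to explain this bypass is deleted in the hunk at `-32,8 +35,6` without a replacement. A dry run against a PR opened by someone else will therefore pass the author guard that the action itself would fail, which a reader cannot tell from the new code. I would put `// Stub the PR author as Dependabot so the dry run bypasses the author check` above the `user` property. The body of `check` starts and ends outside both hunks.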