Merge branch 'main' into flag-security-alerts

This commit is contained in:
Michael Waddell
2022-02-21 17:41:40 -06:00
10 changed files with 904 additions and 888 deletions


@@ -1,5 +1,6 @@
name: CI
on:
workflow_dispatch:
push:
branches:
- main


@@ -6,7 +6,7 @@ permissions:
jobs:
dependabot:
runs-on: ubuntu-latest
if: ${{ github.actor == 'dependabot[bot]' }}
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
steps:
- name: Check out code
uses: actions/checkout@v2
@@ -20,5 +20,5 @@ jobs:
- name: Auto-merge
run: gh pr merge --auto --merge "$PR_URL"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
PR_URL: ${{ github.event.pull_request.html_url }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
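Review bot: The job-level `if` now keys on `github.event.pull_request.user.login`, a field that only exists on `pull_request`/`pull_request_target` payloads; on any other trigger the expression is empty, the comparison is false and the job silently skips, which fails in the safe direction but deserves a comment next to the condition, e.g. `# Only run for PRs authored by Dependabot; on non-PR events pull_request is unset and the job is skipped`. Note that the author check alone says nothing about who pushed the commits currently on the branch, so the Auto-merge step in the second hunk should stay behind the step that verifies the PR contents (this action's getMessage does that, per the dist/index.js section); lines 8–19 of the job are not in either hunk, so I cannot confirm the ordering here.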


@@ -32,7 +32,7 @@ Subsequent actions will have access to the following outputs:
- `steps.dependabot-metadata.outputs.dependency-names`
- A comma-separated list of the package names updated by the PR.
- `steps.dependabot-metadata.outputs.dependency-type`
- The type of dependency has determined this PR to be, e.g. `direct:production`. For all possible values, see [the `allow` documentation](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#allow).
- The type of dependency has determined this PR to be. Possible values are: `direct:production`, `direct:development` and `indirect`. See [the `allow` documentation](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#allow) for descriptions of each.
- `steps.dependabot-metadata.outputs.update-type`
- The highest semver change being made by this PR, e.g. `version-update:semver-major`. For all possible values, see [the `ignore` documentation](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#ignore).
- `steps.dependabot-metadata.outputs.updated-dependencies-json`
@@ -73,8 +73,8 @@ permissions:
jobs:
dependabot:
runs-on: ubuntu-latest
# Checking the actor will prevent your Action run failing on non-Dependabot PRs
if: ${{ github.actor == 'dependabot[bot]' }}
# Checking the author will prevent your Action run failing on non-Dependabot PRs
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
steps:
- name: Dependabot metadata
id: dependabot-metadata
@@ -104,7 +104,7 @@ permissions:
jobs:
dependabot:
runs-on: ubuntu-latest
if: ${{ github.actor == 'dependabot[bot]' }}
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
steps:
- name: Dependabot metadata
id: dependabot-metadata
@@ -135,7 +135,7 @@ permissions:
jobs:
dependabot:
runs-on: ubuntu-latest
if: ${{ github.actor == 'dependabot[bot]' }}
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
steps:
- name: Dependabot metadata
id: dependabot-metadata

dist/index.js generated vendored

@@ -13368,9 +13368,9 @@ function getMessage(client, context) {
'triggering this action on the `pull_request` or `pull_request_target` events.');
return false;
}
// Don't bother hitting the API if the event actor isn't Dependabot
if (context.actor !== DEPENDABOT_LOGIN) {
core.debug(`Event actor '${context.actor}' is not Dependabot.`);
// Don't bother hitting the API if the PR author isn't Dependabot
if (pr.user.login !== DEPENDABOT_LOGIN) {
core.debug(`PR author '${pr.user.login}' is not Dependabot.`);
return false;
}
core.debug('Verifying the Pull Request contents are from Dependabot');
@@ -13612,7 +13612,12 @@ function run() {
core.setFailed(`Api Error: (${error.status}) ${error.message}`);
return;
}
core.setFailed(error.message);
if (error instanceof Error) {
core.setFailed(error.message);
}
else {
core.setFailed('There was an unexpected error.');
}
}
});
}

package-lock.json generated



@@ -18,29 +18,29 @@
"author": "dependabot",
"license": "MIT",
"dependencies": {
"@actions/core": "^1.4.0",
"@actions/core": "^1.6.0",
"@actions/github": "^5.0.0",
"pluralize": "^8.0.0"
},
"devDependencies": {
"@types/jest": "^26.0.24",
"@types/node": "^16.4.10",
"@types/yargs": "^17.0.2",
"@typescript-eslint/eslint-plugin": "^4.29.0",
"@typescript-eslint/parser": "^4.29.0",
"@vercel/ncc": "^0.29.0",
"dotenv": "^10.0.0",
"@types/jest": "^27.4.0",
"@types/node": "^17.0.19",
"@types/yargs": "^17.0.8",
"@typescript-eslint/eslint-plugin": "^4.33.0",
"@typescript-eslint/parser": "^4.33.0",
"@vercel/ncc": "^0.33.3",
"dotenv": "^16.0.0",
"eslint": "^7.32.0",
"eslint-config-standard": "^16.0.3",
"eslint-plugin-import": "^2.23.4",
"eslint-plugin-import": "^2.25.4",
"eslint-plugin-node": "^11.1.0",
"eslint-plugin-promise": "^5.1.0",
"eslint-plugin-promise": "^6.0.0",
"jest": "^26.6.3",
"nock": "^13.1.1",
"nock": "^13.2.4",
"ts-jest": "^26.5.6",
"ts-node": "^10.1.0",
"typescript": "^4.3.5",
"ts-node": "^10.5.0",
"typescript": "^4.5.5",
"yaml": "^1.10.2",
"yargs": "^17.0.1"
"yargs": "^17.3.1"
}
}


@@ -29,7 +29,7 @@ test('it returns false for an event triggered by someone other than Dependabot',
expect(await getMessage(mockGitHubClient, mockGitHubPullContext('jane-doe'))).toBe(false)
expect(core.debug).toHaveBeenCalledWith(
expect.stringContaining("Event actor 'jane-doe' is not Dependabot.")
expect.stringContaining("PR author 'jane-doe' is not Dependabot.")
)
})
@@ -206,11 +206,14 @@ function mockGitHubOtherContext (): Context {
return ctx
}
function mockGitHubPullContext (actor = 'dependabot[bot]'): Context {
function mockGitHubPullContext (author = 'dependabot[bot]'): Context {
const ctx = new Context()
ctx.payload = {
pull_request: {
number: 101
number: 101,
user: {
login: author
}
},
repository: {
name: 'dependabot',
@@ -219,6 +222,5 @@ function mockGitHubPullContext (actor = 'dependabot[bot]'): Context {
}
}
}
ctx.actor = actor
return ctx
}
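Review bot: No test exercises a `pull_request` payload that lacks a `user` object, which is exactly the shape the new `pr.user.login` check in src would hit with a TypeError instead of the `false` return the first hunk asserts for a non-Dependabot author; adding a variant of `mockGitHubPullContext` whose payload omits `user` and asserting `toBe(false)` would pin that behaviour. The test description shown in the first hunk header, "it returns false for an event triggered by someone other than Dependabot", still describes the old actor-based check while the assertion now reads "PR author"; `test('it returns false for a PR authored by someone other than Dependabot', ...)` matches the code under test. Both test bodies start outside their hunks.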


@@ -18,9 +18,9 @@ export async function getMessage (client: InstanceType<typeof GitHub>, context:
return false
}
// Don't bother hitting the API if the event actor isn't Dependabot
if (context.actor !== DEPENDABOT_LOGIN) {
core.debug(`Event actor '${context.actor}' is not Dependabot.`)
// Don't bother hitting the API if the PR author isn't Dependabot
if (pr.user.login !== DEPENDABOT_LOGIN) {
core.debug(`PR author '${pr.user.login}' is not Dependabot.`)
return false
}
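Review bot: `pr.user.login` on the new `if` line dereferences `pr.user` without a guard; `payload.pull_request` in @actions/github's WebhookPayload is `any`-indexed beyond `number`, so the compiler will not object and a payload without a `user` object throws a TypeError here rather than returning false, and the check that ends two lines above the hunk presumably only confirms that `pull_request` itself is present. A one-token change fails closed instead: `if (pr.user?.login !== DEPENDABOT_LOGIN) {`, with the debug message updated to `pr.user?.login` to match. Because this path also runs under `pull_request_target`, a malformed payload should end in `return false`, not an unhandled exception. getMessage starts and ends outside the hunk, and the same lines appear in the generated dist/index.js section.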


@@ -23,7 +23,10 @@ async function check (args: any): Promise<void> {
// Convert the CLI args into a stubbed Webhook payload
actionContext.payload = {
pull_request: {
number: args.prNumber
number: args.prNumber,
user: {
login: 'dependabot[bot]'
}
},
repository: {
owner: {
@@ -32,8 +35,6 @@ async function check (args: any): Promise<void> {
name: repoDetails.repo
}
}
// Bypass the actor check for purpose of a dry run
actionContext.actor = 'dependabot[bot]'
const githubClient = github.getOctokit(githubToken)
@@ -65,7 +66,11 @@ async function check (args: any): Promise<void> {
process.exit(1)
}
} catch (exception) {
console.log(exception.message)
if (exception instanceof Error) {
console.log(exception.message)
} else {
console.log('There was an unexpected error.')
}
process.exit(1)
}
}
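Review bot: The stubbed `user.login` added in the first hunk replaces the `actionContext.actor` bypass removed in the second, but the explanatory comment was dropped with it, so the hard-coded `'dependabot[bot]'` now reads like real data; restore it above the `user:` key, e.g. `// Stubbed author: the dry run must pass the Dependabot-author pre-check before the PR is inspected`. In the last hunk, the `else` branch discards the thrown value when it is not an `Error`, leaving nothing to debug with; `console.log(\`There was an unexpected error: ${String(exception)}\`)` keeps at least its string form. run() in the following section has the same branch. check() starts outside these hunks.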


@@ -45,7 +45,11 @@ export async function run (): Promise<void> {
core.setFailed(`Api Error: (${error.status}) ${error.message}`)
return
}
core.setFailed(error.message)
if (error instanceof Error) {
core.setFailed(error.message)
} else {
core.setFailed('There was an unexpected error.')
}
}
}