feat: add option to skip internal verifications (#336)

Add a `skip-verification` (boolean) option: - If `true`, the action will not validate the user or the commit verification status - Defaults to `false` Allows for scenarios where users want to add or amend commits on the Dependabot PR, and those commits will not come from the :dependabot: user. There's a fair bit of discussion on this use case and also why this isn't the default behavior, see: * https://github.com/dependabot/fetch-metadata/pull/336 * https://github.com/dependabot/fetch-metadata/issues/332
2026-03-13 18:17:13 -04:00 · 2023-04-17 15:44:22 -04:00
parent 684ca1c3fd
commit 6c2bf2fe33
6 changed files with 50 additions and 18 deletions
--- a/src/dependabot/verified_commits.test.ts
+++ b/src/dependabot/verified_commits.test.ts
@@ -87,6 +87,25 @@ test('it returns the message if the commit is has no verification payload but ve
  expect(await getMessage(mockGitHubClient, mockGitHubPullContext(), true)).toEqual('Bump lodash from 1.0.0 to 2.0.0')
 })

+test('it returns the message when skip-verification is enabled', async () => {
+  jest.spyOn(core, 'getInput').mockReturnValue('true')
+
+  nock('https://api.github.com').get('/repos/dependabot/dependabot/pulls/101/commits')
+    .reply(200, [
+      {
+        author: {
+          login: 'myUser'
+        },
+        commit: {
+          message: 'Bump lodash from 1.0.0 to 2.0.0',
+          verification: false
+        }
+      }
+    ])
+
+  expect(await getMessage(mockGitHubClient, mockGitHubPullContext(), false, true)).toEqual('Bump lodash from 1.0.0 to 2.0.0')
+})
+
 test('it returns false if the commit is not verified', async () => {
  nock('https://api.github.com').get('/repos/dependabot/dependabot/pulls/101/commits')
    .reply(200, [
--- a/src/dependabot/verified_commits.ts
+++ b/src/dependabot/verified_commits.ts
@@ -6,8 +6,12 @@ import https from 'https'

 const DEPENDABOT_LOGIN = 'dependabot[bot]'

-export async function getMessage (client: InstanceType<typeof GitHub>, context: Context, skipCommitVerification = false): Promise<string | false> {
-  core.debug('Verifying the job is for an authentic Dependabot Pull Request')
+export async function getMessage (client: InstanceType<typeof GitHub>, context: Context, skipCommitVerification = false, skipVerification = false): Promise<string | false> {
+  if (skipVerification) {
+    core.debug('Skipping pull request verification')
+  } else {
+    core.debug('Verifying the job is for an authentic Dependabot Pull Request')
+  }

  const { pull_request: pr } = context.payload

@@ -19,14 +23,12 @@ export async function getMessage (client: InstanceType<typeof GitHub>, context:
    return false
  }

-  // Don't bother hitting the API if the PR author isn't Dependabot
-  if (pr.user.login !== DEPENDABOT_LOGIN) {
+  // Don't bother hitting the API if the PR author isn't Dependabot unless verification is disabled
+  if (!skipVerification && pr.user.login !== DEPENDABOT_LOGIN) {
    core.debug(`PR author '${pr.user.login}' is not Dependabot.`)
    return false
  }

-  core.debug('Verifying the Pull Request contents are from Dependabot')
-
  const { data: commits } = await client.rest.pulls.listCommits({
    owner: context.repo.owner,
    repo: context.repo.repo,
@@ -35,7 +37,7 @@ export async function getMessage (client: InstanceType<typeof GitHub>, context:

  const { commit, author } = commits[0]

-  if (author?.login !== DEPENDABOT_LOGIN) {
+  if (!skipVerification && author?.login !== DEPENDABOT_LOGIN) {
    // TODO: Promote to setFailed
    core.warning(
      'It looks like this PR was not created by Dependabot, refusing to proceed.'
@@ -43,7 +45,7 @@ export async function getMessage (client: InstanceType<typeof GitHub>, context:
    return false
  }

-  if (!skipCommitVerification && !commit.verification?.verified) {
+  if (!skipVerification && !skipCommitVerification && !commit.verification?.verified) {
    // TODO: Promote to setFailed
    core.warning(
      "Dependabot's commit signature is not verified, refusing to proceed."
--- a/src/main.ts
+++ b/src/main.ts
@@ -22,7 +22,7 @@ export async function run (): Promise<void> {
    const githubClient = github.getOctokit(token)

    // Validate the job
-    const commitMessage = await verifiedCommits.getMessage(githubClient, github.context, core.getBooleanInput('skip-commit-verification'))
+    const commitMessage = await verifiedCommits.getMessage(githubClient, github.context, core.getBooleanInput('skip-commit-verification'), core.getBooleanInput('skip-verification'))
    const branchNames = util.getBranchNames(github.context)
    let alertLookup: updateMetadata.alertLookup | undefined
    if (core.getInput('alert-lookup')) {