Merge pull request #225 from dependabot/brrygrdn/skip-commit-verification

Add 'skip-commit-verification' as an input for GitHub Enterprise Server users
2026-03-13 18:17:13 -04:00 · 2022-06-30 15:57:39 +01:00
parent a7c13a83a6 6c87543e47
commit cfb7274558
7 changed files with 31 additions and 6 deletions
--- a/README.md
+++ b/README.md
@@ -41,6 +41,9 @@ Supported inputs are:
 - `compat-lookup` (boolean)
  - If `true`, then populate the `compatibility-score` output.
  - Defaults to `false`
+- `skip-commit-verification` (boolean)
+  - If `true`, then the action will not expect the commits to have a verification signature. **It is required to set this to 'true' in GitHub Enterprise Server**
+  - Defaults to `false`

 Subsequent actions will have access to the following outputs:

--- a/action.yml
+++ b/action.yml
@@ -13,6 +13,10 @@ inputs:
  github-token:
    description: 'The GITHUB_TOKEN secret'
    default: ${{ github.token }}
+  skip-commit-verification:
+    type: boolean
+    description: 'If true, the action will not expect Dependabot commits to be verified. This should be set as 'true' in GHES environments.'
+    default: false
 outputs:
  dependency-names:
    description: 'A comma-separated list of all package names updated.'
--- a/dist/index.js
+++ b/dist/index.js
@@ -9065,7 +9065,7 @@ exports.getCompatibility = exports.trimSlashes = exports.getAlert = exports.getM
 const core = __importStar(__nccwpck_require__(2186));
 const https_1 = __importDefault(__nccwpck_require__(5687));
 const DEPENDABOT_LOGIN = 'dependabot[bot]';
-function getMessage(client, context) {
+function getMessage(client, context, skipCommitVerification = false) {
    var _a;
    return __awaiter(this, void 0, void 0, function* () {
        core.debug('Verifying the job is for an authentic Dependabot Pull Request');
@@ -9092,7 +9092,7 @@ function getMessage(client, context) {
            core.warning('It looks like this PR was not created by Dependabot, refusing to proceed.');
            return false;
        }
-        if (!((_a = commit.verification) === null || _a === void 0 ? void 0 : _a.verified)) {
+        if (!skipCommitVerification && !((_a = commit.verification) === null || _a === void 0 ? void 0 : _a.verified)) {
            // TODO: Promote to setFailed
            core.warning("Dependabot's commit signature is not verified, refusing to proceed.");
            return false;
@@ -9216,7 +9216,7 @@ function run() {
        try {
            const githubClient = github.getOctokit(token);
            // Validate the job
-            const commitMessage = yield verifiedCommits.getMessage(githubClient, github.context);
+            const commitMessage = yield verifiedCommits.getMessage(githubClient, github.context, core.getBooleanInput('skip-commit-verification'));
            const branchNames = util.getBranchNames(github.context);
            let alertLookup;
            if (core.getInput('alert-lookup')) {
--- a/src/dependabot/verified_commits.test.ts
+++ b/src/dependabot/verified_commits.test.ts
@@ -70,6 +70,23 @@ test('it returns false if the commit is has no verification payload', async () =
  expect(await getMessage(mockGitHubClient, mockGitHubPullContext())).toBe(false)
 })

+test('it returns the message if the commit is has no verification payload but verification is skipped', async () => {
+  nock('https://api.github.com').get('/repos/dependabot/dependabot/pulls/101/commits')
+    .reply(200, [
+      {
+        author: {
+          login: 'dependabot[bot]'
+        },
+        commit: {
+          message: 'Bump lodash from 1.0.0 to 2.0.0',
+          verification: null
+        }
+      }
+    ])
+
+  expect(await getMessage(mockGitHubClient, mockGitHubPullContext(), true)).toEqual('Bump lodash from 1.0.0 to 2.0.0')
+})
+
 test('it returns false if the commit is not verified', async () => {
  nock('https://api.github.com').get('/repos/dependabot/dependabot/pulls/101/commits')
    .reply(200, [
--- a/src/dependabot/verified_commits.ts
+++ b/src/dependabot/verified_commits.ts
@@ -6,7 +6,7 @@ import https from 'https'

 const DEPENDABOT_LOGIN = 'dependabot[bot]'

-export async function getMessage (client: InstanceType<typeof GitHub>, context: Context): Promise<string | false> {
+export async function getMessage (client: InstanceType<typeof GitHub>, context: Context, skipCommitVerification = false): Promise<string | false> {
  core.debug('Verifying the job is for an authentic Dependabot Pull Request')

  const { pull_request: pr } = context.payload
@@ -43,7 +43,7 @@ export async function getMessage (client: InstanceType<typeof GitHub>, context:
    return false
  }

-  if (!commit.verification?.verified) {
+  if (!skipCommitVerification && !commit.verification?.verified) {
    // TODO: Promote to setFailed
    core.warning(
      "Dependabot's commit signature is not verified, refusing to proceed."
--- a/src/main.test.ts
+++ b/src/main.test.ts
@@ -10,6 +10,7 @@ beforeEach(() => {
  jest.spyOn(core, 'info').mockImplementation(jest.fn())
  jest.spyOn(core, 'setFailed').mockImplementation(jest.fn())
  jest.spyOn(core, 'startGroup').mockImplementation(jest.fn())
+  jest.spyOn(core, 'getBooleanInput').mockReturnValue(false)
 })

 test('it early exits with an error if github-token is not set', async () => {
--- a/src/main.ts
+++ b/src/main.ts
@@ -22,7 +22,7 @@ export async function run (): Promise<void> {
    const githubClient = github.getOctokit(token)

    // Validate the job
-    const commitMessage = await verifiedCommits.getMessage(githubClient, github.context)
+    const commitMessage = await verifiedCommits.getMessage(githubClient, github.context, core.getBooleanInput('skip-commit-verification'))
    const branchNames = util.getBranchNames(github.context)
    let alertLookup: updateMetadata.alertLookup | undefined
    if (core.getInput('alert-lookup')) {