Add option to skip verifying the dependabot user internally
#332
Comments
I'm going to run this by the team internally to see what folks think...

I think that the only downside of implementing this is that we will need to release a new breaking version and inform the users about it. Other than that, I assume that most users will copy/paste the examples.
From @brrygrdn via slack:

On the surface that makes sense to me, I hadn't even considered the case of someone tacking on additional commits to an existing Dependabot PR. However, the funky part is that the logic is not checking the author of the last commit, it's checking the PR author: `fetch-metadata/src/dependabot/verified_commits.ts`, lines 22 to 25 in 173b40e.

And on the flip side, only checking the PR author makes sense for the cases where someone has automation for an additional commit on every PR, such as using https://github.com/jonabc/licensed-ci. So that kinda prevents us fully switching to checking the latest commit author rather than PR author. That said, I'm still fine with leaving the existing check for defensive purposes, but it does mean we could probably loosen the API over in #331 from specifying a custom user to a simple on/off of enforcing the in-code check. @brrygrdn feel free to add more comments if I'm misunderstanding or overlooking something.
For a data point, I've occasionally manually combined the changes from multiple Dependabot PRs in cases where it doesn't make sense for the individual package updates to be applied separately (e.g.

Add a `skip-verification` (boolean) option:
- If `true`, the action will not validate the user or the commit verification status
- Defaults to `false`

Allows for scenarios where users want to add or amend commits on the Dependabot PR, and those commits will not come from the user. There's a fair bit of discussion on this use case and also why this isn't the default behavior, see:
* #336
* #332
Fixed by #336
@yeikel pointed out that we don't need to do the internal check within the action if we recommend on the Readme that users check the user before executing the action:
I think this is the reason the check exists within the code... the concern is that users may not realize they need to set that, and so may fire off spurious requests... so it's defensive coding to protect the API from ignorant/careless users.
That said, I agree the volume of calls here is probably pretty low, so it may be fine to remove this... 🤷♂️
Removing it would simplify the code / config complexity since the `DEPENDABOT_LOGIN` const and associated logic of letting users customize the user simply disappears...
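As an added example (not from the issue thread or the project's own README), this is the workflow-level gate that the suggestion above relies on: the job only runs for pull requests opened by Dependabot, so the action's internal user check can be turned off with `skip-verification: true` without exposing the API to the spurious calls the thread is worried about. The `VERSION_TAG` ref is a placeholder assumption; pin it to a real release.

```yaml
name: Dependabot metadata

on: pull_request

permissions:
  contents: read
  pull-requests: read

jobs:
  fetch-metadata:
    runs-on: ubuntu-latest
    # Defensive check kept in the workflow instead of inside the action:
    # the job runs only when the PR itself was opened by Dependabot.
    # Gating on the PR author (not github.actor) still admits PRs where a
    # human or another bot pushed an extra commit, the use case discussed
    # in this thread, while never running for arbitrary contributor PRs.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        # VERSION_TAG is a placeholder assumption; pin to a released tag.
        uses: dependabot/fetch-metadata@VERSION_TAG
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          # Skip the action's own PR-author / commit-verification check;
          # the job-level `if` above already enforces the author.
          skip-verification: true
      - name: Show what the action resolved
        run: |
          echo "dependency-names=${{ steps.metadata.outputs.dependency-names }}"
          echo "update-type=${{ steps.metadata.outputs.update-type }}"
```

Without the job-level `if`, setting `skip-verification: true` would let the action run, and call the API, for every pull request in the repository, which is exactly the careless-user case the internal check was guarding against.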