Allow fetch-metadata to run on a PR even if it has additional commits…

…, as long as the 0th one was added by dependabot and is verified.
dependabot · Feb 26, 2022 · 4a87565 · 4a87565
1 parent 4f2f276
commit 4a87565
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 47 deletions.
diff --git a/dist/index.js b/dist/index.js
diff --git a/src/dependabot/verified_commits.test.ts b/src/dependabot/verified_commits.test.ts
@@ -33,28 +33,6 @@ test('it returns false for an event triggered by someone other than Dependabot',
   )
 })
 
-test('it returns false if there is more than 1 commit', async () => {
-  nock('https://api.github.com').get('/repos/dependabot/dependabot/pulls/101/commits')
-    .reply(200, [
-      {
-        commit: {
-          message: 'Bump lodash from 1.0.0 to 2.0.0'
-        }
-      },
-      {
-        commit: {
-          message: 'Add some more things.'
-        }
-      }
-    ])
-
-  expect(await getMessage(mockGitHubClient, mockGitHubPullContext())).toBe(false)
-
-  expect(core.warning).toHaveBeenCalledWith(
-    expect.stringContaining("It looks like this PR has contains commits that aren't part of a Dependabot update.")
-  )
-})
-
 test('it returns false if the commit was authored by someone other than Dependabot', async () => {
   nock('https://api.github.com').get('/repos/dependabot/dependabot/pulls/101/commits')
     .reply(200, [
@@ -71,7 +49,7 @@ test('it returns false if the commit was authored by someone other than Dependab
   expect(await getMessage(mockGitHubClient, mockGitHubPullContext())).toBe(false)
 
   expect(core.warning).toHaveBeenCalledWith(
-    expect.stringContaining("It looks like this PR has contains commits that aren't part of a Dependabot update.")
+    expect.stringContaining("It looks like this PR was not created by Dependabot, refusing to proceed.")
   )
 })
 
@@ -124,6 +102,11 @@ test('it returns the commit message for a PR authored exclusively by Dependabot
             verified: true
           }
         }
+      },
+      {
+        commit: {
+          message: 'Add some more things.'
+        }
       }
     ])
 

diff --git a/src/dependabot/verified_commits.ts b/src/dependabot/verified_commits.ts
@@ -32,15 +32,13 @@ export async function getMessage (client: InstanceType<typeof GitHub>, context:
     pull_number: pr.number
   })
 
-  if (commits.length > 1) {
-    warnOtherCommits()
-    return false
-  }
-
   const { commit, author } = commits[0]
 
   if (author?.login !== DEPENDABOT_LOGIN) {
-    warnOtherCommits()
+    // TODO: Promote to setFailed
+    core.warning(
+      'It looks like this PR was not created by Dependabot, refusing to proceed.'
+    )
     return false
   }
 
@@ -55,14 +53,6 @@ export async function getMessage (client: InstanceType<typeof GitHub>, context:
   return commit.message
 }
 
-function warnOtherCommits (): void {
-  core.warning(
-    "It looks like this PR has contains commits that aren't part of a Dependabot update. " +
-      "Try using '@dependabot rebase' to remove merge commits or '@dependabot recreate' to remove " +
-        'any non-Dependabot changes.'
-  )
-}
-
 export async function getAlert (name: string, version: string, directory: string, client: InstanceType<typeof GitHub>, context: Context): Promise<dependencyAlert> {
   const alerts: any = await client.graphql(`
      {