Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add support to dependabot's compatibility score #287

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,10 @@ An example of a non-semantic version is a commit hash when using git submodules.

_Optional_ A pull request number, only required if triggered from a workflow_dispatch event. Typically this would be triggered by a script running in a seperate CI provider. See [Trigger action from workflow_dispatch event](#trigger-action-from-workflow_dispatch-event)

### `compatibility-score`

_Optional_ A minimum [Compatibility score](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-compatibility-scores) needed for the PR to be merged.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
_Optional_ A minimum [Compatibility score](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-compatibility-scores) needed for the PR to be merged.
_Optional_ A minimum [Compatibility score](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-compatibility-scores) needed for the PR to be merged. The check will be skipped if the dependabot's PR does not include the compatibility score.


## Usage

Configure this action in your workflows providing the inputs described above.
Expand Down
6 changes: 6 additions & 0 deletions action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,9 @@ inputs:
pr-number:
description: 'A pull request number, only required if triggered from a workflow_dispatch event'
required: false
compatibility-score:
description: 'The minimum compatibility score required for the PR to be merged (0-100)'
required: false

runs:
using: 'composite'
Expand All @@ -36,6 +39,8 @@ runs:
id: dependabot-metadata
uses: dependabot/fetch-metadata@v1
if: ${{ github.actor == 'dependabot[bot]' }}
with:
compat-lookup: true
- name: Merge/approve PR
uses: actions/github-script@v6
if: ${{ github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' }}
Expand All @@ -51,6 +56,7 @@ runs:
updateType: '${{ steps.dependabot-metadata.outputs.update-type }}',
dependencyType:'${{ steps.dependabot-metadata.outputs.dependency-type }}',
dependencyNames: '${{ steps.dependabot-metadata.outputs.dependency-names }}',
compatibilityScore: '${{ steps.dependabot-metadata.outputs.compatibility-score }}',
}
})

Expand Down
73 changes: 37 additions & 36 deletions dist/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -140,6 +140,7 @@ const file_command_1 = __nccwpck_require__(717);
const utils_1 = __nccwpck_require__(278);
const os = __importStar(__nccwpck_require__(37));
const path = __importStar(__nccwpck_require__(17));
const uuid_1 = __nccwpck_require__(974);
const oidc_utils_1 = __nccwpck_require__(41);
/**
* The code to exit an action
Expand Down Expand Up @@ -169,9 +170,20 @@ function exportVariable(name, val) {
process.env[name] = convertedVal;
const filePath = process.env['GITHUB_ENV'] || '';
if (filePath) {
return file_command_1.issueFileCommand('ENV', file_command_1.prepareKeyValueMessage(name, val));
const delimiter = `ghadelimiter_${uuid_1.v4()}`;
// These should realistically never happen, but just in case someone finds a way to exploit uuid generation let's not allow keys or values that contain the delimiter.
if (name.includes(delimiter)) {
throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`);
}
if (convertedVal.includes(delimiter)) {
throw new Error(`Unexpected input: value should not contain the delimiter "${delimiter}"`);
}
const commandValue = `${name}<<${delimiter}${os.EOL}${convertedVal}${os.EOL}${delimiter}`;
file_command_1.issueCommand('ENV', commandValue);
}
else {
command_1.issueCommand('set-env', { name }, convertedVal);
}
command_1.issueCommand('set-env', { name }, convertedVal);
}
exports.exportVariable = exportVariable;
/**
Expand All @@ -189,7 +201,7 @@ exports.setSecret = setSecret;
function addPath(inputPath) {
const filePath = process.env['GITHUB_PATH'] || '';
if (filePath) {
file_command_1.issueFileCommand('PATH', inputPath);
file_command_1.issueCommand('PATH', inputPath);
}
else {
command_1.issueCommand('add-path', {}, inputPath);
Expand Down Expand Up @@ -229,10 +241,7 @@ function getMultilineInput(name, options) {
const inputs = getInput(name, options)
.split('\n')
.filter(x => x !== '');
if (options && options.trimWhitespace === false) {
return inputs;
}
return inputs.map(input => input.trim());
return inputs;
}
exports.getMultilineInput = getMultilineInput;
/**
Expand Down Expand Up @@ -265,12 +274,8 @@ exports.getBooleanInput = getBooleanInput;
*/
// eslint-disable-next-line @typescript-eslint/no-explicit-any
function setOutput(name, value) {
const filePath = process.env['GITHUB_OUTPUT'] || '';
if (filePath) {
return file_command_1.issueFileCommand('OUTPUT', file_command_1.prepareKeyValueMessage(name, value));
}
process.stdout.write(os.EOL);
command_1.issueCommand('set-output', { name }, utils_1.toCommandValue(value));
command_1.issueCommand('set-output', { name }, value);
}
exports.setOutput = setOutput;
/**
Expand Down Expand Up @@ -399,11 +404,7 @@ exports.group = group;
*/
// eslint-disable-next-line @typescript-eslint/no-explicit-any
function saveState(name, value) {
const filePath = process.env['GITHUB_STATE'] || '';
if (filePath) {
return file_command_1.issueFileCommand('STATE', file_command_1.prepareKeyValueMessage(name, value));
}
command_1.issueCommand('save-state', { name }, utils_1.toCommandValue(value));
command_1.issueCommand('save-state', { name }, value);
}
exports.saveState = saveState;
/**
Expand Down Expand Up @@ -469,14 +470,13 @@ var __importStar = (this && this.__importStar) || function (mod) {
return result;
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.prepareKeyValueMessage = exports.issueFileCommand = void 0;
exports.issueCommand = void 0;
// We use any as a valid input type
/* eslint-disable @typescript-eslint/no-explicit-any */
const fs = __importStar(__nccwpck_require__(147));
const os = __importStar(__nccwpck_require__(37));
const uuid_1 = __nccwpck_require__(974);
const utils_1 = __nccwpck_require__(278);
function issueFileCommand(command, message) {
function issueCommand(command, message) {
const filePath = process.env[`GITHUB_${command}`];
if (!filePath) {
throw new Error(`Unable to find environment variable for file command ${command}`);
Expand All @@ -488,22 +488,7 @@ function issueFileCommand(command, message) {
encoding: 'utf8'
});
}
exports.issueFileCommand = issueFileCommand;
function prepareKeyValueMessage(key, value) {
const delimiter = `ghadelimiter_${uuid_1.v4()}`;
const convertedValue = utils_1.toCommandValue(value);
// These should realistically never happen, but just in case someone finds a
// way to exploit uuid generation let's not allow keys or values that contain
// the delimiter.
if (key.includes(delimiter)) {
throw new Error(`Unexpected input: name should not contain the delimiter "${delimiter}"`);
}
if (convertedValue.includes(delimiter)) {
throw new Error(`Unexpected input: value should not contain the delimiter "${delimiter}"`);
}
return `${key}<<${delimiter}${os.EOL}${convertedValue}${os.EOL}${delimiter}`;
}
exports.prepareKeyValueMessage = prepareKeyValueMessage;
exports.issueCommand = issueCommand;
//# sourceMappingURL=file-command.js.map

/***/ }),
Expand Down Expand Up @@ -2760,6 +2745,7 @@ module.exports = async function run({
APPROVE_ONLY,
TARGET,
PR_NUMBER,
COMPATIBILITY_SCORE,
} = getInputs(inputs)

try {
Expand Down Expand Up @@ -2794,6 +2780,20 @@ module.exports = async function run({
)
}

const targetScore = +COMPATIBILITY_SCORE
const compatScore = +dependabotMetadata.compatibilityScore

if (
!isNaN(targetScore) &&
!isNaN(compatScore) &&
compatScore < targetScore
) {
core.setFailed(
`Compatibility score is lower than allowed. Expected at least ${targetScore} but received ${compatScore}`
)
return
}

if (
TARGET !== updateTypes.any &&
updateTypesPriority.indexOf(updateType) >
Expand Down Expand Up @@ -3056,6 +3056,7 @@ exports.getInputs = inputs => {
APPROVE_ONLY: /true/i.test(inputs['approve-only']),
TARGET: mapUpdateType(inputs['target']),
PR_NUMBER: inputs['pr-number'],
COMPATIBILITY_SCORE: inputs['compatibility-score'],
}
}

Expand Down
15 changes: 15 additions & 0 deletions src/action.js
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ module.exports = async function run({
APPROVE_ONLY,
TARGET,
PR_NUMBER,
COMPATIBILITY_SCORE,
} = getInputs(inputs)

try {
Expand Down Expand Up @@ -64,6 +65,20 @@ module.exports = async function run({
)
}

const targetScore = +COMPATIBILITY_SCORE
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

moved the coercion to the input utility

Suggested change
const targetScore = +COMPATIBILITY_SCORE
const targetScore = COMPATIBILITY_SCORE

const compatScore = +dependabotMetadata.compatibilityScore

if (
!isNaN(targetScore) &&
!isNaN(compatScore) &&
compatScore < targetScore
) {
core.setFailed(
`Compatibility score is lower than allowed. Expected at least ${targetScore} but received ${compatScore}`
)
return
}

if (
TARGET !== updateTypes.any &&
updateTypesPriority.indexOf(updateType) >
Expand Down
1 change: 1 addition & 0 deletions src/util.js
Original file line number Diff line number Diff line change
Expand Up @@ -45,5 +45,6 @@ exports.getInputs = inputs => {
APPROVE_ONLY: /true/i.test(inputs['approve-only']),
TARGET: mapUpdateType(inputs['target']),
PR_NUMBER: inputs['pr-number'],
COMPATIBILITY_SCORE: inputs['compatibility-score'],
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
COMPATIBILITY_SCORE: inputs['compatibility-score'],
COMPATIBILITY_SCORE: Number(inputs['compatibility-score']),

}
}
93 changes: 93 additions & 0 deletions test/action.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -466,3 +466,96 @@ tap.test('should forbid minor when target is patch', async () => {
sinon.assert.notCalled(stubs.approveStub)
sinon.assert.notCalled(stubs.mergeStub)
})

tap.test(
'should not allow merge with compatibility score lower than target score',
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since in documentation stated "security updates may include compatibility scores", I would also add test for case when compat score is not provided

async () => {
const PR_NUMBER = Math.random()

const { action, stubs } = buildStubbedAction({
payload: {
pull_request: {
number: PR_NUMBER,
user: { login: BOT_NAME },
},
},
inputs: {
PR_NUMBER,
'compatibility-score': 90,
},
dependabotMetadata: createDependabotMetadata({
updateType: updateTypes.minor,
compatibilityScore: 80,
}),
})

await action()

sinon.assert.calledWithExactly(
stubs.coreStub.setFailed,
`Compatibility score is lower than allowed. Expected at least 90 but received 80`
)
sinon.assert.notCalled(stubs.approveStub)
sinon.assert.notCalled(stubs.mergeStub)
}
)

tap.test(
'should allow merge with compatibility score higher than target score',
async () => {
const PR_NUMBER = Math.random()

const { action, stubs } = buildStubbedAction({
payload: {
pull_request: {
number: PR_NUMBER,
user: { login: BOT_NAME },
},
},
inputs: {
PR_NUMBER,
'compatibility-score': 90,
},
dependabotMetadata: createDependabotMetadata({
updateType: updateTypes.minor,
compatibilityScore: 91,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could it be a float?

Suggested change
compatibilityScore: 91,
compatibilityScore: '90.9',

}),
})

await action()

sinon.assert.notCalled(stubs.coreStub.setFailed)
sinon.assert.called(stubs.approveStub)
sinon.assert.called(stubs.mergeStub)
}
)

tap.test(
'should allow merge when compatScore is equal to targetScore',
async () => {
const PR_NUMBER = Math.random()

const { action, stubs } = buildStubbedAction({
payload: {
pull_request: {
number: PR_NUMBER,
user: { login: BOT_NAME },
},
},
inputs: {
PR_NUMBER,
'compatibility-score': 90,
},
dependabotMetadata: createDependabotMetadata({
updateType: updateTypes.minor,
compatibilityScore: 90,
}),
})

await action()

sinon.assert.notCalled(stubs.coreStub.setFailed)
sinon.assert.called(stubs.approveStub)
sinon.assert.called(stubs.mergeStub)
}
)
10 changes: 10 additions & 0 deletions test/util.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,16 @@ tap.test('getInputs', async t => {
t.test('PR_NUMBER', async t => {
t.equal(getInputs({ 'pr-number': '10' }).PR_NUMBER, '10')
})
t.test('COMPATIBILITY_SCORE', async t => {
t.equal(
getInputs({ 'compatibility-score': '10' }).COMPATIBILITY_SCORE,
'10'
)
t.equal(
getInputs({ 'compatibility-score': '10' }).COMPATIBILITY_SCORE,
'10'
)
})
}
)
})