From 592101e99540be908da10b34af86772e74c67b71 Mon Sep 17 00:00:00 2001
From: Michael Waddell
Date: Fri, 25 Feb 2022 22:08:27 -0600
Subject: [PATCH 1/3] Updated README to reference correct version

---
 README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 82c6a6ce..a8dd8112 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ Extract information about the dependencies being updated by a Dependabot-generat
 ## Usage instructions
-Create a workflow file that contains a step that uses: `dependabot/fetch-metadata@v1.1.1`, e.g.
+Create a workflow file that contains a step that uses: `dependabot/fetch-metadata@v1.2.1`, e.g.
 ```yaml
 -- .github/workflows/dependabot-prs.yml
@@ -22,7 +22,7 @@ jobs:
 steps:
 - name: Fetch Dependabot metadata
 id: dependabot-metadata
- uses: dependabot/fetch-metadata@v1.1.1
+ uses: dependabot/fetch-metadata@v1.2.1
 with:
 github-token: "${{ secrets.GITHUB_TOKEN }}"
 alert-lookup: true
@@ -87,7 +87,7 @@ jobs:
 steps:
 - name: Dependabot metadata
 id: dependabot-metadata
- uses: dependabot/fetch-metadata@v1.1.1
+ uses: dependabot/fetch-metadata@v1.2.1
 with:
 github-token: "${{ secrets.GITHUB_TOKEN }}"
 - name: Approve a PR
@@ -117,7 +117,7 @@ jobs:
 steps:
 - name: Dependabot metadata
 id: dependabot-metadata
- uses: dependabot/fetch-metadata@v1.1.1
+ uses: dependabot/fetch-metadata@v1.2.1
 with:
 github-token: "${{ secrets.GITHUB_TOKEN }}"
 - name: Enable auto-merge for Dependabot PRs
@@ -148,7 +148,7 @@ jobs:
 steps:
 - name: Dependabot metadata
 id: dependabot-metadata
- uses: dependabot/fetch-metadata@v1.1.1
+ uses: dependabot/fetch-metadata@v1.2.1
 with:
 github-token: "${{ secrets.GITHUB_TOKEN }}"
 - name: Add a label for all production dependencies

From 4a8756595b97b6b1817fab0722c46dd030028cea Mon Sep 17 00:00:00 2001
From: Michael Waddell
Date: Sat, 26 Feb 2022 13:40:40 -0600
Subject: [PATCH 2/3] Allow fetch-metadata to run on a PR even if it has additional commits, as long as the 0th one was added by dependabot and is verified.

---
 dist/index.js | 12 ++--------
 src/dependabot/verified_commits.test.ts | 29 +++++--------------------
 src/dependabot/verified_commits.ts | 18 ++++-----------
 3 files changed, 12 insertions(+), 47 deletions(-)

diff --git a/dist/index.js b/dist/index.js
index 78b8840e..bf0735f8 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -9152,13 +9152,10 @@ function getMessage(client, context) {
 repo: context.repo.repo,
 pull_number: pr.number
 });
- if (commits.length > 1) {
- warnOtherCommits();
- return false;
- }
 const { commit, author } = commits[0];
 if ((author === null || author === void 0 ? void 0 : author.login) !== DEPENDABOT_LOGIN) {
- warnOtherCommits();
+ // TODO: Promote to setFailed
+ core.warning('It looks like this PR was not created by Dependabot, refusing to proceed.');
 return false;
 }
 if (!((_a = commit.verification) === null || _a === void 0 ? void 0 : _a.verified)) {
@@ -9170,11 +9167,6 @@ function getMessage(client, context) {
 });
 }
 exports.getMessage = getMessage;
-function warnOtherCommits() {
- core.warning("It looks like this PR has contains commits that aren't part of a Dependabot update. " +
- "Try using '@dependabot rebase' to remove merge commits or '@dependabot recreate' to remove " +
- 'any non-Dependabot changes.');
-}
 function getAlert(name, version, directory, client, context) {
 var _a, _b, _c, _d, _e;
 return __awaiter(this, void 0, void 0, function* () {
diff --git a/src/dependabot/verified_commits.test.ts b/src/dependabot/verified_commits.test.ts
index 918b4c5d..cde91a57 100644
--- a/src/dependabot/verified_commits.test.ts
+++ b/src/dependabot/verified_commits.test.ts
@@ -33,28 +33,6 @@ test('it returns false for an event triggered by someone other than Dependabot',
 )
 })
-test('it returns false if there is more than 1 commit', async () => {
- nock('https://api.github.com').get('/repos/dependabot/dependabot/pulls/101/commits')
- .reply(200, [
- {
- commit: {
- message: 'Bump lodash from 1.0.0 to 2.0.0'
- }
- },
- {
- commit: {
- message: 'Add some more things.'
- }
- }
- ])
-
- expect(await getMessage(mockGitHubClient, mockGitHubPullContext())).toBe(false)
-
- expect(core.warning).toHaveBeenCalledWith(
- expect.stringContaining("It looks like this PR has contains commits that aren't part of a Dependabot update.")
- )
-})
-
 test('it returns false if the commit was authored by someone other than Dependabot', async () => {
 nock('https://api.github.com').get('/repos/dependabot/dependabot/pulls/101/commits')
 .reply(200, [
@@ -71,7 +49,7 @@ test('it returns false if the commit was authored by someone other than Dependab
 expect(await getMessage(mockGitHubClient, mockGitHubPullContext())).toBe(false)
 expect(core.warning).toHaveBeenCalledWith(
- expect.stringContaining("It looks like this PR has contains commits that aren't part of a Dependabot update.")
+ expect.stringContaining("It looks like this PR was not created by Dependabot, refusing to proceed.")
 )
 })
@@ -124,6 +102,11 @@ test('it returns the commit message for a PR authored exclusively by Dependabot
 verified: true
 }
 }
+ },
+ {
+ commit: {
+ message: 'Add some more things.'
+ }
 }
 ])
diff --git a/src/dependabot/verified_commits.ts b/src/dependabot/verified_commits.ts
index 22e9c8a0..b9685bae 100644
--- a/src/dependabot/verified_commits.ts
+++ b/src/dependabot/verified_commits.ts
@@ -32,15 +32,13 @@ export async function getMessage (client: InstanceType, context:
 pull_number: pr.number
 })
- if (commits.length > 1) {
- warnOtherCommits()
- return false
- }
-
 const { commit, author } = commits[0]
 if (author?.login !== DEPENDABOT_LOGIN) {
- warnOtherCommits()
+ // TODO: Promote to setFailed
+ core.warning(
+ 'It looks like this PR was not created by Dependabot, refusing to proceed.'
+ )
 return false
 }
@@ -55,14 +53,6 @@ export async function getMessage (client: InstanceType, context:
 return commit.message
 }
-function warnOtherCommits (): void {
- core.warning(
- "It looks like this PR has contains commits that aren't part of a Dependabot update. " +
- "Try using '@dependabot rebase' to remove merge commits or '@dependabot recreate' to remove " +
- 'any non-Dependabot changes.'
- )
-}
-
 export async function getAlert (name: string, version: string, directory: string, client: InstanceType, context: Context): Promise {
 const alerts: any = await client.graphql(`
 {

From 9a3daafb32bcef6148a00ad31180618828768b94 Mon Sep 17 00:00:00 2001
From: Michael Waddell
Date: Sat, 26 Feb 2022 13:46:10 -0600
Subject: [PATCH 3/3] linting

---
 src/dependabot/verified_commits.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/dependabot/verified_commits.test.ts b/src/dependabot/verified_commits.test.ts
index cde91a57..bc9c14c8 100644
--- a/src/dependabot/verified_commits.test.ts
+++ b/src/dependabot/verified_commits.test.ts
@@ -49,7 +49,7 @@ test('it returns false if the commit was authored by someone other than Dependab
 expect(await getMessage(mockGitHubClient, mockGitHubPullContext())).toBe(false)
 expect(core.warning).toHaveBeenCalledWith(
- expect.stringContaining("It looks like this PR was not created by Dependabot, refusing to proceed.")
+ expect.stringContaining('It looks like this PR was not created by Dependabot, refusing to proceed.')
 )
 })
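Review bot: Removing the `commits.length > 1` guard in the first hunk of verified_commits.ts makes `getMessage` return `commits[0].message` for a PR that carries any number of further commits from anyone, while the author check in this hunk and the signature check that follows it apply to `commits[0]` alone and say nothing about the rest of the branch (signature verification is a property of one commit object, not of the PR); the README examples in PATCH 1/3 of this same series gate approve and auto-merge steps on this action's output, so consumers lose the only check that looked at the whole PR. At minimum the situation should be visible in the job log and in the documentation: after the destructuring add `if (commits.length > 1) {` / `  core.warning('This PR contains commits beyond the first; only the first commit was checked for Dependabot authorship and signature.')` / `}`, and have the README state that the returned metadata describes the first commit only so that workflows wiring it to auto-merge can add their own review of the remaining commits. The same removal is mirrored in dist/index.js and in the deleted "more than 1 commit" test in verified_commits.test.ts, which no longer has a case covering a PR with non-Dependabot commits. `getMessage` begins and ends outside both hunks.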