Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add support to dependabot's compatibility score #287

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

guilhermelimak
Copy link
Contributor

This PR adds support for using dependabot's compatibility score (retrieved from dependabot's fetch-metadata action) to decide whether to merge a PR or not.

Closes #286

Checklist

@@ -45,5 +45,6 @@ exports.getInputs = inputs => {
APPROVE_ONLY: /true/i.test(inputs['approve-only']),
TARGET: mapUpdateType(inputs['target']),
PR_NUMBER: inputs['pr-number'],
COMPATIBILITY_SCORE: inputs['compatibility-score'],
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
COMPATIBILITY_SCORE: inputs['compatibility-score'],
COMPATIBILITY_SCORE: Number(inputs['compatibility-score']),

@@ -64,6 +65,20 @@ module.exports = async function run({
)
}

const targetScore = +COMPATIBILITY_SCORE
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

moved the coercion to the input utility

Suggested change
const targetScore = +COMPATIBILITY_SCORE
const targetScore = COMPATIBILITY_SCORE

@@ -42,6 +42,10 @@ An example of a non-semantic version is a commit hash when using git submodules.

_Optional_ A pull request number, only required if triggered from a workflow_dispatch event. Typically this would be triggered by a script running in a seperate CI provider. See [Trigger action from workflow_dispatch event](#trigger-action-from-workflow_dispatch-event)

### `compatibility-score`

_Optional_ A minimum [Compatibility score](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-compatibility-scores) needed for the PR to be merged.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
_Optional_ A minimum [Compatibility score](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-compatibility-scores) needed for the PR to be merged.
_Optional_ A minimum [Compatibility score](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-compatibility-scores) needed for the PR to be merged. The check will be skipped if the dependabot's PR does not include the compatibility score.

},
dependabotMetadata: createDependabotMetadata({
updateType: updateTypes.minor,
compatibilityScore: 91,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could it be a float?

Suggested change
compatibilityScore: 91,
compatibilityScore: '90.9',

@@ -466,3 +466,96 @@ tap.test('should forbid minor when target is patch', async () => {
sinon.assert.notCalled(stubs.approveStub)
sinon.assert.notCalled(stubs.mergeStub)
})

tap.test(
'should not allow merge with compatibility score lower than target score',
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since in documentation stated "security updates may include compatibility scores", I would also add test for case when compat score is not provided

@simoneb
Copy link
Collaborator

simoneb commented Oct 17, 2022

I think we're blocked here for the moment, as we didn't quite figure out how to make this work over time. Meaning, reassessing the PRs if and when the compatibility score changes (as it is expected to) over time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add support for dependabot's compatibility score
5 participants