Allow custom dependabotAuthor and dependabotCommitter #378
Comments
The first question is, does https://github.com/dependabot/fetch-metadata support the same input?
It seems like it is not supported by
Thank you for pointing that out. I started a discussion in that project first dependabot/fetch-metadata#317 and I'll report back
We implemented this slightly differently in fetch-metadata. We simply skip all the checks: https://github.com/dependabot/fetch-metadata/blob/main/action.yml#L20-L23 Would you be open to adding something similar now?
Skipping all the verification would be a dangerous action.
When I say "skip verification" I am referring to the dependabot verifications. What I do need is to skip the author verification as my pull requests are coming from a service id
If the fetch-metadata action accepted this change, I think we can do the same here. I'm just not sure that
How about
The author can be enforced using GitHub Actions directly, and we can let the user decide how that looks under their environment. For all we know, it could be one or multiple users.
If it helps, one more scenario that will be more common until dependabot supports grouping is when one or more dependabot commits are merged into a single larger commit. This can happen manually or even automatically. See https://github.com/hrvey/combine-prs-workflow
Works for me, do you think this will play well with the existing
I'm not sure what you mean by this, can you clarify?
I'm also not sure I understand what you mean with this and how this is relevant for this issue.
Honestly, they would not be compatible as
In GitHub Actions, we can add a check like this:

```yaml
- name: Greet dependabot
  # This step will only run if the user matches. The "echo" command won't run at all
  if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
  run: echo "Hello dependabot!"
```

As this feature exists, the only reason to have this additional verification in the action code is for safety, but normally I would implement it using the native GitHub Actions feature instead to avoid the call altogether.
Apologies that it was not clear. What I meant is that there are other scenarios where this feature would be useful that I discovered recently. These "bundled" pull requests are created by other users and the commit verification will also fail
Thanks for the clarifications @yeikel. On the first point, how do you suggest to progress? We can certainly consider removing the existing "skip" input, but clearly if we have a non-breaking way to do this it would be even better.
I think that the easiest way to proceed is to add a new parameter
The other option is to implement it just like fetch-metadata did so that when set, both the author and the commit verification are skipped.
As a side note, I just noticed that in your action definition, you're also filtering by author and that we would need to enhance that as well using the same parameter: https://github.com/fastify/github-action-merge-dependabot/blob/main/action.yml#L51
Is the check in the code necessary given that? I am not sure in what situations the action is running for other users when we are stopping it from running using that check
I am happy to go with this solution then, yes! And yes we'll have to change some conditions in the action yaml definition as well. @yeikel I would appreciate if you could send a PR for this 🙏
Can you clarify what option we are settling for?
(I personally prefer
I'd go with
Great, thank you for accepting the request! I'll work on it this week and feel free to assign the issue to me :)
Deal, thanks a lot 👌
When enabled, both author and commit verification are disabled Closes fastify#378
I submitted #411 as promised. Thank you!
* feat: add option to skip-verification
  When enabled, both author and commit verification are disabled
  Closes #378
* Update src/action.js
  Co-authored-by: KaKa <climba03003@gmail.com>
* Update src/action.js
  Co-authored-by: KaKa <climba03003@gmail.com>
* regenerate dist
* fix linting

---------

Co-authored-by: KaKa <climba03003@gmail.com>
🎉 This issue has been resolved in version 3.7.0 🎉
The release is available on:
Your optic bot 📦🚀
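The arrangement discussed in this thread, as an added example that is not part of the original issue or the project's own documentation: the action's verification is switched off and the author check moves into the workflow's `if:` condition. The input name `skip-verification` is taken from the commit message above and its boolean value is assumed; the `@v3` tag is assumed from the 3.7.0 release, and the login `my-dependabot-service` is a placeholder for the service id that opens the pull requests.

```yaml
# Added example. 'my-dependabot-service' is a placeholder login.
name: automerge
on: pull_request

jobs:
  automerge:
    # Author check enforced by the workflow itself, because the action's
    # own author and commit verification is disabled further down.
    # The job is skipped entirely for any other pull request author.
    if: ${{ github.event.pull_request.user.login == 'my-dependabot-service' }}
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: write
    steps:
      - uses: fastify/github-action-merge-dependabot@v3
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          # Assumed input name, from the commit message in this thread:
          # disables both author and commit verification.
          skip-verification: true
```

`github.event.pull_request.user.login` identifies who opened the pull request, not who authored each commit on its branch, so with the action's commit verification off nothing in this workflow checks commits pushed to that branch afterwards.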
Prerequisites
🚀 Feature Proposal
Add two new configuration properties, dependabotAuthor and dependabotCommitter, that allow users to configure https://github.com/fastify/github-action-merge-dependabot/blob/main/src/getDependabotDetails.js#L2-L4 and set custom values.
Note: I am open to sending a PR about this
Motivation
I run dependabot-core (the core framework behind dependabot) privately and my user details are not what the actions expect
Example Configuration
Example Input