Merge pull request #14 from dependabot/brrygrdn/actor-must-be-dependabot

Verify the triggering actor is Dependabot

__tests__/inputs.test.ts

@@ -25,20 +25,3 @@ test('loads dynamic', () => {
   expect(params?.jobToken).toEqual('xxx')
   expect(params?.credentialsToken).toEqual('yyy')
 })
-
-test('loads workflow_dispatch', () => {
-  const ctx = new Context()
-  ctx.eventName = 'workflow_dispatch'
-  ctx.payload = {
-    inputs: {
-      jobId: '1',
-      jobToken: 'xxx',
-      credentialsToken: 'yyy'
-    }
-  }
-
-  const params = getJobParameters(ctx)
-  expect(params?.jobId).toEqual(1)
-  expect(params?.jobToken).toEqual('xxx')
-  expect(params?.credentialsToken).toEqual('yyy')
-})

__tests__/main.test.ts

@@ -37,7 +37,8 @@ describe('run', () => {
   describe('when the run follows the happy path', () => {
     beforeAll(() => {
       process.env.GITHUB_EVENT_PATH = eventFixturePath('default')
-      process.env.GITHUB_EVENT_NAME = 'workflow_dispatch'
+      process.env.GITHUB_EVENT_NAME = 'dynamic'
+      process.env.GITHUB_ACTOR = 'dependabot[bot]'
       context = new Context()
     })
 
@@ -58,10 +59,36 @@ describe('run', () => {
     })
   })
 
+  describe('when the action is triggered on by a different actor', () => {
+    beforeAll(() => {
+      process.env.GITHUB_EVENT_PATH = eventFixturePath('default')
+      process.env.GITHUB_EVENT_NAME = 'dynamic'
+      process.env.GITHUB_ACTOR = 'classic-rando'
+      context = new Context()
+    })
+
+    test('it fails the workflow', async () => {
+      await run(context)
+
+      expect(core.setFailed).not.toHaveBeenCalled()
+      expect(core.info).toHaveBeenCalledWith(
+        'This workflow can only be triggered by Dependabot.'
+      )
+    })
+
+    test('it does not report this failed run to dependabot-api', async () => {
+      await run(context)
+
+      expect(markJobAsProcessedSpy).not.toHaveBeenCalled()
+      expect(reportJobErrorSpy).not.toHaveBeenCalled()
+    })
+  })
+
   describe('when the action is triggered on an unsupported event', () => {
     beforeAll(() => {
       process.env.GITHUB_EVENT_PATH = eventFixturePath('default')
       process.env.GITHUB_EVENT_NAME = 'issue_created'
+      process.env.GITHUB_ACTOR = 'dependabot[bot]'
       context = new Context()
     })
 
@@ -91,7 +118,8 @@ describe('run', () => {
       )
 
       process.env.GITHUB_EVENT_PATH = eventFixturePath('default')
-      process.env.GITHUB_EVENT_NAME = 'workflow_dispatch'
+      process.env.GITHUB_EVENT_NAME = 'dynamic'
+      process.env.GITHUB_ACTOR = 'dependabot[bot]'
       context = new Context()
     })
 
@@ -122,7 +150,8 @@ describe('run', () => {
         )
 
       process.env.GITHUB_EVENT_PATH = eventFixturePath('default')
-      process.env.GITHUB_EVENT_NAME = 'workflow_dispatch'
+      process.env.GITHUB_EVENT_NAME = 'dynamic'
+      process.env.GITHUB_ACTOR = 'dependabot[bot]'
       context = new Context()
     })
 
@@ -153,7 +182,8 @@ describe('run', () => {
         )
 
       process.env.GITHUB_EVENT_PATH = eventFixturePath('default')
-      process.env.GITHUB_EVENT_NAME = 'workflow_dispatch'
+      process.env.GITHUB_EVENT_NAME = 'dynamic'
+      process.env.GITHUB_ACTOR = 'dependabot[bot]'
       context = new Context()
     })
 
@@ -189,7 +219,8 @@ describe('run', () => {
         )
 
       process.env.GITHUB_EVENT_PATH = eventFixturePath('default')
-      process.env.GITHUB_EVENT_NAME = 'workflow_dispatch'
+      process.env.GITHUB_EVENT_NAME = 'dynamic'
+      process.env.GITHUB_ACTOR = 'dependabot[bot]'
       context = new Context()
     })
 
@@ -225,7 +256,8 @@ describe('run', () => {
         )
 
       process.env.GITHUB_EVENT_PATH = eventFixturePath('default')
-      process.env.GITHUB_EVENT_NAME = 'workflow_dispatch'
+      process.env.GITHUB_EVENT_NAME = 'dynamic'
+      process.env.GITHUB_ACTOR = 'dependabot[bot]'
       context = new Context()
     })
 

src/cli.ts

@@ -27,7 +27,8 @@ cli
 
 const options = cli.opts()
 const ctx = new Context()
-ctx.eventName = 'workflow_dispatch'
+ctx.eventName = 'dynamic'
+ctx.actor = 'dependabot[bot]'
 ctx.payload = {
   inputs: options
 }

src/inputs.ts

@@ -3,16 +3,17 @@ import {Context} from '@actions/github/lib/context'
 import {WorkflowDispatchEvent} from '@octokit/webhooks-types'
 import {JobParameters} from './api-client'
 
+const DYNAMIC = 'dynamic'
+
 export function getJobParameters(ctx: Context): JobParameters | null {
-  switch (ctx.eventName) {
-    case 'dynamic':
-    case 'workflow_dispatch':
-      return fromWorkflowInputs(ctx)
+  if (ctx.eventName === DYNAMIC) {
+    return fromWorkflowInputs(ctx)
+  } else {
+    core.info(
+      `Dependabot Updater Action does not support '${ctx.eventName}' events.`
+    )
+    return null
   }
-  core.info(
-    `Dependabot Updater Action does not support '${ctx.eventName}' events.`
-  )
-  return null
 }
 
 function fromWorkflowInputs(ctx: Context): JobParameters {

src/main.ts

@@ -7,6 +7,8 @@ import {Updater} from './updater'
 import {ApiClient} from './api-client'
 import axios from 'axios'
 
+const DEPENDABOT_ACTOR = 'dependabot[bot]'
+
 export const UPDATER_IMAGE_NAME =
   'docker.pkg.github.com/dependabot/dependabot-updater:latest'
 export const PROXY_IMAGE_NAME =
@@ -21,12 +23,19 @@ export enum DependabotErrorType {
 export async function run(context: Context): Promise<void> {
   try {
     core.info('🤖 ~ starting update ~')
+
+    if (context.actor !== DEPENDABOT_ACTOR) {
+      core.info('This workflow can only be triggered by Dependabot.')
+      core.info('🤖 ~ finished: nothing to do ~')
+      return // TODO: This should be setNeutral in future
+    }
+
     // Decode JobParameters
     const params = getJobParameters(context)
     if (params === null) {
       core.info('No job parameters')
       core.info('🤖 ~ finished: nothing to do ~')
-      return
+      return // TODO: This should be setNeutral in future
     }
 
     core.setSecret(params.jobToken)