feat: add option to set custom user#331
Conversation
| steps: | ||
| - name: Fetch Dependabot metadata | ||
| id: dependabot-metadata | ||
| if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} |
There was a problem hiding this comment.
As discussed in #317
This check would be enough to prevent invalid users.
I extended the existing logic, but we should consider if we really need to have that check within the action when we can stop the execution before it even runs using the GitHub Events
cc @jeffwidman
There was a problem hiding this comment.
This should definitely go in the README regardless of how we end up changing the code internals itself!
| @@ -21,7 +21,7 @@ export async function getMessage (client: InstanceType<typeof GitHub>, context: | |||
|
|
|||
| // Don't bother hitting the API if the PR author isn't Dependabot | |||
There was a problem hiding this comment.
I think this is the reason the check exists within the code... the concern is that users may not realize they need to set that, and so may fire off spurious requests... so it's defensive coding to protect the API from ignorant/careless users.
That said, I agree the volume of calls here is probably pretty low, so it may be fine to remove this... 🤷♂️
There was a problem hiding this comment.
I filed #332 to track this discussion as it's out of scope of this PR.
Head branch was pushed to by a user without write access
|
See the suggestion in #317 (comment) for creating a second PR with an alternative approach... leaving this one open just in case i'm forgetting something. We'll merge one or the other. |
|
@jeffwidman I created #336 |
Closes #317