Add special dependabot error message

2021-03-30 13:25:12 +01:00 · 2021-03-30 13:25:12 +01:00 · d4edded3ea
commit d4edded3ea
parent bf8daada40
3 changed files with 27 additions and 3 deletions
--- a/lib/actions-util.js
+++ b/lib/actions-util.js
@ -483,7 +483,14 @@ async function sendStatusReport(statusReport) {
        if (isHTTPError(e)) {
            switch (e.status) {
                case 403:
-                    core.setFailed(e.message || GENERIC_403_MSG);
+                    if (isDependabotActor()) {
+                        core.setFailed('Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
+                            'To use Code Scanning with Dependabot please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for dependabot branches. ' +
+                            "See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags for more information on how to configure these events.");
+                    }
+                    else {
+                        core.setFailed(e.message || GENERIC_403_MSG);
+                    }
                    return false;
                case 404:
                    core.setFailed(GENERIC_404_MSG);
@ -508,6 +515,10 @@ async function sendStatusReport(statusReport) {
    }
 }
 exports.sendStatusReport = sendStatusReport;
+// Is dependabot the actor that triggered the current workflow run.
+function isDependabotActor() {
+    return process.env["GITHUB_ACTOR"] === "dependabot[bot]";
+}
 // Is the current action executing a local copy (i.e. we're running a workflow on the codeql-action repo itself)
 // as opposed to running a remote action (i.e. when another repo references us)
 function isRunningLocalAction() {
--- a/lib/actions-util.js.map
+++ b/lib/actions-util.js.map
--- a/src/actions-util.ts
+++ b/src/actions-util.ts
@ -628,7 +628,15 @@ export async function sendStatusReport<S extends StatusReportBase>(
    if (isHTTPError(e)) {
      switch (e.status) {
        case 403:
-          core.setFailed(e.message || GENERIC_403_MSG);
+          if (isDependabotActor()) {
+            core.setFailed(
+              'Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
+                'To use Code Scanning with Dependabot please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for dependabot branches. ' +
+                "See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags for more information on how to configure these events."
+            );
+          } else {
+            core.setFailed(e.message || GENERIC_403_MSG);
+          }
          return false;
        case 404:
          core.setFailed(GENERIC_404_MSG);
@ -655,6 +663,11 @@ export async function sendStatusReport<S extends StatusReportBase>(
  }
 }

+// Is dependabot the actor that triggered the current workflow run.
+function isDependabotActor() {
+  return process.env["GITHUB_ACTOR"] === "dependabot[bot]";
+}
+
 // Is the current action executing a local copy (i.e. we're running a workflow on the codeql-action repo itself)
 // as opposed to running a remote action (i.e. when another repo references us)
 export function isRunningLocalAction(): boolean {