add the non_default_target_branch_used output and leave a warning if non default target branches are used

GrantBirki · GrantBirki · commit da2ff7fc1dfa · 2025-01-22T13:41:06.000-08:00
diff --git a/README.md b/README.md
@@ -343,6 +343,7 @@ As seen above, we have two steps. One for a noop deploy, and one for a regular d
 | `needs_to_be_deployed` | A comma separated list of environments that need successful and active deployments before the current environment (that was requested) can be deployed. This output is tied to the `enforced_deployment_order` input option - See the [enforced deployment order docs](./docs/enforced-deployment-order.md) for more details |
 | `commit_verified` | The string `"true"` if the commit is verified, otherwise `"false"` |
 | `total_seconds` | The total number of seconds that the deployment took to complete (Integer) |
+| `non_default_target_branch_used` | The string `"true"` if the pull request is targeting a branch other than the default branch (aka stable branch) for the merge, otherwise unset |
 
 ## Custom Deployment Messages ✏️
 
diff --git a/__tests__/functions/prechecks.test.js b/__tests__/functions/prechecks.test.js
@@ -60,6 +60,7 @@ beforeEach(() => {
       permissions: ['admin', 'write'],
       commit_verification: false,
       ignored_checks: [],
+      use_security_warnings: true,
       allow_non_default_target_branch_deployments: false
     }
   }
@@ -1034,6 +1035,11 @@ test('runs prechecks and finds that the IssueOps command is valid for a branch d
     sha: 'abcde12345',
     isFork: true
   })
+
+  expect(setOutputMock).not.toHaveBeenCalledWith(
+    'non_default_target_branch_used',
+    'true'
+  )
 })
 
 test('runs prechecks and finds that the PR from a fork is targeting a non-default branch and rejects the deployment', async () => {
@@ -1082,6 +1088,11 @@ test('runs prechecks and finds that the PR from a fork is targeting a non-defaul
     message: `### ⚠️ Cannot proceed with deployment\n\nThis pull request is attempting to merge into the \`some-other-branch\` branch which is not the default branch of this repository (\`${data.inputs.stable_branch}\`). This deployment has been rejected since it could be dangerous to proceed.`,
     status: false
   })
+
+  expect(setOutputMock).toHaveBeenCalledWith(
+    'non_default_target_branch_used',
+    'true'
+  )
 })
 
 test('runs prechecks and finds that the PR from a fork is targeting a non-default branch and allows it based on the action config', async () => {
@@ -1137,6 +1148,11 @@ test('runs prechecks and finds that the PR from a fork is targeting a non-defaul
     sha: 'abcde12345',
     isFork: true
   })
+
+  expect(setOutputMock).toHaveBeenCalledWith(
+    'non_default_target_branch_used',
+    'true'
+  )
 })
 
 test('runs prechecks and finds that the PR is targeting a non-default branch and rejects the deployment', async () => {
@@ -1185,9 +1201,14 @@ test('runs prechecks and finds that the PR is targeting a non-default branch and
     message: `### ⚠️ Cannot proceed with deployment\n\nThis pull request is attempting to merge into the \`not-main\` branch which is not the default branch of this repository (\`${data.inputs.stable_branch}\`). This deployment has been rejected since it could be dangerous to proceed.`,
     status: false
   })
+
+  expect(setOutputMock).toHaveBeenCalledWith(
+    'non_default_target_branch_used',
+    'true'
+  )
 })
 
-test('runs prechecks and finds that the PR is targeting a non-default branch and allows the deployment based on the action config', async () => {
+test('runs prechecks and finds that the PR is targeting a non-default branch and allows the deployment based on the action config and logs a warning', async () => {
   octokit.graphql = jest.fn().mockReturnValue({
     repository: {
       pullRequest: {
@@ -1239,6 +1260,15 @@ test('runs prechecks and finds that the PR is targeting a non-default branch and
     sha: 'abcde12345',
     isFork: false
   })
+
+  expect(setOutputMock).toHaveBeenCalledWith(
+    'non_default_target_branch_used',
+    'true'
+  )
+
+  expect(warningMock).toHaveBeenCalledWith(
+    `🚨 this pull request is attempting to merge into the \`not-main\` branch which is not the default branch of this repository (\`${data.inputs.stable_branch}\`) - this action is potentially dangerous`
+  )
 })
 
 test('runs prechecks and finds that the IssueOps command is valid for a branch deployment and is from a forked repository and the PR is approved but CI is failing and it is a noop', async () => {
diff --git a/__tests__/schemas/action.schema.yml b/__tests__/schemas/action.schema.yml
@@ -651,3 +651,7 @@ outputs:
     description:
       type: string
       required: true
+  non_default_target_branch_used:
+    description:
+      type: string
+      required: true
diff --git a/action.yml b/action.yml
@@ -268,6 +268,8 @@ outputs:
     description: 'The string "true" if the commit has a verified signature, otherwise "false"'
   total_seconds:
     description: 'The total number of seconds that the deployment took to complete (Integer)'
+  non_default_target_branch_used:
+    description: 'The string "true" if the pull request is targeting a branch other than the default branch (aka stable branch) for the merge, otherwise unset'
 runs:
   using: "node20"
   main: "dist/index.js"
diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/src/functions/prechecks.js b/src/functions/prechecks.js
@@ -89,14 +89,37 @@ export async function prechecks(context, octokit, data) {
     )
   }
 
+  const nonDefaultTargetBranchUsed = data.inputs.stable_branch !== baseRef
+  const isNotStableBranchDeploy = !data.environmentObj.stable_branch_used
+  const nonDefaultDeploysAllowed =
+    data.inputs.allow_non_default_target_branch_deployments
+  const securityWarningsEnabled = data.inputs.use_security_warnings
+
+  if (nonDefaultTargetBranchUsed) {
+    core.setOutput('non_default_target_branch_used', 'true')
+  }
+
   // If the PR is targeting a branch other than the default branch (and it is not a stable branch deploy) reject the deployment, unless the Action is explicitly configured to allow it
   if (
-    data.environmentObj.stable_branch_used === false &&
-    data.inputs.stable_branch !== baseRef &&
-    data.inputs.allow_non_default_target_branch_deployments === false
+    isNotStableBranchDeploy &&
+    nonDefaultTargetBranchUsed &&
+    !nonDefaultDeploysAllowed
   ) {
-    message = `### ⚠️ Cannot proceed with deployment\n\nThis pull request is attempting to merge into the \`${baseRef}\` branch which is not the default branch of this repository (\`${data.inputs.stable_branch}\`). This deployment has been rejected since it could be dangerous to proceed.`
-    return {message: message, status: false}
+    return {
+      message: `### ⚠️ Cannot proceed with deployment\n\nThis pull request is attempting to merge into the \`${baseRef}\` branch which is not the default branch of this repository (\`${data.inputs.stable_branch}\`). This deployment has been rejected since it could be dangerous to proceed.`,
+      status: false
+    }
+  }
+
+  if (
+    isNotStableBranchDeploy &&
+    nonDefaultTargetBranchUsed &&
+    nonDefaultDeploysAllowed &&
+    securityWarningsEnabled
+  ) {
+    core.warning(
+      `🚨 this pull request is attempting to merge into the \`${baseRef}\` branch which is not the default branch of this repository (\`${data.inputs.stable_branch}\`) - this action is potentially dangerous`
+    )
   }
 
   // Determine whether to use the ref or sha depending on if the PR is from a fork or not
