dependabot-docker 0.377.0 → 0.379.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/dependabot/docker/update_checker.rb +33 -5
- data/lib/dependabot/docker_compose/file_updater.rb +12 -1
- metadata +4 -4
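--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d88012ff199df5eaf98766380b8615df8a81dfdc2730dd49f824fd47850f41b4
+data.tar.gz: 985452621d56616c424a629f1c06a573a9254281fecbe4fb647cce173adf5cad
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 29010cda214cb8e22a749ec33bed8ba0a1ceccd91db831f9ce864c518ffacbe7dd8b7f3e73f9b64337a213bd6d3bcae8308fb03b7fb7d4b1eafa70739a54bea3
+data.tar.gz: b26bb3a77b99f9162ce152cd7b7e7390174c9b65c518c5c53cee8836e732b60448d81f38b410c33b0d7c189e3a0a32b0094bf8e2ad4cdfb1157019bfdf5378e8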
@@ -213,6 +213,18 @@ module Dependabot
|
|
|
213
213
|
expected_digest =
|
|
214
214
|
if source_tag
|
|
215
215
|
latest_tag = latest_tag_from(source_tag)
|
|
216
|
+
|
|
217
|
+
# When digest-only updates are suppressed and the tag hasn't changed,
|
|
218
|
+
# treat the digest as up-to-date to avoid proposing a PR that only
|
|
219
|
+
# bumps the digest without a corresponding version change.
|
|
220
|
+
# Only apply to comparable (versioned) tags — non-comparable tags like
|
|
221
|
+
# "latest" or distro codenames should still get digest updates.
|
|
222
|
+
if Dependabot::Experiments.enabled?(:docker_digest_only_update_suppression) &&
|
|
223
|
+
Tag.new(source_tag).comparable? &&
|
|
224
|
+
latest_tag.name == source_tag
|
|
225
|
+
next true
|
|
226
|
+
end
|
|
227
|
+
|
|
216
228
|
digest_of(latest_tag.name)
|
|
217
229
|
else
|
|
218
230
|
updated_digest
|
|
@@ -374,7 +386,9 @@ module Dependabot
|
|
|
374
386
|
candidate_tags.reverse_each do |tag|
|
|
375
387
|
details = publication_detail(tag)
|
|
376
388
|
|
|
377
|
-
|
|
389
|
+
# If we can't determine publication details, skip cooldown for this tag and use it
|
|
390
|
+
# rather than blocking the update when the registry doesn't support the required API calls
|
|
391
|
+
return [tag] if !details || !details.released_at
|
|
378
392
|
|
|
379
393
|
return [tag] unless cooldown_period?(T.must(details.released_at), tag)
|
|
380
394
|
|
|
@@ -389,7 +403,7 @@ module Dependabot
|
|
|
389
403
|
return publication_details[candidate_tag.name] if publication_details.key?(candidate_tag.name)
|
|
390
404
|
|
|
391
405
|
details = get_tag_publication_details(candidate_tag)
|
|
392
|
-
publication_details[candidate_tag.name] =
|
|
406
|
+
publication_details[candidate_tag.name] = details
|
|
393
407
|
|
|
394
408
|
details
|
|
395
409
|
end
|
|
@@ -404,12 +418,17 @@ module Dependabot
|
|
|
404
418
|
first_digest = extract_digest_from_response(digest_info, tag)
|
|
405
419
|
return nil unless first_digest
|
|
406
420
|
|
|
407
|
-
|
|
421
|
+
# When digest_info is an Array the registry returned a manifest list
|
|
422
|
+
# (OCI image index) and the extracted digest points at a platform-
|
|
423
|
+
# specific *manifest*, not a blob. Use the correct endpoint so the
|
|
424
|
+
# HEAD request succeeds on registries like ghcr.io.
|
|
425
|
+
endpoint = digest_info.is_a?(Array) ? "manifests" : "blobs"
|
|
426
|
+
head_response = with_retries(max_attempts: 3, errors: transient_docker_errors) do
|
|
408
427
|
client = docker_registry_client
|
|
409
|
-
client.dohead "v2/#{docker_repo_name}
|
|
428
|
+
client.dohead "v2/#{docker_repo_name}/#{endpoint}/#{first_digest}"
|
|
410
429
|
end
|
|
411
430
|
|
|
412
|
-
last_modified =
|
|
431
|
+
last_modified = head_response.headers[:last_modified]
|
|
413
432
|
published_date = last_modified ? Time.parse(last_modified) : nil
|
|
414
433
|
|
|
415
434
|
Dependabot::Package::PackageRelease.new(
|
|
@@ -420,6 +439,15 @@ module Dependabot
|
|
|
420
439
|
url: nil,
|
|
421
440
|
package_type: "docker"
|
|
422
441
|
)
|
|
442
|
+
rescue *transient_docker_errors,
|
|
443
|
+
DockerRegistry2::RegistryAuthenticationException,
|
|
444
|
+
RestClient::Forbidden,
|
|
445
|
+
RestClient::TooManyRequests => e
|
|
446
|
+
Dependabot.logger.warn(
|
|
447
|
+
"Failed to fetch publication details for #{docker_repo_name}:#{tag.name}, " \
|
|
448
|
+
"skipping cooldown: #{e.class} - #{e.message}"
|
|
449
|
+
)
|
|
450
|
+
nil
|
|
423
451
|
end
|
|
424
452
|
|
|
425
453
|
sig do
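Review bot: The cooldown check is now fail-open at `return [tag] if !details || !details.released_at` (new line 391 in the `candidate_tags.reverse_each` hunk): nil arrives there not only when a registry lacks the manifest HEAD API but also from the new method-level rescue in `get_tag_publication_details` (new lines 442–450), which swallows `RestClient::TooManyRequests`, `RestClient::Forbidden`, `RegistryAuthenticationException` and exhausted `transient_docker_errors`, so a rate limit or a flaky registry silently disables the wait and selects the newest tag — the one the cooldown exists to delay. Since cooldown is a supply-chain control, I would separate "unsupported" from "failed": let the 429/transient/auth case skip the candidate rather than adopt it, e.g. `next if details.nil?` in the loop while keeping the `!details.released_at` case as the explicit fail-open path, and keep the warn so the outcome stays visible. If the behaviour is kept as is, the comment on new lines 389–390 should say so plainly: `# NOTE: fail-open — a missing or failed publication lookup bypasses the cooldown for this tag`. The method enclosing `reverse_each` and `get_tag_publication_details` both begin outside their hunks, and what the loop returns when every candidate is skipped is not visible here.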
|
|
@@ -29,7 +29,18 @@ module Dependabot
|
|
|
29
29
|
|
|
30
30
|
sig { override.params(escaped_declaration: String).returns(Regexp) }
|
|
31
31
|
def build_old_declaration_regex(escaped_declaration)
|
|
32
|
-
%r{
|
|
32
|
+
%r{
|
|
33
|
+
#{IMAGE_REGEX}
|
|
34
|
+
(?:[>|][-+]?\s*)? # optional YAML block scalar indicator (folded/literal)
|
|
35
|
+
\s+
|
|
36
|
+
["']?
|
|
37
|
+
(?:\$\{[^\}:]+:-)?
|
|
38
|
+
(docker\.io/)?
|
|
39
|
+
#{escaped_declaration}
|
|
40
|
+
(?:\})?
|
|
41
|
+
["']?
|
|
42
|
+
(?=\s|$)
|
|
43
|
+
}x
|
|
33
44
|
end
|
|
34
45
|
|
|
35
46
|
sig { override.returns(T::Array[Dependabot::DependencyFile]) }
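Review bot: The block-scalar branch `(?:[>|][-+]?\s*)?` sits directly after `#{IMAGE_REGEX}` and before the mandatory `\s+`, so for `image: >` with the name on the next line it only matches if `IMAGE_REGEX` itself consumes the space after the key; if `IMAGE_REGEX` ends at the colon (not visible here) the optional group is skipped at the space, `\s+` eats it, and `#{escaped_declaration}` then fails against `>`, leaving folded/literal declarations unrewritten. Allowing whitespace on both sides, `\s*(?:[>|][-+]?)?\s+`, matches either layout, and specs with `image: >\n  nginx:1.25` and `image: |-\n  nginx:1.25` would pin it. Also worth a comment on the `%r{ … }x` line: under the `x` flag any unescaped whitespace or `#` in the interpolated `IMAGE_REGEX` or `escaped_declaration` is dropped or treated as a comment if they are strings rather than Regexp objects — `Regexp.escape` covers the declaration, but how `IMAGE_REGEX` is built cannot be seen from this hunk. The method is complete within the hunk; the enclosing class is not.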
|
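--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-docker
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.379.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.379.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.379.0
 - !ruby/object:Gem::Dependency
 name: debug
 requirement: !ruby/object:Gem::Requirement
@@ -266,7 +266,7 @@ licenses:
 - MIT
 metadata:
 bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
+changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.379.0
 rdoc_options: []
 require_paths:
 - lib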