RubyGems - dependabot-docker - Versions diffs - 0.382.0 → 0.383.0 - Mend

dependabot-docker 0.382.0 → 0.383.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

checksums.yaml +4 -4
data/lib/dependabot/docker/update_checker.rb +117 -2
metadata +4 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9c3c3a9d65ba79f649da1e2078a73d446587e67b3b78ccca293710fd8a08c417
-  data.tar.gz: d6862a5fd24ceab65a80f42b555d0d2219585a371464b7774c52f5b369dcc3aa
+  metadata.gz: '0200408166a023ea4720b018f90dda3232304f7b5f1abec28dd8dbb9bf2b3f0e'
+  data.tar.gz: 99f2b3c7a81588a396ca4fc38b1cb9ce9d5907f455122f7b3285fc84c92afe51
 SHA512:
-  metadata.gz: 73acf20b4b759b7987898616686b1edbb423541b0b7c259c4568f8fd66c4b5c336cb7dc8fdbf83e1e054a458a4a3f0d04c9d6b605180416ba6ccfa5092ca6b59
-  data.tar.gz: d674d576671aa6d270fc8d80db56c62dc46cb026f38342e3fdc83ede3204a517c7d4960d503cd9c45641d10cb7f10e6076c62488c7a2c53b0db4464facce0a3a
+  metadata.gz: b4eb568dd7249d487a42415564920512f63d953049334e64ec09171435385b48365e0934c8d392b8d7033d743f33b887fb4de1548e1c25db65e355cd2e9cf798
+  data.tar.gz: 517a96c97e6b74ed9873be9d49cbdf0913204f2111f4191c18a22a9c6c9e37c9665760a70662f84e4c87b65607b710414d871109fd72dc68d64f58f0f56795ea

data/lib/dependabot/docker/update_checker.rb CHANGED Viewed

@@ -263,6 +263,7 @@ module Dependabot
         # (which requires a call to the registry for each tag, so can be slow)
         candidate_tags = comparable_tags_from_registry(version_tag)
         candidate_tags = remove_version_downgrades(candidate_tags, version_tag)
+        candidate_tags = remove_more_precise_tags(candidate_tags, version_tag)
         candidate_tags = remove_prereleases(candidate_tags, version_tag)
         candidate_tags = filter_ignored(candidate_tags)
         candidate_tags = sort_tags(candidate_tags, version_tag)
@@ -285,14 +286,26 @@ module Dependabot
         candidate_tags.reverse_each do |candidate|
           selected = select_tag_with_precision(candidate, same_precision_tags, version_tag)
+          # Content check (runs regardless of experiments): if the candidate tag
+          # resolves to the exact same image contents as the current tag, there
+          # is no real update to make. This catches rolling tags (e.g. "9.0")
+          # that point to the same image as a pinned tag (e.g. "9.0.11").
+          if selected.name != version_tag.name && same_image_contents?(selected, version_tag)
+            Dependabot.logger.info(
+              "Digest check: #{selected.name} has the same image contents as #{version_tag.name} " \
+              "— no update needed, staying on #{version_tag.name}"
+            )
+            next
+          end
           if Dependabot::Experiments.enabled?(:docker_created_timestamp_validation) &&
              selected.name != version_tag.name
             if validation_attempts >= MAX_PLATFORM_VALIDATION_ATTEMPTS
               Dependabot.logger.info(
                 "Platform validation: reached max attempts (#{MAX_PLATFORM_VALIDATION_ATTEMPTS}), " \
-                "accepting #{selected.name} without timestamp check"
+                "skipping #{selected.name} — continuing to find a validated candidate"
               )
-              return selected
+              next
             end
             validation_attempts += 1
           end
@@ -562,6 +575,26 @@ module Dependabot
         end
       end
+      # When the current tag pins only the major or major.minor version (e.g.
+      # "9.0"), a candidate that additionally specifies a patch version (e.g.
+      # "9.0.17") is not a wanted upgrade: pinning the less precise tag opts into
+      # a rolling tag, so the patch should not be specified for them. Only true
+      # semver tags (":normal" format) are filtered here — build-number and date
+      # based formats have their own comparability rules and are left untouched.
+      sig do
+        params(
+          candidate_tags: T::Array[Dependabot::Docker::Tag],
+          version_tag: Dependabot::Docker::Tag
+        )
+          .returns(T::Array[Dependabot::Docker::Tag])
+      end
+      def remove_more_precise_tags(candidate_tags, version_tag)
+        return candidate_tags unless version_tag.format == :normal
+        return candidate_tags if version_tag.precision > 2
+        candidate_tags.select { |tag| tag.precision <= version_tag.precision }
+      end
       sig do
         params(
           candidate_tags: T::Array[Dependabot::Docker::Tag],
@@ -1083,6 +1116,80 @@ module Dependabot
         candidate_created > current_created
       end
+      # Returns true when the candidate tag and current tag reference the exact
+      # same image contents. Only multi-arch (manifest list) images are compared
+      # here, by checking that both tags expose the identical set of platforms
+      # with matching per-platform manifest digests. For single-platform images this
+      # returns false (empty digest map), so this check is effectively a no-op and
+      # we fall back to the existing semver/precision selection logic.
+      sig do
+        params(
+          candidate_tag: Dependabot::Docker::Tag,
+          current_tag: Dependabot::Docker::Tag
+        ).returns(T::Boolean)
+      end
+      def same_image_contents?(candidate_tag, current_tag)
+        current_digests = fetch_platform_digests(current_tag.name)
+        return false if current_digests.empty?
+        candidate_digests = fetch_platform_digests(candidate_tag.name)
+        return false if candidate_digests.empty?
+        # The contents are unchanged only when both tags expose the exact same set
+        # of platforms with identical per-platform manifest digests. A candidate
+        # with extra platforms is a different image and must not match.
+        current_digests == candidate_digests
+      end
+      # Fetches a map of platform key (e.g. "linux/amd64") to platform manifest
+      # digest for a tag's manifest list. Returns an empty hash for single-platform
+      # images or when the manifest can't be fetched.
+      sig { params(tag_name: String).returns(T::Hash[String, String]) }
+      def fetch_platform_digests(tag_name)
+        return T.must(platform_digests_cache[tag_name]) if platform_digests_cache.key?(tag_name)
+        digests = fetch_platform_digests_from_registry(tag_name)
+        platform_digests_cache[tag_name] = digests
+        digests
+      rescue *transient_docker_errors, DockerRegistry2::RegistryAuthenticationException,
+             RestClient::Forbidden, RestClient::TooManyRequests, JSON::ParserError => e
+        Dependabot.logger.info(
+          "Failed to fetch platform digests for #{docker_repo_name}:#{tag_name}: #{e.message}"
+        )
+        platform_digests_cache[tag_name] = {}
+        {}
+      end
+      sig { params(tag_name: String).returns(T::Hash[String, String]) }
+      def fetch_platform_digests_from_registry(tag_name)
+        manifest = with_retries(max_attempts: 3, errors: transient_docker_errors) do
+          docker_registry_client.manifest(docker_repo_name, tag_name)
+        end
+        media_type = manifest["mediaType"] || manifest[:mediaType]
+        return {} unless MANIFEST_LIST_TYPES.include?(media_type)
+        manifests = manifest["manifests"] || manifest[:manifests] || []
+        collect_platform_digests(manifests)
+      end
+      sig { params(manifests: T.untyped).returns(T::Hash[String, String]) }
+      def collect_platform_digests(manifests)
+        digests = {}
+        manifests.each do |m|
+          platform = extract_platform(m)
+          next unless platform
+          digest = m["digest"] || m[:digest]
+          next unless digest
+          digests[platform_key(platform)] = digest
+        end
+        digests
+      end
       # Fetches the platform entries from a manifest list for a given tag.
       # Returns nil if the tag is a single-platform image (not a manifest list).
       sig { params(tag_name: String).returns(T.nilable(T::Array[T::Hash[String, T.untyped]])) }
@@ -1218,6 +1325,14 @@ module Dependabot
         )
       end
+      sig { returns(T::Hash[String, T::Hash[String, String]]) }
+      def platform_digests_cache
+        @platform_digests_cache ||= T.let(
+          {},
+          T.nilable(T::Hash[String, T::Hash[String, String]])
+        )
+      end
       sig { returns(T::Hash[String, T.nilable(Time)]) }
       def config_created_timestamps
         @config_created_timestamps ||= T.let(

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-docker
 version: !ruby/object:Gem::Version
-  version: 0.382.0
+  version: 0.383.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.382.0
+        version: 0.383.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.382.0
+        version: 0.383.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -266,7 +266,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.382.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.383.0
 rdoc_options: []
 require_paths:
 - lib