dependabot-github_actions 0.145.0 → 0.146.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 93086f58dfdd01d1d78c54d12afb7893dd8a94418717b5c72fffa0863bb937ac
-  data.tar.gz: 1eb01019601e6ed050c01687e55fc5319afc2da4e2dde62bd8cc7d31d20d330d
+  metadata.gz: 4b11317e1dad2358be56e6ef6a39a34b21203bb4892d8ede27b76bc1b9e26d2e
+  data.tar.gz: f5d866295306e58ea08f5f3be97fc3e1686d55f805fec4bb9e6335641f92b079
 SHA512:
-  metadata.gz: 1fa52dd6cf5bcf3f6a4bc44f522abf08abddcd975dbe90593513887b73502d13705c549047f54a49da244d4e0627e10d83ddc4142df76a9506515f11ac67ed95
-  data.tar.gz: f669b7544d9d6764c533271b75bda53f819422be103cbde932530e02b1be3ba21c4f21301e68962b20a71551d08fdf09df7d02a5bbfaa28657d204d098e8b251
+  metadata.gz: f468a43a7257f606736445fb21fc4a61869a6e0bd190940d09e9bee28bc631af8683aae0ad1c474764b23fe2394985f51bcc6067a0fe15d4bcd12de41b14b7bf
+  data.tar.gz: 8190e538cda08496ceeda4a6a23e0f66274df683ff38b68318577f2d0622397877f3852d77cb9281f8fcec21d8da1d303fd13ddcf0fecfed796f39346203688d

data/lib/dependabot/github_actions/file_parser.rb

@@ -30,6 +30,7 @@ module Dependabot
           dependency_set += workfile_file_dependencies(file)
         end
 
+        resolve_git_tags(dependency_set)
         dependency_set.dependencies
       end
 
@@ -56,16 +57,18 @@ module Dependabot
         name = "#{details.fetch('owner')}/#{details.fetch('repo')}"
         url = "https://github.com/#{name}"
 
+        ref = details.fetch("ref")
+        version = version_class.new(ref).to_s if version_class.correct?(ref)
         Dependency.new(
           name: name,
-          version: nil,
+          version: version,
           requirements: [{
             requirement: nil,
             groups: [],
             source: {
               type: "git",
               url: url,
-              ref: details.fetch("ref"),
+              ref: ref,
               branch: nil
             },
             file: file.name,
@@ -83,6 +86,25 @@ module Dependabot
         end
       end
 
+      def resolve_git_tags(dependency_set)
+        # Find deps that do not have an assigned (semver) version, but pin a commit that references a semver tag
+        resolved = dependency_set.dependencies.map do |dep|
+          next unless dep.version.nil?
+
+          git_checker = Dependabot::GitCommitChecker.new(dependency: dep, credentials: credentials)
+          next unless git_checker.pinned_ref_looks_like_commit_sha?
+
+          resolved = git_checker.local_tag_for_pinned_version
+          next if resolved.nil? || !version_class.correct?(resolved)
+
+          # Build a Dependency with the resolved version, and rely on DependencySet's merge
+          Dependency.new(name: dep.name, version: version_class.new(resolved).to_s,
+                         package_manager: dep.package_manager, requirements: [])
+        end
+
+        resolved.compact.each { |dep| dependency_set << dep }
+      end
+
       def deep_fetch_uses_from_hash(json_object)
         steps = json_object.fetch("steps", [])
 
@@ -111,6 +133,10 @@ module Dependabot
 
         raise "No workflow files!"
       end
+
+      def version_class
+        GithubActions::Version
+      end
     end
   end
 end

data/lib/dependabot/github_actions/update_checker.rb

@@ -62,12 +62,12 @@ module Dependabot
         return git_commit_checker.head_commit_for_current_branch unless git_commit_checker.pinned?
 
         # If the dependency is pinned to a tag that looks like a version then
-        # we want to update that tag. The latest version will then be the SHA
-        # of the latest tag that looks like a version.
+        # we want to update that tag.
+
         if git_commit_checker.pinned_ref_looks_like_version? &&
            git_commit_checker.local_tag_for_latest_version
           latest_tag = git_commit_checker.local_tag_for_latest_version
-          return latest_tag.fetch(:commit_sha)
+          return latest_tag.fetch(:version)
         end
 
         # If the dependency is pinned to a commit SHA and the latest

data/lib/dependabot/github_actions/version.rb

@@ -5,6 +5,21 @@ require "dependabot/utils"
 module Dependabot
   module GithubActions
     class Version < Gem::Version
+      def initialize(version)
+        version = Version.remove_leading_v(version)
+        super
+      end
+
+      def self.remove_leading_v(version)
+        return version unless version.to_s.match?(/\Av([0-9])/)
+
+        version.to_s.gsub(/\Av/, "")
+      end
+
+      def self.correct?(version)
+        version = Version.remove_leading_v(version)
+        super
+      end
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-github_actions
 version: !ruby/object:Gem::Version
-  version: 0.145.0
+  version: 0.146.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-05-05 00:00:00.000000000 Z
+date: 2021-05-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.145.0
+        version: 0.146.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.145.0
+        version: 0.146.0
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -100,14 +100,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.13.0
+        version: 1.14.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.13.0
+        version: 1.14.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement