dependabot-github_actions 0.145.2 → 0.147.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bc113c18f7e67041264e28282854419adb928cd11bad3ae3378619a3da775d4a
-  data.tar.gz: 8bb56ec6644ad24643f83c32dfd0dbe7f2407ff098509d20a71604ddba9a7171
+  metadata.gz: 3d131c78837434680d6708662713baca159b3f92c97bf9739da130a0b8947da8
+  data.tar.gz: 91e153ba0b1ed6a6d57d1cf7f156f388998357a600cc29ceca135fc8b5532283
 SHA512:
-  metadata.gz: cc87f2b17a5f671d8d13e064595d421a27b6ac7b0a113f42949c0573d083472f1edf64a1dde317bf1be410aecff80747d79718af6d50a0b84dc922bdbf87e8e8
-  data.tar.gz: 767765ad6f776eaa92290e402f78c4ce95a3525bfe9adfe24e8d00e62cb9c6d2167691a523d9466a9c299548e427311d00d7308d26ccaed794e46dcca7f8959c
+  metadata.gz: 89a2af943fdee5119ed02bf5bfe128fff0a32e5255811a7ac7d1027e589dee8c5fb2a4116afc284fad6e0b7bc56583e1ff753507b8b985962cb83dbcc35be0db
+  data.tar.gz: 0ea1dc2ddb5b7c891ea4c72ff88b3a9de3ceae986c8e5a11c66afbb0e2cbd233b4f3954fc273a513d8bf40d73455c94e97e6bcbc079146bd6968c43787d014f0

data/lib/dependabot/github_actions/file_parser.rb

@@ -30,6 +30,7 @@ module Dependabot
           dependency_set += workfile_file_dependencies(file)
         end
 
+        resolve_git_tags(dependency_set)
         dependency_set.dependencies
       end
 
@@ -56,16 +57,18 @@ module Dependabot
         name = "#{details.fetch('owner')}/#{details.fetch('repo')}"
         url = "https://github.com/#{name}"
 
+        ref = details.fetch("ref")
+        version = version_class.new(ref).to_s if version_class.correct?(ref)
         Dependency.new(
           name: name,
-          version: nil,
+          version: version,
           requirements: [{
             requirement: nil,
             groups: [],
             source: {
               type: "git",
               url: url,
-              ref: details.fetch("ref"),
+              ref: ref,
               branch: nil
             },
             file: file.name,
@@ -83,6 +86,25 @@ module Dependabot
         end
       end
 
+      def resolve_git_tags(dependency_set)
+        # Find deps that do not have an assigned (semver) version, but pin a commit that references a semver tag
+        resolved = dependency_set.dependencies.map do |dep|
+          next unless dep.version.nil?
+
+          git_checker = Dependabot::GitCommitChecker.new(dependency: dep, credentials: credentials)
+          next unless git_checker.pinned_ref_looks_like_commit_sha?
+
+          resolved = git_checker.local_tag_for_pinned_version
+          next if resolved.nil? || !version_class.correct?(resolved)
+
+          # Build a Dependency with the resolved version, and rely on DependencySet's merge
+          Dependency.new(name: dep.name, version: version_class.new(resolved).to_s,
+                         package_manager: dep.package_manager, requirements: [])
+        end
+
+        resolved.compact.each { |dep| dependency_set << dep }
+      end
+
       def deep_fetch_uses_from_hash(json_object)
         steps = json_object.fetch("steps", [])
 
@@ -111,6 +133,10 @@ module Dependabot
 
         raise "No workflow files!"
       end
+
+      def version_class
+        GithubActions::Version
+      end
     end
   end
 end

data/lib/dependabot/github_actions/update_checker.rb

@@ -62,12 +62,14 @@ module Dependabot
         return git_commit_checker.head_commit_for_current_branch unless git_commit_checker.pinned?
 
         # If the dependency is pinned to a tag that looks like a version then
-        # we want to update that tag. The latest version will then be the SHA
-        # of the latest tag that looks like a version.
+        # we want to update that tag.
         if git_commit_checker.pinned_ref_looks_like_version? &&
            git_commit_checker.local_tag_for_latest_version
           latest_tag = git_commit_checker.local_tag_for_latest_version
-          return latest_tag.fetch(:commit_sha)
+          latest_version = latest_tag.fetch(:version)
+          return version_class.new(dependency.version) if shortened_semver_eq?(dependency.version, latest_version.to_s)
+
+          return latest_version
         end
 
         # If the dependency is pinned to a commit SHA and the latest
@@ -140,6 +142,16 @@ module Dependabot
           raise_on_ignored: raise_on_ignored
         )
       end
+
+      def shortened_semver_eq?(base, other)
+        return false unless base
+
+        base_split = base.split(".")
+        other_split = other.split(".")
+        return false unless base_split.length <= other_split.length
+
+        other_split[0..base_split.length - 1] == base_split
+      end
     end
   end
 end

data/lib/dependabot/github_actions/version.rb

@@ -5,6 +5,21 @@ require "dependabot/utils"
 module Dependabot
   module GithubActions
     class Version < Gem::Version
+      def initialize(version)
+        version = Version.remove_leading_v(version)
+        super
+      end
+
+      def self.remove_leading_v(version)
+        return version unless version.to_s.match?(/\Av([0-9])/)
+
+        version.to_s.gsub(/\Av/, "")
+      end
+
+      def self.correct?(version)
+        version = Version.remove_leading_v(version)
+        super
+      end
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-github_actions
 version: !ruby/object:Gem::Version
-  version: 0.145.2
+  version: 0.147.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-05-07 00:00:00.000000000 Z
+date: 2021-05-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.145.2
+        version: 0.147.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.145.2
+        version: 0.147.0
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement