dependabot-github_actions 0.145.2 → 0.147.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
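--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3d131c78837434680d6708662713baca159b3f92c97bf9739da130a0b8947da8
+data.tar.gz: 91e153ba0b1ed6a6d57d1cf7f156f388998357a600cc29ceca135fc8b5532283
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 89a2af943fdee5119ed02bf5bfe128fff0a32e5255811a7ac7d1027e589dee8c5fb2a4116afc284fad6e0b7bc56583e1ff753507b8b985962cb83dbcc35be0db
+data.tar.gz: 0ea1dc2ddb5b7c891ea4c72ff88b3a9de3ceae986c8e5a11c66afbb0e2cbd233b4f3954fc273a513d8bf40d73455c94e97e6bcbc079146bd6968c43787d014f0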
@@ -30,6 +30,7 @@ module Dependabot
|
|
30
30
|
dependency_set += workfile_file_dependencies(file)
|
31
31
|
end
|
32
32
|
|
33
|
+
resolve_git_tags(dependency_set)
|
33
34
|
dependency_set.dependencies
|
34
35
|
end
|
35
36
|
|
@@ -56,16 +57,18 @@ module Dependabot
|
|
56
57
|
name = "#{details.fetch('owner')}/#{details.fetch('repo')}"
|
57
58
|
url = "https://github.com/#{name}"
|
58
59
|
|
60
|
+
ref = details.fetch("ref")
|
61
|
+
version = version_class.new(ref).to_s if version_class.correct?(ref)
|
59
62
|
Dependency.new(
|
60
63
|
name: name,
|
61
|
-
version:
|
64
|
+
version: version,
|
62
65
|
requirements: [{
|
63
66
|
requirement: nil,
|
64
67
|
groups: [],
|
65
68
|
source: {
|
66
69
|
type: "git",
|
67
70
|
url: url,
|
68
|
-
ref:
|
71
|
+
ref: ref,
|
69
72
|
branch: nil
|
70
73
|
},
|
71
74
|
file: file.name,
|
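Review bot: `version` is left `nil` whenever the modifier condition on `version = version_class.new(ref).to_s if version_class.correct?(ref)` is false — Ruby defines the local at parse time — and the `Dependency.new(... version: version ...)` call below relies on exactly that, but nothing on the line says so. Spelling the intent out, e.g. `version = version_class.correct?(ref) ? version_class.new(ref).to_s : nil`, or adding `# nil unless the ref parses as a version` above it, keeps the next reader from wondering whether `version` can be undefined. The enclosing method starts and ends outside this hunk.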
@@ -83,6 +86,25 @@ module Dependabot
|
|
83
86
|
end
|
84
87
|
end
|
85
88
|
|
89
|
+
def resolve_git_tags(dependency_set)
|
90
|
+
# Find deps that do not have an assigned (semver) version, but pin a commit that references a semver tag
|
91
|
+
resolved = dependency_set.dependencies.map do |dep|
|
92
|
+
next unless dep.version.nil?
|
93
|
+
|
94
|
+
git_checker = Dependabot::GitCommitChecker.new(dependency: dep, credentials: credentials)
|
95
|
+
next unless git_checker.pinned_ref_looks_like_commit_sha?
|
96
|
+
|
97
|
+
resolved = git_checker.local_tag_for_pinned_version
|
98
|
+
next if resolved.nil? || !version_class.correct?(resolved)
|
99
|
+
|
100
|
+
# Build a Dependency with the resolved version, and rely on DependencySet's merge
|
101
|
+
Dependency.new(name: dep.name, version: version_class.new(resolved).to_s,
|
102
|
+
package_manager: dep.package_manager, requirements: [])
|
103
|
+
end
|
104
|
+
|
105
|
+
resolved.compact.each { |dep| dependency_set << dep }
|
106
|
+
end
|
107
|
+
|
86
108
|
def deep_fetch_uses_from_hash(json_object)
|
87
109
|
steps = json_object.fetch("steps", [])
|
88
110
|
|
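Review bot: The block-local `resolved = git_checker.local_tag_for_pinned_version` reuses the name of the outer `resolved` that the surrounding `map` assigns, so the same local is written twice with different meanings (a tag name inside the block, the array afterwards); rename the inner one, e.g. `tag = git_checker.local_tag_for_pinned_version` and `next if tag.nil? || !version_class.correct?(tag)`. The version attached here is derived from whichever tag the remote currently points at the pinned SHA, and unlike the SHA a tag is mutable, so a comment such as `# version is advisory: it comes from the tag currently resolving to the pinned SHA, not from the pin itself` would make the trust boundary explicit. Whether `GitCommitChecker` contacts the remote on each of these calls is not visible in the hunk; if it does, this loop now performs one remote lookup per unversioned dependency, which is worth stating in the method comment.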
@@ -111,6 +133,10 @@ module Dependabot
|
|
111
133
|
|
112
134
|
raise "No workflow files!"
|
113
135
|
end
|
136
|
+
|
137
|
+
def version_class
|
138
|
+
GithubActions::Version
|
139
|
+
end
|
114
140
|
end
|
115
141
|
end
|
116
142
|
end
|
@@ -62,12 +62,14 @@ module Dependabot
|
|
62
62
|
return git_commit_checker.head_commit_for_current_branch unless git_commit_checker.pinned?
|
63
63
|
|
64
64
|
# If the dependency is pinned to a tag that looks like a version then
|
65
|
-
# we want to update that tag.
|
66
|
-
# of the latest tag that looks like a version.
|
65
|
+
# we want to update that tag.
|
67
66
|
if git_commit_checker.pinned_ref_looks_like_version? &&
|
68
67
|
git_commit_checker.local_tag_for_latest_version
|
69
68
|
latest_tag = git_commit_checker.local_tag_for_latest_version
|
70
|
-
|
69
|
+
latest_version = latest_tag.fetch(:version)
|
70
|
+
return version_class.new(dependency.version) if shortened_semver_eq?(dependency.version, latest_version.to_s)
|
71
|
+
|
72
|
+
return latest_version
|
71
73
|
end
|
72
74
|
|
73
75
|
# If the dependency is pinned to a commit SHA and the latest
|
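Review bot: Returning `version_class.new(dependency.version)` when `shortened_semver_eq?` matches encodes a deliberate policy — a shortened pin is treated as already satisfied by the latest tag that shares its prefix, so the current pin is handed back instead of the fuller tag — but nothing on the line says so; a comment such as `# A shortened pin (e.g. a major-only tag) already covers the latest tag with that prefix; keep it rather than propose the longer one` would help. The line is also well over the usual width; hoisting the predicate, `keep_current = shortened_semver_eq?(dependency.version, latest_version.to_s)`, and then `return version_class.new(dependency.version) if keep_current`, keeps it readable. The enclosing method begins and ends outside this hunk.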
@@ -140,6 +142,16 @@ module Dependabot
|
|
140
142
|
raise_on_ignored: raise_on_ignored
|
141
143
|
)
|
142
144
|
end
|
145
|
+
|
146
|
+
def shortened_semver_eq?(base, other)
|
147
|
+
return false unless base
|
148
|
+
|
149
|
+
base_split = base.split(".")
|
150
|
+
other_split = other.split(".")
|
151
|
+
return false unless base_split.length <= other_split.length
|
152
|
+
|
153
|
+
other_split[0..base_split.length - 1] == base_split
|
154
|
+
end
|
143
155
|
end
|
144
156
|
end
|
145
157
|
end
|
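Review bot: The index range `other_split[0..base_split.length - 1]` together with the separate length guard can be replaced by `other_split.first(base_split.length) == base_split`, which returns a shorter array (and therefore false) on its own when `other` has fewer segments. The current guard `return false unless base` lets an empty string through, and for an empty `base` the range becomes `0..-1`, i.e. the whole of `other_split`; `return false if base.nil? || base.empty?` makes that edge explicit instead of relying on the range arithmetic. A one-line YARD note on the method, `# @return [Boolean] true when every segment of base matches the leading segments of other`, would document the prefix semantics the caller depends on.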
@@ -5,6 +5,21 @@ require "dependabot/utils"
|
|
5
5
|
module Dependabot
|
6
6
|
module GithubActions
|
7
7
|
class Version < Gem::Version
|
8
|
+
def initialize(version)
|
9
|
+
version = Version.remove_leading_v(version)
|
10
|
+
super
|
11
|
+
end
|
12
|
+
|
13
|
+
def self.remove_leading_v(version)
|
14
|
+
return version unless version.to_s.match?(/\Av([0-9])/)
|
15
|
+
|
16
|
+
version.to_s.gsub(/\Av/, "")
|
17
|
+
end
|
18
|
+
|
19
|
+
def self.correct?(version)
|
20
|
+
version = Version.remove_leading_v(version)
|
21
|
+
super
|
22
|
+
end
|
8
23
|
end
|
9
24
|
end
|
10
25
|
end
|
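Review bot: Both `super` calls in `initialize` and `self.correct?` are bare, so they forward the re-assigned `version` local rather than the original argument — that is the intended effect but it is easy to misread; either a comment `# bare super forwards the stripped value` on each, or the explicit `super(Version.remove_leading_v(version))`, removes the doubt. In `remove_leading_v`, `gsub(/\Av/, "")` on an anchored pattern does single-replacement work and reads more naturally as `sub(/\Av/, "")`, and the capture group in `/\Av([0-9])/` is unused, so `/\Av\d/` says the same thing. Note also that when no `v` prefix is present the method returns its argument unchanged (whatever type it was), while on a match it returns a new String; the callers here pass the result straight to `Gem::Version`, which appears to tolerate both, but the mixed return type is worth a YARD `@return [String, Object]` line.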
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-github_actions
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.147.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-05-
|
11
|
+
date: 2021-05-13 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dependabot-common
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.
|
19
|
+
version: 0.147.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.
|
26
|
+
version: 0.147.0
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: byebug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|