RubyGems - dependabot-github_actions - Versions diffs - 0.214.0 → 0.216.0 - Mend

dependabot-github_actions 0.214.0 → 0.216.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/dependabot/github_actions/file_fetcher.rb +0 -6
data/lib/dependabot/github_actions/file_parser.rb +35 -24
data/lib/dependabot/github_actions/update_checker.rb +5 -5
data/lib/dependabot/github_actions/version.rb +2 -1
metadata +35 -32

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b3804334c168c6ac968941c3fd695443875744a48e66825e0247a10089003b77
-  data.tar.gz: 92571e11e014c22477a152c8035d77022df7faad94b303677788e937d31d6231
+  metadata.gz: f50d0f9ef87a92d54dcd28af02468c93ab84eb5f9108a1471cefd2d329d256f4
+  data.tar.gz: 408d6ec533ffe80eb5c1f0a26075654366cea3d1af5ceda65e1a0a7a38cdc758
 SHA512:
-  metadata.gz: 6397641d12b9fb86fbc34fec837b05c3669f9ebb3a96dd27fa2912098ac1f158dcf6f39995065a417013ba22e169931a4886c2e15109bcf446a4f83191ec03a4
-  data.tar.gz: d706bb33be9d40cd470c6977a6268887fddacbf799ea30b604a5569ac50347589b8acf25ad6f9d924ccd78c9ce31b515fe8564118dc1705825e6c73055265e6d
+  metadata.gz: 9af2df8aceeb3953a214ae35bf16da2fde043c5e1b6256c855b5d9511c259c87b57291a21ee7cad9f0e3d088fc9fafc4f350656228f76a7b58d6f3bd0005cf50
+  data.tar.gz: 42904c5ad4be0418b06a5b17afb476121e95f4df2c89a8e85a85df05f5b838474591b438111fe2410e72d3f9f52792749cd3c84b44b84cb26150c95937eabe87

data/lib/dependabot/github_actions/file_fetcher.rb CHANGED Viewed

@@ -21,7 +21,6 @@ module Dependabot
       def fetch_files
         fetched_files = []
         fetched_files += correctly_encoded_workflow_files
-        fetched_files += referenced_local_workflow_files
         return fetched_files if fetched_files.any?
@@ -66,11 +65,6 @@ module Dependabot
           map { |f| fetch_file_from_host("#{workflows_dir}/#{f.name}") }
       end
-      def referenced_local_workflow_files
-        # TODO: Fetch referenced local workflow files
-        []
-      end
       def correctly_encoded_workflow_files
         workflow_files.select { |f| f.content.valid_encoding? }
       end

data/lib/dependabot/github_actions/file_parser.rb CHANGED Viewed

@@ -17,7 +17,7 @@ module Dependabot
       require "dependabot/file_parsers/base/dependency_set"
       GITHUB_REPO_REFERENCE = %r{
-        (?<owner>[\w.-]+)/
+        ^(?<owner>[\w.-]+)/
         (?<repo>[\w.-]+)
         (?<path>/[^\@]+)?
         @(?<ref>.+)
@@ -40,11 +40,19 @@ module Dependabot
         dependency_set = DependencySet.new
         json = YAML.safe_load(file.content, aliases: true)
-        uses_strings = deep_fetch_uses(json).uniq
+        return dependency_set if json.nil?
+        uses_strings = deep_fetch_uses(json.fetch("jobs", json.fetch("runs", nil))).uniq
         uses_strings.each do |string|
           # TODO: Support Docker references and path references
-          dependency_set << build_github_dependency(file, string) if string.match?(GITHUB_REPO_REFERENCE)
+          next unless string.match?(GITHUB_REPO_REFERENCE)
+          dep = build_github_dependency(file, string)
+          git_checker = Dependabot::GitCommitChecker.new(dependency: dep, credentials: credentials)
+          next unless git_checker.pinned?
+          dependency_set << dep
         end
         dependency_set
@@ -53,10 +61,18 @@ module Dependabot
       end
       def build_github_dependency(file, string)
+        unless source.hostname == "github.com"
+          dep = github_dependency(file, string, source.hostname)
+          git_checker = Dependabot::GitCommitChecker.new(dependency: dep, credentials: credentials)
+          return dep if git_checker.git_repo_reachable?
+        end
+        github_dependency(file, string, "github.com")
+      end
+      def github_dependency(file, string, hostname)
         details = string.match(GITHUB_REPO_REFERENCE).named_captures
         name = "#{details.fetch('owner')}/#{details.fetch('repo')}"
-        url = "https://#{source.hostname}/#{name}"
         ref = details.fetch("ref")
         version = version_class.new(ref).to_s if version_class.correct?(ref)
         Dependency.new(
@@ -67,7 +83,7 @@ module Dependabot
             groups: [],
             source: {
               type: "git",
-              url: url,
+              url: "https://#{hostname}/#{name}",
               ref: ref,
               branch: nil
             },
@@ -78,10 +94,10 @@ module Dependabot
         )
       end
-      def deep_fetch_uses(json_obj)
+      def deep_fetch_uses(json_obj, found_uses = [])
         case json_obj
-        when Hash then deep_fetch_uses_from_hash(json_obj)
-        when Array then json_obj.flat_map { |o| deep_fetch_uses(o) }
+        when Hash then deep_fetch_uses_from_hash(json_obj, found_uses)
+        when Array then json_obj.flat_map { |o| deep_fetch_uses(o, found_uses) }
         else []
         end
       end
@@ -92,8 +108,6 @@ module Dependabot
           next unless dep.version.nil?
           git_checker = Dependabot::GitCommitChecker.new(dependency: dep, credentials: credentials)
-          next unless git_checker.pinned_ref_looks_like_commit_sha?
           resolved = git_checker.local_tag_for_pinned_sha
           next if resolved.nil? || !version_class.correct?(resolved)
@@ -105,20 +119,17 @@ module Dependabot
         resolved.compact.each { |dep| dependency_set << dep }
       end
-      def deep_fetch_uses_from_hash(json_object)
-        steps = json_object.fetch("steps", [])
-        uses_strings =
-          if steps.is_a?(Array) && steps.all?(Hash)
-            steps.
-              map { |step| step.fetch("uses", nil) }.
-              select { |use| use.is_a?(String) }
-          else
-            []
-          end
+      def deep_fetch_uses_from_hash(json_object, found_uses)
+        if json_object.key?("uses")
+          found_uses << json_object["uses"]
+        elsif json_object.key?("steps")
+          # Bypass other fields as uses are under steps if they exist
+          deep_fetch_uses(json_object["steps"], found_uses)
+        else
+          json_object.values.flat_map { |obj| deep_fetch_uses(obj, found_uses) }
+        end
-        uses_strings +
-          json_object.values.flat_map { |obj| deep_fetch_uses(obj) }
+        found_uses
       end
       def workflow_files

data/lib/dependabot/github_actions/update_checker.rb CHANGED Viewed

@@ -33,10 +33,9 @@ module Dependabot
         lowest_security_fix_version
       end
-      def updated_requirements # rubocop:disable Metrics/PerceivedComplexity
+      def updated_requirements
         previous = dependency_source_details
         updated = updated_source
-        return dependency.requirements if updated == previous
         # Maintain a short git hash only if it matches the latest
         if previous[:type] == "git" &&
@@ -88,7 +87,7 @@ module Dependabot
         if git_commit_checker.pinned_ref_looks_like_commit_sha? && latest_version_tag
           latest_version = latest_version_tag.fetch(:version)
-          return latest_commit_for_pinned_ref unless git_commit_checker.branch_or_ref_in_release?(latest_version)
+          return latest_commit_for_pinned_ref unless git_commit_checker.local_tag_for_pinned_sha
           return latest_version
         end
@@ -199,7 +198,7 @@ module Dependabot
         new_tag = latest_version_tag
         return unless new_tag
-        if git_commit_checker.branch_or_ref_in_release?(new_tag.fetch(:version))
+        if git_commit_checker.local_tag_for_pinned_sha
           new_tag.fetch(:commit_sha)
         else
           latest_commit_for_pinned_ref
@@ -252,7 +251,8 @@ module Dependabot
       def find_container_branch(sha)
         branches_including_ref = SharedHelpers.run_shell_command(
-          "git branch --remotes --contains #{sha}"
+          "git branch --remotes --contains #{sha}",
+          fingerprint: "git branch --remotes --contains <sha>"
         ).split("\n").map { |branch| branch.strip.gsub("origin/", "") }
         current_branch = branches_including_ref.find { |branch| branch.start_with?("HEAD -> ") }

data/lib/dependabot/github_actions/version.rb CHANGED Viewed

@@ -1,10 +1,11 @@
 # frozen_string_literal: true
+require "dependabot/version"
 require "dependabot/utils"
 module Dependabot
   module GithubActions
-    class Version < Gem::Version
+    class Version < Dependabot::Version
       def initialize(version)
         version = Version.remove_leading_v(version)
         super

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-github_actions
 version: !ruby/object:Gem::Version
-  version: 0.214.0
+  version: 0.216.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-12-01 00:00:00.000000000 Z
+date: 2023-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.214.0
+        version: 0.216.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.214.0
+        version: 0.216.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 1.7.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 1.7.1
 - !ruby/object:Gem::Dependency
   name: gpgme
   requirement: !ruby/object:Gem::Requirement
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.0.0
+        version: 4.2.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.0.0
+        version: 4.2.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -86,70 +86,70 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.12'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.12'
 - !ruby/object:Gem::Dependency
   name: rspec-its
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.39.0
+        version: 1.48.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.39.0
+        version: 1.48.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.15.0
+        version: 1.17.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.15.0
+        version: 1.17.1
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.21.0
+        version: 0.22.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.21.0
+        version: 0.22.0
 - !ruby/object:Gem::Dependency
   name: simplecov-console
   requirement: !ruby/object:Gem::Requirement
@@ -182,33 +182,34 @@ dependencies:
   name: vcr
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.1.0
+        version: '6.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.1.0
+        version: '6.1'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.4'
+        version: '3.18'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.4'
-description: Automated dependency management for Ruby, JavaScript, Python, PHP, Elixir,
-  Rust, Java, .NET, Elm and Go
-email: support@dependabot.com
+        version: '3.18'
+description: Dependabot-GitHub_Actions provides support for bumping GitHub Actions
+  via Dependabot. If you want support for multiple package managers, you probably
+  want the meta-gem dependabot-omnibus.
+email: opensource@github.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -224,7 +225,9 @@ files:
 homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - Nonstandard
-metadata: {}
+metadata:
+  issue_tracker_uri: https://github.com/dependabot/dependabot-core/issues
+  changelog_uri: https://github.com/dependabot/dependabot-core/blob/main/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -240,8 +243,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.1.0
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
-summary: GitHub Actions support for dependabot-common
+summary: Provides Dependabot support for GitHub Actions
 test_files: []