dependabot-github_actions 0.246.0 → 0.247.0
- checksums.yaml +4 -4
- data/lib/dependabot/github_actions/file_fetcher.rb +26 -7
- data/lib/dependabot/github_actions/file_parser.rb +16 -4
- data/lib/dependabot/github_actions/file_updater.rb +21 -8
- data/lib/dependabot/github_actions/metadata_finder.rb +6 -1
- data/lib/dependabot/github_actions/requirement.rb +6 -3
- data/lib/dependabot/github_actions/update_checker.rb +4 -3
- data/lib/dependabot/github_actions/version.rb +14 -2
- metadata +19 -5
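--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: e25c38f826f19e86d379f0903346ba8db11db2fe40e0c43c9ae2d035af69e7df
+data.tar.gz: 4e19630e80e9191cacedb8cf979c44db73280352d5d52c7cdcf3ecb8524f5c10
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c8332f9dbb5440bea9372b020034d97fb6dcf6ccaa0b28481ffe48db8162ff9b4ab700f40a5a87dbe215801be15b9ac2976d1c8ba0e5779e2be85cc04bb18fb6
+data.tar.gz: f5d3aa0845dedd44011490a7d4187f604d1d3466561155b8288d9cbd6b39ef93f4e99943abd9eb13ed0750cdd9ef12035cb245748a30d9f635da43847d967369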
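--- a/data/lib/dependabot/github_actions/file_fetcher.rb
+++ b/data/lib/dependabot/github_actions/file_fetcher.rb
@@ -1,7 +1,8 @@
-# typed:
+# typed: strict
 # frozen_string_literal: true
 
 require "sorbet-runtime"
+
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
 
@@ -13,14 +14,31 @@ module Dependabot
 
 FILENAME_PATTERN = /\.ya?ml$/
 
+sig { override.params(filenames: T::Array[String]).returns(T::Boolean) }
 def self.required_files_in?(filenames)
 filenames.any? { |f| f.match?(FILENAME_PATTERN) }
 end
 
+sig { override.returns(String) }
 def self.required_files_message
 "Repo must contain a .github/workflows directory with YAML files or an action.yml file"
 end
 
+sig do
+override
+.params(
+source: Dependabot::Source,
+credentials: T::Array[Dependabot::Credential],
+repo_contents_path: T.nilable(String),
+options: T::Hash[String, String]
+)
+.void
+end
+def initialize(source:, credentials:, repo_contents_path: nil, options: {})
+@workflow_files = T.let([], T::Array[DependencyFile])
+super(source: source, credentials: credentials, repo_contents_path: repo_contents_path, options: options)
+end
+
 sig { override.returns(T::Array[DependencyFile]) }
 def fetch_files
 fetched_files = []
@@ -43,17 +61,16 @@ module Dependabot
 else
 raise(
 Dependabot::DependencyFileNotParseable,
-incorrectly_encoded_workflow_files.first.path
+T.must(incorrectly_encoded_workflow_files.first).path
 )
 end
 end
 
 private
 
+sig { returns(T::Array[DependencyFile]) }
 def workflow_files
-return @workflow_files
-
-@workflow_files = []
+return @workflow_files unless @workflow_files.empty?
 
 # In the special case where the root directory is defined we also scan
 # the .github/workflows/ folder.
@@ -71,12 +88,14 @@ module Dependabot
 .map { |f| fetch_file_from_host("#{workflows_dir}/#{f.name}") }
 end
 
+sig { returns(T::Array[DependencyFile]) }
 def correctly_encoded_workflow_files
-workflow_files.select { |f| f.content
+workflow_files.select { |f| f.content&.valid_encoding? }
 end
 
+sig { returns(T::Array[DependencyFile]) }
 def incorrectly_encoded_workflow_files
-workflow_files.reject { |f| f.content
+workflow_files.reject { |f| f.content&.valid_encoding? }
 end
 end
 end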
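--- a/data/lib/dependabot/github_actions/file_parser.rb
+++ b/data/lib/dependabot/github_actions/file_parser.rb
@@ -1,12 +1,13 @@
-# typed:
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
 require "yaml"
 
 require "dependabot/dependency"
+require "dependabot/errors"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
-require "dependabot/errors"
 require "dependabot/github_actions/version"
 
 # For docs, see
@@ -15,6 +16,8 @@ require "dependabot/github_actions/version"
 module Dependabot
 module GithubActions
 class FileParser < Dependabot::FileParsers::Base
+extend T::Set
+
 require "dependabot/file_parsers/base/dependency_set"
 
 GITHUB_REPO_REFERENCE = %r{
@@ -24,6 +27,7 @@ module Dependabot
 @(?<ref>.+)
 }x
 
+sig { override.returns(T::Array[Dependabot::Dependency]) }
 def parse
 dependency_set = DependencySet.new
 
@@ -36,10 +40,11 @@ module Dependabot
 
 private
 
+sig { params(file: Dependabot::DependencyFile).returns(Dependabot::FileParsers::Base::DependencySet) }
 def workfile_file_dependencies(file)
 dependency_set = DependencySet.new
 
-json = YAML.safe_load(file.content, aliases: true, permitted_classes: [Date, Time, Symbol])
+json = YAML.safe_load(T.must(file.content), aliases: true, permitted_classes: [Date, Time, Symbol])
 return dependency_set if json.nil?
 
 uses_strings = deep_fetch_uses(json.fetch("jobs", json.fetch("runs", nil))).uniq
@@ -81,6 +86,7 @@ module Dependabot
 raise Dependabot::DependencyFileNotParseable, file.path
 end
 
+sig { params(file: Dependabot::DependencyFile, string: String).returns(Dependabot::Dependency) }
 def build_github_dependency(file, string)
 unless source&.hostname == "github.com"
 dep = github_dependency(file, string, T.must(source).hostname)
@@ -91,8 +97,9 @@ module Dependabot
 github_dependency(file, string, "github.com")
 end
 
+sig { params(file: Dependabot::DependencyFile, string: String, hostname: String).returns(Dependabot::Dependency) }
 def github_dependency(file, string, hostname)
-details = string.match(GITHUB_REPO_REFERENCE).named_captures
+details = T.must(string.match(GITHUB_REPO_REFERENCE)).named_captures
 name = "#{details.fetch('owner')}/#{details.fetch('repo')}"
 ref = details.fetch("ref")
 version = version_class.new(ref).to_s if version_class.correct?(ref)
@@ -115,6 +122,7 @@ module Dependabot
 )
 end
 
+sig { params(json_obj: T.untyped, found_uses: T::Array[String]).returns(T::Array[String]) }
 def deep_fetch_uses(json_obj, found_uses = [])
 case json_obj
 when Hash then deep_fetch_uses_from_hash(json_obj, found_uses)
@@ -123,6 +131,7 @@ module Dependabot
 end
 end
 
+sig { params(json_object: T::Hash[String, T.untyped], found_uses: T::Array[String]).returns(T::Array[String]) }
 def deep_fetch_uses_from_hash(json_object, found_uses)
 if json_object.key?("uses")
 found_uses << json_object["uses"]
@@ -136,12 +145,14 @@ module Dependabot
 found_uses
 end
 
+sig { returns(T::Array[Dependabot::DependencyFile]) }
 def workflow_files
 # The file fetcher only fetches workflow files, so no need to
 # filter here
 dependency_files
 end
 
+sig { override.void }
 def check_required_files
 # Just check if there are any files at all.
 return if dependency_files.any?
@@ -149,6 +160,7 @@ module Dependabot
 raise "No workflow files!"
 end
 
+sig { returns(T.class_of(Dependabot::GithubActions::Version)) }
 def version_class
 GithubActions::Version
 end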
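--- a/data/lib/dependabot/github_actions/file_updater.rb
+++ b/data/lib/dependabot/github_actions/file_updater.rb
@@ -1,17 +1,23 @@
-# typed:
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
+require "dependabot/errors"
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
-require "dependabot/errors"
 
 module Dependabot
 module GithubActions
 class FileUpdater < Dependabot::FileUpdaters::Base
+extend T::Sig
+
+sig { override.returns(T::Array[Regexp]) }
 def self.updated_files_regex
 [%r{\.github/workflows/.+\.ya?ml$}]
 end
 
+sig { override.returns(T::Array[Dependabot::DependencyFile]) }
 def updated_dependency_files
 updated_files = []
 
@@ -33,11 +39,13 @@ module Dependabot
 
 private
 
+sig { returns(Dependabot::Dependency) }
 def dependency
 # GitHub Actions will only ever be updating a single dependency
-dependencies.first
+T.must(dependencies.first)
 end
 
+sig { override.void }
 def check_required_files
 # Just check if there are any files at all.
 return if dependency_files.any?
@@ -45,25 +53,27 @@ module Dependabot
 raise "No workflow files!"
 end
 
+# rubocop:disable Metrics/AbcSize
+sig { params(file: Dependabot::DependencyFile).returns(String) }
 def updated_workflow_file_content(file)
 updated_requirement_pairs =
-dependency.requirements.zip(dependency.previous_requirements)
+dependency.requirements.zip(T.must(dependency.previous_requirements))
 .reject do |new_req, old_req|
 next true if new_req[:file] != file.name
 
-new_req[:source] == old_req[:source]
+new_req[:source] == T.must(old_req)[:source]
 end
 
-updated_content = file.content
+updated_content = T.must(file.content)
 
 updated_requirement_pairs.each do |new_req, old_req|
 # TODO: Support updating Docker sources
 next unless new_req.fetch(:source).fetch(:type) == "git"
 
-old_ref = old_req.fetch(:source).fetch(:ref)
+old_ref = T.must(old_req).fetch(:source).fetch(:ref)
 new_ref = new_req.fetch(:source).fetch(:ref)
 
-old_declaration = old_req.fetch(:metadata).fetch(:declaration_string)
+old_declaration = T.must(old_req).fetch(:metadata).fetch(:declaration_string)
 new_declaration =
 old_declaration
 .gsub(/@.*+/, "@#{new_ref}")
@@ -91,7 +101,9 @@ module Dependabot
 
 updated_content
 end
+# rubocop:enable Metrics/AbcSize
 
+sig { params(comment: T.nilable(String), old_ref: String, new_ref: String).returns(T.nilable(String)) }
 def updated_version_comment(comment, old_ref, new_ref)
 raise "No comment!" unless comment
 
@@ -110,6 +122,7 @@ module Dependabot
 comment.gsub(previous_version, new_version)
 end
 
+sig { returns(T.class_of(Dependabot::GithubActions::Version)) }
 def version_class
 GithubActions::Version
 end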
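--- a/data/lib/dependabot/github_actions/metadata_finder.rb
+++ b/data/lib/dependabot/github_actions/metadata_finder.rb
@@ -1,14 +1,19 @@
-# typed:
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 require "dependabot/metadata_finders"
 require "dependabot/metadata_finders/base"
 
 module Dependabot
 module GithubActions
 class MetadataFinder < Dependabot::MetadataFinders::Base
+extend T::Sig
+
 private
 
+sig { override.returns(T.nilable(Dependabot::Source)) }
 def look_up_source
 info = dependency.requirements.filter_map { |r| r[:source] }.first
 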
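--- a/data/lib/dependabot/github_actions/requirement.rb
+++ b/data/lib/dependabot/github_actions/requirement.rb
@@ -1,16 +1,18 @@
-# typed:
+# typed: strong
 # frozen_string_literal: true
 
 require "sorbet-runtime"
 
+require "dependabot/github_actions/version"
 require "dependabot/requirement"
 require "dependabot/utils"
-require "dependabot/github_actions/version"
 
 module Dependabot
 module GithubActions
 # Lifted from the bundler package manager
 class Requirement < Dependabot::Requirement
+extend T:: Sig
+
 # For consistency with other languages, we define a requirements array.
 # Ruby doesn't have an `OR` separator for requirements, so it always
 # contains a single element.
@@ -21,9 +23,10 @@ module Dependabot
 
 # Patches Gem::Requirement to make it accept requirement strings like
 # "~> 4.2.5, >= 4.2.5.1" without first needing to split them.
+sig { params(requirements: T.any(T.nilable(String), T::Array[T.nilable(String)])).void }
 def initialize(*requirements)
 requirements = requirements.flatten.flat_map do |req_string|
-req_string
+req_string&.split(",")&.map(&:strip)
 end
 
 super(requirements)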
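--- a/data/lib/dependabot/github_actions/update_checker.rb
+++ b/data/lib/dependabot/github_actions/update_checker.rb
@@ -2,12 +2,13 @@
 # frozen_string_literal: true
 
 require "sorbet-runtime"
+
+require "dependabot/errors"
+require "dependabot/github_actions/requirement"
+require "dependabot/github_actions/version"
 require "dependabot/update_checkers"
 require "dependabot/update_checkers/base"
 require "dependabot/update_checkers/version_filters"
-require "dependabot/errors"
-require "dependabot/github_actions/version"
-require "dependabot/github_actions/requirement"
 
 module Dependabot
 module GithubActions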
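--- a/data/lib/dependabot/github_actions/version.rb
+++ b/data/lib/dependabot/github_actions/version.rb
@@ -1,23 +1,35 @@
-# typed:
+# typed: strong
 # frozen_string_literal: true
 
-require "
+require "sorbet-runtime"
+
 require "dependabot/utils"
+require "dependabot/version"
 
 module Dependabot
 module GithubActions
 class Version < Dependabot::Version
+extend T::Sig
+
+sig { override.params(version: VersionParameter).void }
 def initialize(version)
 version = Version.remove_leading_v(version)
 super
 end
 
+sig { override.params(version: VersionParameter).returns(Dependabot::GithubActions::Version) }
+def self.new(version)
+T.cast(super, Dependabot::GithubActions::Version)
+end
+
+sig { params(version: VersionParameter).returns(VersionParameter) }
 def self.remove_leading_v(version)
 return version unless version.to_s.match?(/\Av([0-9])/)
 
 version.to_s.delete_prefix("v")
 end
 
+sig { override.params(version: VersionParameter).returns(T::Boolean) }
 def self.correct?(version)
 version = Version.remove_leading_v(version)
 super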
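--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-github_actions
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.247.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-03-
+date: 2024-03-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.247.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.247.0
 - !ruby/object:Gem::Dependency
 name: debug
 requirement: !ruby/object:Gem::Requirement
@@ -136,6 +136,20 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: 1.19.0
+- !ruby/object:Gem::Dependency
+name: rubocop-rspec
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 2.27.1
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 2.27.1
 - !ruby/object:Gem::Dependency
 name: rubocop-sorbet
 requirement: !ruby/object:Gem::Requirement
@@ -241,7 +255,7 @@ licenses:
 - Nonstandard
 metadata:
 bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
+changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.247.0
 post_install_message:
 rdoc_options: []
 require_paths: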