dependabot-github_actions 0.246.0 → 0.248.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ea5d2bcb3d5175949fd8237010915e51defac7def6d5a99b200f664d38d418e7
-  data.tar.gz: d54a2c9f3420f194caca4850d26e8b567f5929e8e1378c3c0316095c865e8d68
+  metadata.gz: c51e33d21cb62b26db192563d449bf7afd9f7015170966d6f75a7c7c43e5ee54
+  data.tar.gz: 0624e2d447e20d529deef6028800931c206c89bc8b72227ac1c32bcbd9b86ad9
 SHA512:
-  metadata.gz: acd1d7b894cf48f364be1f0344fd6925f8feed56df5155f5a544b0fb1cc68079daaf788e85bdd60ca8129a5c2eea33d2cf95229685b594952c76770871d7a790
-  data.tar.gz: f3304d2c1b609929620e8653007948f7b96b0b8c317e345a91be15126cfd90c251fbe336eba093b3d7c8dc9dd095652c62e3bf4a5f57c329ec9ff30183aac8a8
+  metadata.gz: 636b3abd52b9b0fe4ec1d3b4f303ad339fe5521757d7ddddb37687843d79e8a8a11983406ad9a52c2e16d53309c99eca880aa374886f6601ccbe04c521d41d10
+  data.tar.gz: 5e0466e0be28cbf009e3aa3ae7cab52a4e12ca715d539281463ab4677ae93fe43739a82b55c89c7aeb1fe106064b1924810c2e71b38145c1d1244fc752729059

data/lib/dependabot/github_actions/file_fetcher.rb

@@ -1,7 +1,8 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "sorbet-runtime"
+
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
 
@@ -13,14 +14,31 @@ module Dependabot
 
       FILENAME_PATTERN = /\.ya?ml$/
 
+      sig { override.params(filenames: T::Array[String]).returns(T::Boolean) }
       def self.required_files_in?(filenames)
         filenames.any? { |f| f.match?(FILENAME_PATTERN) }
       end
 
+      sig { override.returns(String) }
       def self.required_files_message
         "Repo must contain a .github/workflows directory with YAML files or an action.yml file"
       end
 
+      sig do
+        override
+          .params(
+            source: Dependabot::Source,
+            credentials: T::Array[Dependabot::Credential],
+            repo_contents_path: T.nilable(String),
+            options: T::Hash[String, String]
+          )
+          .void
+      end
+      def initialize(source:, credentials:, repo_contents_path: nil, options: {})
+        @workflow_files = T.let([], T::Array[DependencyFile])
+        super(source: source, credentials: credentials, repo_contents_path: repo_contents_path, options: options)
+      end
+
       sig { override.returns(T::Array[DependencyFile]) }
       def fetch_files
         fetched_files = []
@@ -43,17 +61,16 @@ module Dependabot
         else
           raise(
             Dependabot::DependencyFileNotParseable,
-            incorrectly_encoded_workflow_files.first.path
+            T.must(incorrectly_encoded_workflow_files.first).path
           )
         end
       end
 
       private
 
+      sig { returns(T::Array[DependencyFile]) }
       def workflow_files
-        return @workflow_files if defined? @workflow_files
-
-        @workflow_files = []
+        return @workflow_files unless @workflow_files.empty?
 
         # In the special case where the root directory is defined we also scan
         # the .github/workflows/ folder.
@@ -71,12 +88,14 @@ module Dependabot
           .map { |f| fetch_file_from_host("#{workflows_dir}/#{f.name}") }
       end
 
+      sig { returns(T::Array[DependencyFile]) }
       def correctly_encoded_workflow_files
-        workflow_files.select { |f| f.content.valid_encoding? }
+        workflow_files.select { |f| f.content&.valid_encoding? }
       end
 
+      sig { returns(T::Array[DependencyFile]) }
       def incorrectly_encoded_workflow_files
-        workflow_files.reject { |f| f.content.valid_encoding? }
+        workflow_files.reject { |f| f.content&.valid_encoding? }
       end
     end
   end

data/lib/dependabot/github_actions/file_parser.rb

@@ -1,12 +1,13 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
 require "yaml"
 
 require "dependabot/dependency"
+require "dependabot/errors"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
-require "dependabot/errors"
 require "dependabot/github_actions/version"
 
 # For docs, see
@@ -15,6 +16,8 @@ require "dependabot/github_actions/version"
 module Dependabot
   module GithubActions
     class FileParser < Dependabot::FileParsers::Base
+      extend T::Set
+
       require "dependabot/file_parsers/base/dependency_set"
 
       GITHUB_REPO_REFERENCE = %r{
@@ -24,6 +27,7 @@ module Dependabot
         @(?<ref>.+)
       }x
 
+      sig { override.returns(T::Array[Dependabot::Dependency]) }
       def parse
         dependency_set = DependencySet.new
 
@@ -36,10 +40,11 @@ module Dependabot
 
       private
 
+      sig { params(file: Dependabot::DependencyFile).returns(Dependabot::FileParsers::Base::DependencySet) }
       def workfile_file_dependencies(file)
         dependency_set = DependencySet.new
 
-        json = YAML.safe_load(file.content, aliases: true, permitted_classes: [Date, Time, Symbol])
+        json = YAML.safe_load(T.must(file.content), aliases: true, permitted_classes: [Date, Time, Symbol])
         return dependency_set if json.nil?
 
         uses_strings = deep_fetch_uses(json.fetch("jobs", json.fetch("runs", nil))).uniq
@@ -81,6 +86,7 @@ module Dependabot
         raise Dependabot::DependencyFileNotParseable, file.path
       end
 
+      sig { params(file: Dependabot::DependencyFile, string: String).returns(Dependabot::Dependency) }
       def build_github_dependency(file, string)
         unless source&.hostname == "github.com"
           dep = github_dependency(file, string, T.must(source).hostname)
@@ -91,8 +97,9 @@ module Dependabot
         github_dependency(file, string, "github.com")
       end
 
+      sig { params(file: Dependabot::DependencyFile, string: String, hostname: String).returns(Dependabot::Dependency) }
       def github_dependency(file, string, hostname)
-        details = string.match(GITHUB_REPO_REFERENCE).named_captures
+        details = T.must(string.match(GITHUB_REPO_REFERENCE)).named_captures
         name = "#{details.fetch('owner')}/#{details.fetch('repo')}"
         ref = details.fetch("ref")
         version = version_class.new(ref).to_s if version_class.correct?(ref)
@@ -115,6 +122,7 @@ module Dependabot
         )
       end
 
+      sig { params(json_obj: T.untyped, found_uses: T::Array[String]).returns(T::Array[String]) }
       def deep_fetch_uses(json_obj, found_uses = [])
         case json_obj
         when Hash then deep_fetch_uses_from_hash(json_obj, found_uses)
@@ -123,6 +131,7 @@ module Dependabot
         end
       end
 
+      sig { params(json_object: T::Hash[String, T.untyped], found_uses: T::Array[String]).returns(T::Array[String]) }
       def deep_fetch_uses_from_hash(json_object, found_uses)
         if json_object.key?("uses")
           found_uses << json_object["uses"]
@@ -136,12 +145,14 @@ module Dependabot
         found_uses
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def workflow_files
         # The file fetcher only fetches workflow files, so no need to
         # filter here
         dependency_files
       end
 
+      sig { override.void }
       def check_required_files
         # Just check if there are any files at all.
         return if dependency_files.any?
@@ -149,6 +160,7 @@ module Dependabot
         raise "No workflow files!"
       end
 
+      sig { returns(T.class_of(Dependabot::GithubActions::Version)) }
       def version_class
         GithubActions::Version
       end

data/lib/dependabot/github_actions/file_updater.rb

@@ -1,17 +1,23 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
+require "dependabot/errors"
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
-require "dependabot/errors"
 
 module Dependabot
   module GithubActions
     class FileUpdater < Dependabot::FileUpdaters::Base
+      extend T::Sig
+
+      sig { override.returns(T::Array[Regexp]) }
       def self.updated_files_regex
         [%r{\.github/workflows/.+\.ya?ml$}]
       end
 
+      sig { override.returns(T::Array[Dependabot::DependencyFile]) }
       def updated_dependency_files
         updated_files = []
 
@@ -33,11 +39,13 @@ module Dependabot
 
       private
 
+      sig { returns(Dependabot::Dependency) }
       def dependency
         # GitHub Actions will only ever be updating a single dependency
-        dependencies.first
+        T.must(dependencies.first)
       end
 
+      sig { override.void }
       def check_required_files
         # Just check if there are any files at all.
         return if dependency_files.any?
@@ -45,25 +53,27 @@ module Dependabot
         raise "No workflow files!"
       end
 
+      # rubocop:disable Metrics/AbcSize
+      sig { params(file: Dependabot::DependencyFile).returns(String) }
       def updated_workflow_file_content(file)
         updated_requirement_pairs =
-          dependency.requirements.zip(dependency.previous_requirements)
+          dependency.requirements.zip(T.must(dependency.previous_requirements))
                     .reject do |new_req, old_req|
             next true if new_req[:file] != file.name
 
-            new_req[:source] == old_req[:source]
+            new_req[:source] == T.must(old_req)[:source]
           end
 
-        updated_content = file.content
+        updated_content = T.must(file.content)
 
         updated_requirement_pairs.each do |new_req, old_req|
           # TODO: Support updating Docker sources
           next unless new_req.fetch(:source).fetch(:type) == "git"
 
-          old_ref = old_req.fetch(:source).fetch(:ref)
+          old_ref = T.must(old_req).fetch(:source).fetch(:ref)
           new_ref = new_req.fetch(:source).fetch(:ref)
 
-          old_declaration = old_req.fetch(:metadata).fetch(:declaration_string)
+          old_declaration = T.must(old_req).fetch(:metadata).fetch(:declaration_string)
           new_declaration =
             old_declaration
             .gsub(/@.*+/, "@#{new_ref}")
@@ -91,7 +101,9 @@ module Dependabot
 
         updated_content
       end
+      # rubocop:enable Metrics/AbcSize
 
+      sig { params(comment: T.nilable(String), old_ref: String, new_ref: String).returns(T.nilable(String)) }
       def updated_version_comment(comment, old_ref, new_ref)
         raise "No comment!" unless comment
 
@@ -110,6 +122,7 @@ module Dependabot
         comment.gsub(previous_version, new_version)
       end
 
+      sig { returns(T.class_of(Dependabot::GithubActions::Version)) }
       def version_class
         GithubActions::Version
       end

data/lib/dependabot/github_actions/metadata_finder.rb

@@ -1,14 +1,19 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 require "dependabot/metadata_finders"
 require "dependabot/metadata_finders/base"
 
 module Dependabot
   module GithubActions
     class MetadataFinder < Dependabot::MetadataFinders::Base
+      extend T::Sig
+
       private
 
+      sig { override.returns(T.nilable(Dependabot::Source)) }
       def look_up_source
         info = dependency.requirements.filter_map { |r| r[:source] }.first
 

data/lib/dependabot/github_actions/requirement.rb

@@ -1,16 +1,18 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
 require "sorbet-runtime"
 
+require "dependabot/github_actions/version"
 require "dependabot/requirement"
 require "dependabot/utils"
-require "dependabot/github_actions/version"
 
 module Dependabot
   module GithubActions
     # Lifted from the bundler package manager
     class Requirement < Dependabot::Requirement
+      extend T:: Sig
+
       # For consistency with other languages, we define a requirements array.
       # Ruby doesn't have an `OR` separator for requirements, so it always
       # contains a single element.
@@ -21,9 +23,10 @@ module Dependabot
 
       # Patches Gem::Requirement to make it accept requirement strings like
       # "~> 4.2.5, >= 4.2.5.1" without first needing to split them.
+      sig { params(requirements: T.any(T.nilable(String), T::Array[T.nilable(String)])).void }
       def initialize(*requirements)
         requirements = requirements.flatten.flat_map do |req_string|
-          req_string.split(",").map(&:strip)
+          req_string&.split(",")&.map(&:strip)
         end
 
         super(requirements)

data/lib/dependabot/github_actions/update_checker.rb

@@ -2,12 +2,13 @@
 # frozen_string_literal: true
 
 require "sorbet-runtime"
+
+require "dependabot/errors"
+require "dependabot/github_actions/requirement"
+require "dependabot/github_actions/version"
 require "dependabot/update_checkers"
 require "dependabot/update_checkers/base"
 require "dependabot/update_checkers/version_filters"
-require "dependabot/errors"
-require "dependabot/github_actions/version"
-require "dependabot/github_actions/requirement"
 
 module Dependabot
   module GithubActions

data/lib/dependabot/github_actions/version.rb

@@ -1,23 +1,35 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
-require "dependabot/version"
+require "sorbet-runtime"
+
 require "dependabot/utils"
+require "dependabot/version"
 
 module Dependabot
   module GithubActions
     class Version < Dependabot::Version
+      extend T::Sig
+
+      sig { override.params(version: VersionParameter).void }
       def initialize(version)
         version = Version.remove_leading_v(version)
         super
       end
 
+      sig { override.params(version: VersionParameter).returns(Dependabot::GithubActions::Version) }
+      def self.new(version)
+        T.cast(super, Dependabot::GithubActions::Version)
+      end
+
+      sig { params(version: VersionParameter).returns(VersionParameter) }
       def self.remove_leading_v(version)
         return version unless version.to_s.match?(/\Av([0-9])/)
 
         version.to_s.delete_prefix("v")
       end
 
+      sig { override.params(version: VersionParameter).returns(T::Boolean) }
       def self.correct?(version)
         version = Version.remove_leading_v(version)
         super

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-github_actions
 version: !ruby/object:Gem::Version
-  version: 0.246.0
+  version: 0.248.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-03-01 00:00:00.000000000 Z
+date: 2024-03-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.246.0
+        version: 0.248.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.246.0
+        version: 0.248.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -136,6 +136,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 1.19.0
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.27.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.27.1
 - !ruby/object:Gem::Dependency
   name: rubocop-sorbet
   requirement: !ruby/object:Gem::Requirement
@@ -241,7 +255,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.246.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.248.0
 post_install_message: 
 rdoc_options: []
 require_paths: