RubyGems - dependabot-github_actions - Versions diffs - 0.263.0 → 0.265.0 - Mend

dependabot-github_actions 0.263.0 → 0.265.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

checksums.yaml +4 -4
data/lib/dependabot/github_actions/update_checker.rb +99 -42
metadata +5 -5

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 77c987cd33e2af55a21dca384154149521aa7dcecfcee60a0e32ee4588e4c62a
-  data.tar.gz: 0a225c19da84825d8e9b7f10938297f6ecb6ab939e730607b0381d7657b41000
+  metadata.gz: c6de0f2a6ed6e944094567831c689c06bcca886907d636f4a17a30af16b000da
+  data.tar.gz: 1f7106af8a783e4b20117cef5cb0a2b611fedf179edd06484abcbe333e0d85fe
 SHA512:
-  metadata.gz: 48be3e7d944101c48d18040af2cc45785af35b1ec4425bea23560ad2936cf660520c303fa7dee8cf41bb2000bb76a5825085043cdf6e77e556e5a2de59439cc1
-  data.tar.gz: 6ab68b6113756f81f883318e702d020cda30b261b997091240aa38f51b418263a6065626d23600459b8737fdb70e69a3cc68477d879dac4229ebcfc1c9b60e61
+  metadata.gz: 25a4dc08950c93db88140ff9b4090a8e1ac39084130cdb11d73348c4aa4f5c15a06aabcd50d1f698c5b0540427bdf4db72148939d4640261ff78148d0fe77b18
+  data.tar.gz: 0bd3845f51e3292ff1710d0458bb72165019667fd8ca230e95f80c0139198e09a649d214710409c66a9a2afd12674fad96ea6f1835d013e189e83a3106f0fed4

data/lib/dependabot/github_actions/update_checker.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 require "sorbet-runtime"
@@ -15,29 +15,41 @@ module Dependabot
     class UpdateChecker < Dependabot::UpdateCheckers::Base
       extend T::Sig
+      sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
       def latest_version
-        @latest_version ||= fetch_latest_version
+        @latest_version ||= T.let(
+          fetch_latest_version,
+          T.nilable(T.any(String, Gem::Version))
+        )
       end
+      sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
       def latest_resolvable_version
         # Resolvability isn't an issue for GitHub Actions.
         latest_version
       end
+      sig { override.returns(T.nilable(T.any(String, Dependabot::Version))) }
       def latest_resolvable_version_with_no_unlock
         # No concept of "unlocking" for GitHub Actions (since no lockfile)
         dependency.version
       end
+      sig { override.returns(T.nilable(Dependabot::Version)) }
       def lowest_security_fix_version
-        @lowest_security_fix_version ||= fetch_lowest_security_fix_version
+        @lowest_security_fix_version ||= T.let(
+          fetch_lowest_security_fix_version,
+          T.nilable(Dependabot::Version)
+        )
       end
+      sig { override.returns(T.nilable(Dependabot::Version)) }
       def lowest_resolvable_security_fix_version
         # Resolvability isn't an issue for GitHub Actions.
         lowest_security_fix_version
       end
+      sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
       def updated_requirements
         dependency.requirements.map do |req|
           source = req[:source]
@@ -61,21 +73,25 @@ module Dependabot
       private
+      sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
       def active_advisories
         security_advisories.select do |advisory|
           advisory.vulnerable?(version_class.new(git_commit_checker.most_specific_tag_equivalent_to_pinned_ref))
         end
       end
+      sig { override.returns(T::Boolean) }
       def latest_version_resolvable_with_full_unlock?
         # Full unlock checks aren't relevant for GitHub Actions
         false
       end
+      sig { override.returns(T::Array[Dependabot::Dependency]) }
       def updated_dependencies_after_full_unlock
         raise NotImplementedError
       end
+      sig { returns(T.nilable(T.any(Dependabot::Version, String))) }
       def fetch_latest_version
         # TODO: Support Docker sources
         return unless git_dependency?
@@ -83,20 +99,21 @@ module Dependabot
         fetch_latest_version_for_git_dependency
       end
+      sig { returns(T.nilable(T.any(Dependabot::Version, String))) }
       def fetch_latest_version_for_git_dependency
         return current_commit unless git_commit_checker.pinned?
         # If the dependency is pinned to a tag that looks like a version then
         # we want to update that tag.
         if git_commit_checker.pinned_ref_looks_like_version? && latest_version_tag
-          latest_version = latest_version_tag.fetch(:version)
+          latest_version = latest_version_tag&.fetch(:version)
           return current_version if shortened_semver_eq?(dependency.version, latest_version.to_s)
           return latest_version
         end
         if git_commit_checker.pinned_ref_looks_like_commit_sha? && latest_version_tag
-          latest_version = latest_version_tag.fetch(:version)
+          latest_version = latest_version_tag&.fetch(:version)
           return latest_commit_for_pinned_ref unless git_commit_checker.local_tag_for_pinned_sha
           return latest_version
@@ -107,6 +124,7 @@ module Dependabot
         nil
       end
+      sig { returns(T.nilable(Dependabot::Version)) }
       def fetch_lowest_security_fix_version
         # TODO: Support Docker sources
         return unless git_dependency?
@@ -114,23 +132,34 @@ module Dependabot
         fetch_lowest_security_fix_version_for_git_dependency
       end
+      sig { returns(T.nilable(Dependabot::Version)) }
       def fetch_lowest_security_fix_version_for_git_dependency
-        lowest_security_fix_version_tag.fetch(:version)
+        lowest_security_fix_version_tag&.fetch(:version)
       end
+      sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
       def lowest_security_fix_version_tag
-        @lowest_security_fix_version_tag ||= begin
-          tags_matching_precision = git_commit_checker.local_tags_for_allowed_versions_matching_existing_precision
-          lowest_fixed_version = find_lowest_secure_version(tags_matching_precision)
-          if lowest_fixed_version
-            lowest_fixed_version
-          else
-            tags = git_commit_checker.local_tags_for_allowed_versions
-            find_lowest_secure_version(tags)
-          end
-        end
+        @lowest_security_fix_version_tag ||= T.let(
+          begin
+            tags_matching_precision = git_commit_checker.local_tags_for_allowed_versions_matching_existing_precision
+            lowest_fixed_version = find_lowest_secure_version(tags_matching_precision)
+            if lowest_fixed_version
+              lowest_fixed_version
+            else
+              tags = git_commit_checker.local_tags_for_allowed_versions
+              find_lowest_secure_version(tags)
+            end
+          end,
+          T.nilable(T::Hash[Symbol, String])
+        )
       end
+      sig do
+        params(
+          tags: T::Array[T::Hash[Symbol, T.untyped]]
+        )
+          .returns(T.nilable(T::Hash[Symbol, T.untyped]))
+      end
       def find_lowest_secure_version(tags)
         relevant_tags = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(tags, security_advisories)
         relevant_tags = filter_lower_tags(relevant_tags)
@@ -138,40 +167,54 @@ module Dependabot
         relevant_tags.min_by { |tag| tag.fetch(:version) }
       end
+      sig { returns(T.nilable(String)) }
       def latest_commit_for_pinned_ref
-        @latest_commit_for_pinned_ref ||= begin
-          head_commit_for_ref_sha = git_commit_checker.head_commit_for_pinned_ref
-          if head_commit_for_ref_sha
-            head_commit_for_ref_sha
-          else
-            url = git_commit_checker.dependency_source_details[:url]
-            source = T.must(Source.from_url(url))
-            SharedHelpers.in_a_temporary_directory(File.dirname(source.repo)) do |temp_dir|
-              repo_contents_path = File.join(temp_dir, File.basename(source.repo))
-              SharedHelpers.run_shell_command("git clone --no-recurse-submodules #{url} #{repo_contents_path}")
-              Dir.chdir(repo_contents_path) do
-                ref_branch = find_container_branch(git_commit_checker.dependency_source_details[:ref])
-                git_commit_checker.head_commit_for_local_branch(ref_branch) if ref_branch
+        @latest_commit_for_pinned_ref ||= T.let(
+          begin
+            head_commit_for_ref_sha = git_commit_checker.head_commit_for_pinned_ref
+            if head_commit_for_ref_sha
+              head_commit_for_ref_sha
+            else
+              url = git_commit_checker.dependency_source_details&.fetch(:url)
+              source = T.must(Source.from_url(url))
+              SharedHelpers.in_a_temporary_directory(File.dirname(source.repo)) do |temp_dir|
+                repo_contents_path = File.join(temp_dir, File.basename(source.repo))
+                SharedHelpers.run_shell_command("git clone --no-recurse-submodules #{url} #{repo_contents_path}")
+                Dir.chdir(repo_contents_path) do
+                  ref_branch = find_container_branch(git_commit_checker.dependency_source_details&.fetch(:ref))
+                  git_commit_checker.head_commit_for_local_branch(ref_branch) if ref_branch
+                end
               end
             end
-          end
-        end
+          end,
+          T.nilable(String)
+        )
       end
+      sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
       def latest_version_tag
-        @latest_version_tag ||= begin
-          return git_commit_checker.local_tag_for_latest_version if dependency.version.nil?
+        @latest_version_tag ||= T.let(
+          begin
+            return git_commit_checker.local_tag_for_latest_version if dependency.version.nil?
-          ref = git_commit_checker.local_ref_for_latest_version_matching_existing_precision
-          return ref if ref && ref.fetch(:version) > current_version
+            ref = git_commit_checker.local_ref_for_latest_version_matching_existing_precision
+            return ref if ref && ref.fetch(:version) > current_version
-          git_commit_checker.local_ref_for_latest_version_lower_precision
-        end
+            git_commit_checker.local_ref_for_latest_version_lower_precision
+          end,
+          T.nilable(T::Hash[Symbol, T.untyped])
+        )
       end
+      sig do
+        params(
+          tags_array: T::Array[T::Hash[Symbol, T.untyped]]
+        )
+          .returns(T::Array[T::Hash[Symbol, T.untyped]])
+      end
       def filter_lower_tags(tags_array)
         return tags_array unless current_version
@@ -179,6 +222,7 @@ module Dependabot
           .select { |tag| tag.fetch(:version) > current_version }
       end
+      sig { params(source: T.nilable(T::Hash[Symbol, String])).returns(T.nilable(String)) }
       def updated_ref(source)
         # TODO: Support Docker sources
         return unless git_dependency?
@@ -206,6 +250,7 @@ module Dependabot
         nil
       end
+      sig { returns(T.nilable(String)) }
       def latest_commit_sha
         new_tag = latest_version_tag
         return unless new_tag
@@ -217,20 +262,30 @@ module Dependabot
         end
       end
+      sig { returns(T.nilable(String)) }
       def current_commit
         git_commit_checker.head_commit_for_current_branch
       end
+      sig { returns(T::Boolean) }
       def git_dependency?
         git_commit_checker.git_dependency?
       end
+      sig { returns(Dependabot::GitCommitChecker) }
       def git_commit_checker
-        @git_commit_checker ||= git_commit_checker_for(nil)
+        @git_commit_checker ||= T.let(
+          git_commit_checker_for(nil),
+          T.nilable(Dependabot::GitCommitChecker)
+        )
       end
+      sig { params(source: T.nilable(T::Hash[Symbol, String])).returns(Dependabot::GitCommitChecker) }
       def git_commit_checker_for(source)
-        @git_commit_checkers ||= {}
+        @git_commit_checkers ||= T.let(
+          {},
+          T.nilable(T::Hash[T.nilable(T::Hash[Symbol, String]), Dependabot::GitCommitChecker])
+        )
         @git_commit_checkers[source] ||= Dependabot::GitCommitChecker.new(
           dependency: dependency,
@@ -242,6 +297,7 @@ module Dependabot
         )
       end
+      sig { params(base: T.nilable(String), other: String).returns(T::Boolean) }
       def shortened_semver_eq?(base, other)
         return false unless base
@@ -252,6 +308,7 @@ module Dependabot
         other_split[0..base_split.length - 1] == base_split
       end
+      sig { params(sha: String).returns(T.nilable(String)) }
       def find_container_branch(sha)
         branches_including_ref = SharedHelpers.run_shell_command(
           "git branch --remotes --contains #{sha}",

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-github_actions
 version: !ruby/object:Gem::Version
-  version: 0.263.0
+  version: 0.265.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-27 00:00:00.000000000 Z
+date: 2024-07-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.263.0
+        version: 0.265.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.263.0
+        version: 0.265.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -255,7 +255,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.263.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.265.0
 post_install_message:
 rdoc_options: []
 require_paths: