dependabot-github_actions 0.264.0 → 0.265.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/dependabot/github_actions/update_checker.rb +99 -42
- metadata +5 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c6de0f2a6ed6e944094567831c689c06bcca886907d636f4a17a30af16b000da
|
|
4
|
+
data.tar.gz: 1f7106af8a783e4b20117cef5cb0a2b611fedf179edd06484abcbe333e0d85fe
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 25a4dc08950c93db88140ff9b4090a8e1ac39084130cdb11d73348c4aa4f5c15a06aabcd50d1f698c5b0540427bdf4db72148939d4640261ff78148d0fe77b18
|
|
7
|
+
data.tar.gz: 0bd3845f51e3292ff1710d0458bb72165019667fd8ca230e95f80c0139198e09a649d214710409c66a9a2afd12674fad96ea6f1835d013e189e83a3106f0fed4
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strict
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require "sorbet-runtime"
|
|
@@ -15,29 +15,41 @@ module Dependabot
|
|
|
15
15
|
class UpdateChecker < Dependabot::UpdateCheckers::Base
|
|
16
16
|
extend T::Sig
|
|
17
17
|
|
|
18
|
+
sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
|
|
18
19
|
def latest_version
|
|
19
|
-
@latest_version ||=
|
|
20
|
+
@latest_version ||= T.let(
|
|
21
|
+
fetch_latest_version,
|
|
22
|
+
T.nilable(T.any(String, Gem::Version))
|
|
23
|
+
)
|
|
20
24
|
end
|
|
21
25
|
|
|
26
|
+
sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
|
|
22
27
|
def latest_resolvable_version
|
|
23
28
|
# Resolvability isn't an issue for GitHub Actions.
|
|
24
29
|
latest_version
|
|
25
30
|
end
|
|
26
31
|
|
|
32
|
+
sig { override.returns(T.nilable(T.any(String, Dependabot::Version))) }
|
|
27
33
|
def latest_resolvable_version_with_no_unlock
|
|
28
34
|
# No concept of "unlocking" for GitHub Actions (since no lockfile)
|
|
29
35
|
dependency.version
|
|
30
36
|
end
|
|
31
37
|
|
|
38
|
+
sig { override.returns(T.nilable(Dependabot::Version)) }
|
|
32
39
|
def lowest_security_fix_version
|
|
33
|
-
@lowest_security_fix_version ||=
|
|
40
|
+
@lowest_security_fix_version ||= T.let(
|
|
41
|
+
fetch_lowest_security_fix_version,
|
|
42
|
+
T.nilable(Dependabot::Version)
|
|
43
|
+
)
|
|
34
44
|
end
|
|
35
45
|
|
|
46
|
+
sig { override.returns(T.nilable(Dependabot::Version)) }
|
|
36
47
|
def lowest_resolvable_security_fix_version
|
|
37
48
|
# Resolvability isn't an issue for GitHub Actions.
|
|
38
49
|
lowest_security_fix_version
|
|
39
50
|
end
|
|
40
51
|
|
|
52
|
+
sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
|
|
41
53
|
def updated_requirements
|
|
42
54
|
dependency.requirements.map do |req|
|
|
43
55
|
source = req[:source]
|
|
@@ -61,21 +73,25 @@ module Dependabot
|
|
|
61
73
|
|
|
62
74
|
private
|
|
63
75
|
|
|
76
|
+
sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
|
|
64
77
|
def active_advisories
|
|
65
78
|
security_advisories.select do |advisory|
|
|
66
79
|
advisory.vulnerable?(version_class.new(git_commit_checker.most_specific_tag_equivalent_to_pinned_ref))
|
|
67
80
|
end
|
|
68
81
|
end
|
|
69
82
|
|
|
83
|
+
sig { override.returns(T::Boolean) }
|
|
70
84
|
def latest_version_resolvable_with_full_unlock?
|
|
71
85
|
# Full unlock checks aren't relevant for GitHub Actions
|
|
72
86
|
false
|
|
73
87
|
end
|
|
74
88
|
|
|
89
|
+
sig { override.returns(T::Array[Dependabot::Dependency]) }
|
|
75
90
|
def updated_dependencies_after_full_unlock
|
|
76
91
|
raise NotImplementedError
|
|
77
92
|
end
|
|
78
93
|
|
|
94
|
+
sig { returns(T.nilable(T.any(Dependabot::Version, String))) }
|
|
79
95
|
def fetch_latest_version
|
|
80
96
|
# TODO: Support Docker sources
|
|
81
97
|
return unless git_dependency?
|
|
@@ -83,20 +99,21 @@ module Dependabot
|
|
|
83
99
|
fetch_latest_version_for_git_dependency
|
|
84
100
|
end
|
|
85
101
|
|
|
102
|
+
sig { returns(T.nilable(T.any(Dependabot::Version, String))) }
|
|
86
103
|
def fetch_latest_version_for_git_dependency
|
|
87
104
|
return current_commit unless git_commit_checker.pinned?
|
|
88
105
|
|
|
89
106
|
# If the dependency is pinned to a tag that looks like a version then
|
|
90
107
|
# we want to update that tag.
|
|
91
108
|
if git_commit_checker.pinned_ref_looks_like_version? && latest_version_tag
|
|
92
|
-
latest_version = latest_version_tag
|
|
109
|
+
latest_version = latest_version_tag&.fetch(:version)
|
|
93
110
|
return current_version if shortened_semver_eq?(dependency.version, latest_version.to_s)
|
|
94
111
|
|
|
95
112
|
return latest_version
|
|
96
113
|
end
|
|
97
114
|
|
|
98
115
|
if git_commit_checker.pinned_ref_looks_like_commit_sha? && latest_version_tag
|
|
99
|
-
latest_version = latest_version_tag
|
|
116
|
+
latest_version = latest_version_tag&.fetch(:version)
|
|
100
117
|
return latest_commit_for_pinned_ref unless git_commit_checker.local_tag_for_pinned_sha
|
|
101
118
|
|
|
102
119
|
return latest_version
|
|
@@ -107,6 +124,7 @@ module Dependabot
|
|
|
107
124
|
nil
|
|
108
125
|
end
|
|
109
126
|
|
|
127
|
+
sig { returns(T.nilable(Dependabot::Version)) }
|
|
110
128
|
def fetch_lowest_security_fix_version
|
|
111
129
|
# TODO: Support Docker sources
|
|
112
130
|
return unless git_dependency?
|
|
@@ -114,23 +132,34 @@ module Dependabot
|
|
|
114
132
|
fetch_lowest_security_fix_version_for_git_dependency
|
|
115
133
|
end
|
|
116
134
|
|
|
135
|
+
sig { returns(T.nilable(Dependabot::Version)) }
|
|
117
136
|
def fetch_lowest_security_fix_version_for_git_dependency
|
|
118
|
-
lowest_security_fix_version_tag
|
|
137
|
+
lowest_security_fix_version_tag&.fetch(:version)
|
|
119
138
|
end
|
|
120
139
|
|
|
140
|
+
sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
|
|
121
141
|
def lowest_security_fix_version_tag
|
|
122
|
-
@lowest_security_fix_version_tag ||=
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
lowest_fixed_version
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
142
|
+
@lowest_security_fix_version_tag ||= T.let(
|
|
143
|
+
begin
|
|
144
|
+
tags_matching_precision = git_commit_checker.local_tags_for_allowed_versions_matching_existing_precision
|
|
145
|
+
lowest_fixed_version = find_lowest_secure_version(tags_matching_precision)
|
|
146
|
+
if lowest_fixed_version
|
|
147
|
+
lowest_fixed_version
|
|
148
|
+
else
|
|
149
|
+
tags = git_commit_checker.local_tags_for_allowed_versions
|
|
150
|
+
find_lowest_secure_version(tags)
|
|
151
|
+
end
|
|
152
|
+
end,
|
|
153
|
+
T.nilable(T::Hash[Symbol, String])
|
|
154
|
+
)
|
|
132
155
|
end
|
|
133
156
|
|
|
157
|
+
sig do
|
|
158
|
+
params(
|
|
159
|
+
tags: T::Array[T::Hash[Symbol, T.untyped]]
|
|
160
|
+
)
|
|
161
|
+
.returns(T.nilable(T::Hash[Symbol, T.untyped]))
|
|
162
|
+
end
|
|
134
163
|
def find_lowest_secure_version(tags)
|
|
135
164
|
relevant_tags = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(tags, security_advisories)
|
|
136
165
|
relevant_tags = filter_lower_tags(relevant_tags)
|
|
@@ -138,40 +167,54 @@ module Dependabot
|
|
|
138
167
|
relevant_tags.min_by { |tag| tag.fetch(:version) }
|
|
139
168
|
end
|
|
140
169
|
|
|
170
|
+
sig { returns(T.nilable(String)) }
|
|
141
171
|
def latest_commit_for_pinned_ref
|
|
142
|
-
@latest_commit_for_pinned_ref ||=
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
head_commit_for_ref_sha
|
|
146
|
-
|
|
147
|
-
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
172
|
+
@latest_commit_for_pinned_ref ||= T.let(
|
|
173
|
+
begin
|
|
174
|
+
head_commit_for_ref_sha = git_commit_checker.head_commit_for_pinned_ref
|
|
175
|
+
if head_commit_for_ref_sha
|
|
176
|
+
head_commit_for_ref_sha
|
|
177
|
+
else
|
|
178
|
+
url = git_commit_checker.dependency_source_details&.fetch(:url)
|
|
179
|
+
source = T.must(Source.from_url(url))
|
|
180
|
+
|
|
181
|
+
SharedHelpers.in_a_temporary_directory(File.dirname(source.repo)) do |temp_dir|
|
|
182
|
+
repo_contents_path = File.join(temp_dir, File.basename(source.repo))
|
|
183
|
+
|
|
184
|
+
SharedHelpers.run_shell_command("git clone --no-recurse-submodules #{url} #{repo_contents_path}")
|
|
185
|
+
|
|
186
|
+
Dir.chdir(repo_contents_path) do
|
|
187
|
+
ref_branch = find_container_branch(git_commit_checker.dependency_source_details&.fetch(:ref))
|
|
188
|
+
git_commit_checker.head_commit_for_local_branch(ref_branch) if ref_branch
|
|
189
|
+
end
|
|
158
190
|
end
|
|
159
191
|
end
|
|
160
|
-
end
|
|
161
|
-
|
|
192
|
+
end,
|
|
193
|
+
T.nilable(String)
|
|
194
|
+
)
|
|
162
195
|
end
|
|
163
196
|
|
|
197
|
+
sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
|
|
164
198
|
def latest_version_tag
|
|
165
|
-
@latest_version_tag ||=
|
|
166
|
-
|
|
199
|
+
@latest_version_tag ||= T.let(
|
|
200
|
+
begin
|
|
201
|
+
return git_commit_checker.local_tag_for_latest_version if dependency.version.nil?
|
|
167
202
|
|
|
168
|
-
|
|
169
|
-
|
|
203
|
+
ref = git_commit_checker.local_ref_for_latest_version_matching_existing_precision
|
|
204
|
+
return ref if ref && ref.fetch(:version) > current_version
|
|
170
205
|
|
|
171
|
-
|
|
172
|
-
|
|
206
|
+
git_commit_checker.local_ref_for_latest_version_lower_precision
|
|
207
|
+
end,
|
|
208
|
+
T.nilable(T::Hash[Symbol, T.untyped])
|
|
209
|
+
)
|
|
173
210
|
end
|
|
174
211
|
|
|
212
|
+
sig do
|
|
213
|
+
params(
|
|
214
|
+
tags_array: T::Array[T::Hash[Symbol, T.untyped]]
|
|
215
|
+
)
|
|
216
|
+
.returns(T::Array[T::Hash[Symbol, T.untyped]])
|
|
217
|
+
end
|
|
175
218
|
def filter_lower_tags(tags_array)
|
|
176
219
|
return tags_array unless current_version
|
|
177
220
|
|
|
@@ -179,6 +222,7 @@ module Dependabot
|
|
|
179
222
|
.select { |tag| tag.fetch(:version) > current_version }
|
|
180
223
|
end
|
|
181
224
|
|
|
225
|
+
sig { params(source: T.nilable(T::Hash[Symbol, String])).returns(T.nilable(String)) }
|
|
182
226
|
def updated_ref(source)
|
|
183
227
|
# TODO: Support Docker sources
|
|
184
228
|
return unless git_dependency?
|
|
@@ -206,6 +250,7 @@ module Dependabot
|
|
|
206
250
|
nil
|
|
207
251
|
end
|
|
208
252
|
|
|
253
|
+
sig { returns(T.nilable(String)) }
|
|
209
254
|
def latest_commit_sha
|
|
210
255
|
new_tag = latest_version_tag
|
|
211
256
|
return unless new_tag
|
|
@@ -217,20 +262,30 @@ module Dependabot
|
|
|
217
262
|
end
|
|
218
263
|
end
|
|
219
264
|
|
|
265
|
+
sig { returns(T.nilable(String)) }
|
|
220
266
|
def current_commit
|
|
221
267
|
git_commit_checker.head_commit_for_current_branch
|
|
222
268
|
end
|
|
223
269
|
|
|
270
|
+
sig { returns(T::Boolean) }
|
|
224
271
|
def git_dependency?
|
|
225
272
|
git_commit_checker.git_dependency?
|
|
226
273
|
end
|
|
227
274
|
|
|
275
|
+
sig { returns(Dependabot::GitCommitChecker) }
|
|
228
276
|
def git_commit_checker
|
|
229
|
-
@git_commit_checker ||=
|
|
277
|
+
@git_commit_checker ||= T.let(
|
|
278
|
+
git_commit_checker_for(nil),
|
|
279
|
+
T.nilable(Dependabot::GitCommitChecker)
|
|
280
|
+
)
|
|
230
281
|
end
|
|
231
282
|
|
|
283
|
+
sig { params(source: T.nilable(T::Hash[Symbol, String])).returns(Dependabot::GitCommitChecker) }
|
|
232
284
|
def git_commit_checker_for(source)
|
|
233
|
-
@git_commit_checkers ||=
|
|
285
|
+
@git_commit_checkers ||= T.let(
|
|
286
|
+
{},
|
|
287
|
+
T.nilable(T::Hash[T.nilable(T::Hash[Symbol, String]), Dependabot::GitCommitChecker])
|
|
288
|
+
)
|
|
234
289
|
|
|
235
290
|
@git_commit_checkers[source] ||= Dependabot::GitCommitChecker.new(
|
|
236
291
|
dependency: dependency,
|
|
@@ -242,6 +297,7 @@ module Dependabot
|
|
|
242
297
|
)
|
|
243
298
|
end
|
|
244
299
|
|
|
300
|
+
sig { params(base: T.nilable(String), other: String).returns(T::Boolean) }
|
|
245
301
|
def shortened_semver_eq?(base, other)
|
|
246
302
|
return false unless base
|
|
247
303
|
|
|
@@ -252,6 +308,7 @@ module Dependabot
|
|
|
252
308
|
other_split[0..base_split.length - 1] == base_split
|
|
253
309
|
end
|
|
254
310
|
|
|
311
|
+
sig { params(sha: String).returns(T.nilable(String)) }
|
|
255
312
|
def find_container_branch(sha)
|
|
256
313
|
branches_including_ref = SharedHelpers.run_shell_command(
|
|
257
314
|
"git branch --remotes --contains #{sha}",
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-github_actions
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.265.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-07-
|
|
11
|
+
date: 2024-07-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.265.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.265.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: debug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -255,7 +255,7 @@ licenses:
|
|
|
255
255
|
- MIT
|
|
256
256
|
metadata:
|
|
257
257
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
258
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
258
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.265.0
|
|
259
259
|
post_install_message:
|
|
260
260
|
rdoc_options: []
|
|
261
261
|
require_paths:
|