dependabot-github_actions 0.264.0 → 0.266.0
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0a90e2dbbacd5205886d15e3d15500e6800873046d6dbe81fa706ce4d7221b6b
|
4
|
+
data.tar.gz: 611a3c952475926a6310b11eb3d2f44766df9bb796380d9711b1acf328340d16
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 7d95be8c4815b3c9654eac88835e17e2722c97e53e32cd82f7f9298154fac4cc7a42b3387be9b3f15cdb8ee93e94e2a61f2d059fa75ff86085fc19f13eca9681
|
7
|
+
data.tar.gz: 82a578d6a91db5c4aa3690d2f4355e34195732548d427a456591b17ca81b16f092ce00969a13a0dfb0d79b1a946c09cd9787fc5eea4b6d01c4e50deaf7c615fd
|
@@ -36,7 +36,7 @@ module Dependabot
|
|
36
36
|
end
|
37
37
|
def initialize(source:, credentials:, repo_contents_path: nil, options: {})
|
38
38
|
@workflow_files = T.let([], T::Array[DependencyFile])
|
39
|
-
super
|
39
|
+
super
|
40
40
|
end
|
41
41
|
|
42
42
|
sig { override.returns(T::Array[DependencyFile]) }
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# typed:
|
1
|
+
# typed: strict
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require "sorbet-runtime"
|
@@ -15,29 +15,41 @@ module Dependabot
|
|
15
15
|
class UpdateChecker < Dependabot::UpdateCheckers::Base
|
16
16
|
extend T::Sig
|
17
17
|
|
18
|
+
sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
|
18
19
|
def latest_version
|
19
|
-
@latest_version ||=
|
20
|
+
@latest_version ||= T.let(
|
21
|
+
fetch_latest_version,
|
22
|
+
T.nilable(T.any(String, Gem::Version))
|
23
|
+
)
|
20
24
|
end
|
21
25
|
|
26
|
+
sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
|
22
27
|
def latest_resolvable_version
|
23
28
|
# Resolvability isn't an issue for GitHub Actions.
|
24
29
|
latest_version
|
25
30
|
end
|
26
31
|
|
32
|
+
sig { override.returns(T.nilable(T.any(String, Dependabot::Version))) }
|
27
33
|
def latest_resolvable_version_with_no_unlock
|
28
34
|
# No concept of "unlocking" for GitHub Actions (since no lockfile)
|
29
35
|
dependency.version
|
30
36
|
end
|
31
37
|
|
38
|
+
sig { override.returns(T.nilable(Dependabot::Version)) }
|
32
39
|
def lowest_security_fix_version
|
33
|
-
@lowest_security_fix_version ||=
|
40
|
+
@lowest_security_fix_version ||= T.let(
|
41
|
+
fetch_lowest_security_fix_version,
|
42
|
+
T.nilable(Dependabot::Version)
|
43
|
+
)
|
34
44
|
end
|
35
45
|
|
46
|
+
sig { override.returns(T.nilable(Dependabot::Version)) }
|
36
47
|
def lowest_resolvable_security_fix_version
|
37
48
|
# Resolvability isn't an issue for GitHub Actions.
|
38
49
|
lowest_security_fix_version
|
39
50
|
end
|
40
51
|
|
52
|
+
sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
|
41
53
|
def updated_requirements
|
42
54
|
dependency.requirements.map do |req|
|
43
55
|
source = req[:source]
|
@@ -61,21 +73,25 @@ module Dependabot
|
|
61
73
|
|
62
74
|
private
|
63
75
|
|
76
|
+
sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
|
64
77
|
def active_advisories
|
65
78
|
security_advisories.select do |advisory|
|
66
79
|
advisory.vulnerable?(version_class.new(git_commit_checker.most_specific_tag_equivalent_to_pinned_ref))
|
67
80
|
end
|
68
81
|
end
|
69
82
|
|
83
|
+
sig { override.returns(T::Boolean) }
|
70
84
|
def latest_version_resolvable_with_full_unlock?
|
71
85
|
# Full unlock checks aren't relevant for GitHub Actions
|
72
86
|
false
|
73
87
|
end
|
74
88
|
|
89
|
+
sig { override.returns(T::Array[Dependabot::Dependency]) }
|
75
90
|
def updated_dependencies_after_full_unlock
|
76
91
|
raise NotImplementedError
|
77
92
|
end
|
78
93
|
|
94
|
+
sig { returns(T.nilable(T.any(Dependabot::Version, String))) }
|
79
95
|
def fetch_latest_version
|
80
96
|
# TODO: Support Docker sources
|
81
97
|
return unless git_dependency?
|
@@ -83,20 +99,21 @@ module Dependabot
|
|
83
99
|
fetch_latest_version_for_git_dependency
|
84
100
|
end
|
85
101
|
|
102
|
+
sig { returns(T.nilable(T.any(Dependabot::Version, String))) }
|
86
103
|
def fetch_latest_version_for_git_dependency
|
87
104
|
return current_commit unless git_commit_checker.pinned?
|
88
105
|
|
89
106
|
# If the dependency is pinned to a tag that looks like a version then
|
90
107
|
# we want to update that tag.
|
91
108
|
if git_commit_checker.pinned_ref_looks_like_version? && latest_version_tag
|
92
|
-
latest_version = latest_version_tag
|
109
|
+
latest_version = latest_version_tag&.fetch(:version)
|
93
110
|
return current_version if shortened_semver_eq?(dependency.version, latest_version.to_s)
|
94
111
|
|
95
112
|
return latest_version
|
96
113
|
end
|
97
114
|
|
98
115
|
if git_commit_checker.pinned_ref_looks_like_commit_sha? && latest_version_tag
|
99
|
-
latest_version = latest_version_tag
|
116
|
+
latest_version = latest_version_tag&.fetch(:version)
|
100
117
|
return latest_commit_for_pinned_ref unless git_commit_checker.local_tag_for_pinned_sha
|
101
118
|
|
102
119
|
return latest_version
|
@@ -107,6 +124,7 @@ module Dependabot
|
|
107
124
|
nil
|
108
125
|
end
|
109
126
|
|
127
|
+
sig { returns(T.nilable(Dependabot::Version)) }
|
110
128
|
def fetch_lowest_security_fix_version
|
111
129
|
# TODO: Support Docker sources
|
112
130
|
return unless git_dependency?
|
@@ -114,23 +132,34 @@ module Dependabot
|
|
114
132
|
fetch_lowest_security_fix_version_for_git_dependency
|
115
133
|
end
|
116
134
|
|
135
|
+
sig { returns(T.nilable(Dependabot::Version)) }
|
117
136
|
def fetch_lowest_security_fix_version_for_git_dependency
|
118
|
-
lowest_security_fix_version_tag
|
137
|
+
lowest_security_fix_version_tag&.fetch(:version)
|
119
138
|
end
|
120
139
|
|
140
|
+
sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
|
121
141
|
def lowest_security_fix_version_tag
|
122
|
-
@lowest_security_fix_version_tag ||=
|
123
|
-
|
124
|
-
|
125
|
-
|
126
|
-
lowest_fixed_version
|
127
|
-
|
128
|
-
|
129
|
-
|
130
|
-
|
131
|
-
|
142
|
+
@lowest_security_fix_version_tag ||= T.let(
|
143
|
+
begin
|
144
|
+
tags_matching_precision = git_commit_checker.local_tags_for_allowed_versions_matching_existing_precision
|
145
|
+
lowest_fixed_version = find_lowest_secure_version(tags_matching_precision)
|
146
|
+
if lowest_fixed_version
|
147
|
+
lowest_fixed_version
|
148
|
+
else
|
149
|
+
tags = git_commit_checker.local_tags_for_allowed_versions
|
150
|
+
find_lowest_secure_version(tags)
|
151
|
+
end
|
152
|
+
end,
|
153
|
+
T.nilable(T::Hash[Symbol, String])
|
154
|
+
)
|
132
155
|
end
|
133
156
|
|
157
|
+
sig do
|
158
|
+
params(
|
159
|
+
tags: T::Array[T::Hash[Symbol, T.untyped]]
|
160
|
+
)
|
161
|
+
.returns(T.nilable(T::Hash[Symbol, T.untyped]))
|
162
|
+
end
|
134
163
|
def find_lowest_secure_version(tags)
|
135
164
|
relevant_tags = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(tags, security_advisories)
|
136
165
|
relevant_tags = filter_lower_tags(relevant_tags)
|
@@ -138,40 +167,54 @@ module Dependabot
|
|
138
167
|
relevant_tags.min_by { |tag| tag.fetch(:version) }
|
139
168
|
end
|
140
169
|
|
170
|
+
sig { returns(T.nilable(String)) }
|
141
171
|
def latest_commit_for_pinned_ref
|
142
|
-
@latest_commit_for_pinned_ref ||=
|
143
|
-
|
144
|
-
|
145
|
-
head_commit_for_ref_sha
|
146
|
-
|
147
|
-
|
148
|
-
|
149
|
-
|
150
|
-
|
151
|
-
|
152
|
-
|
153
|
-
|
154
|
-
|
155
|
-
|
156
|
-
|
157
|
-
|
172
|
+
@latest_commit_for_pinned_ref ||= T.let(
|
173
|
+
begin
|
174
|
+
head_commit_for_ref_sha = git_commit_checker.head_commit_for_pinned_ref
|
175
|
+
if head_commit_for_ref_sha
|
176
|
+
head_commit_for_ref_sha
|
177
|
+
else
|
178
|
+
url = git_commit_checker.dependency_source_details&.fetch(:url)
|
179
|
+
source = T.must(Source.from_url(url))
|
180
|
+
|
181
|
+
SharedHelpers.in_a_temporary_directory(File.dirname(source.repo)) do |temp_dir|
|
182
|
+
repo_contents_path = File.join(temp_dir, File.basename(source.repo))
|
183
|
+
|
184
|
+
SharedHelpers.run_shell_command("git clone --no-recurse-submodules #{url} #{repo_contents_path}")
|
185
|
+
|
186
|
+
Dir.chdir(repo_contents_path) do
|
187
|
+
ref_branch = find_container_branch(git_commit_checker.dependency_source_details&.fetch(:ref))
|
188
|
+
git_commit_checker.head_commit_for_local_branch(ref_branch) if ref_branch
|
189
|
+
end
|
158
190
|
end
|
159
191
|
end
|
160
|
-
end
|
161
|
-
|
192
|
+
end,
|
193
|
+
T.nilable(String)
|
194
|
+
)
|
162
195
|
end
|
163
196
|
|
197
|
+
sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
|
164
198
|
def latest_version_tag
|
165
|
-
@latest_version_tag ||=
|
166
|
-
|
199
|
+
@latest_version_tag ||= T.let(
|
200
|
+
begin
|
201
|
+
return git_commit_checker.local_tag_for_latest_version if dependency.version.nil?
|
167
202
|
|
168
|
-
|
169
|
-
|
203
|
+
ref = git_commit_checker.local_ref_for_latest_version_matching_existing_precision
|
204
|
+
return ref if ref && ref.fetch(:version) > current_version
|
170
205
|
|
171
|
-
|
172
|
-
|
206
|
+
git_commit_checker.local_ref_for_latest_version_lower_precision
|
207
|
+
end,
|
208
|
+
T.nilable(T::Hash[Symbol, T.untyped])
|
209
|
+
)
|
173
210
|
end
|
174
211
|
|
212
|
+
sig do
|
213
|
+
params(
|
214
|
+
tags_array: T::Array[T::Hash[Symbol, T.untyped]]
|
215
|
+
)
|
216
|
+
.returns(T::Array[T::Hash[Symbol, T.untyped]])
|
217
|
+
end
|
175
218
|
def filter_lower_tags(tags_array)
|
176
219
|
return tags_array unless current_version
|
177
220
|
|
@@ -179,6 +222,7 @@ module Dependabot
|
|
179
222
|
.select { |tag| tag.fetch(:version) > current_version }
|
180
223
|
end
|
181
224
|
|
225
|
+
sig { params(source: T.nilable(T::Hash[Symbol, String])).returns(T.nilable(String)) }
|
182
226
|
def updated_ref(source)
|
183
227
|
# TODO: Support Docker sources
|
184
228
|
return unless git_dependency?
|
@@ -206,6 +250,7 @@ module Dependabot
|
|
206
250
|
nil
|
207
251
|
end
|
208
252
|
|
253
|
+
sig { returns(T.nilable(String)) }
|
209
254
|
def latest_commit_sha
|
210
255
|
new_tag = latest_version_tag
|
211
256
|
return unless new_tag
|
@@ -217,20 +262,30 @@ module Dependabot
|
|
217
262
|
end
|
218
263
|
end
|
219
264
|
|
265
|
+
sig { returns(T.nilable(String)) }
|
220
266
|
def current_commit
|
221
267
|
git_commit_checker.head_commit_for_current_branch
|
222
268
|
end
|
223
269
|
|
270
|
+
sig { returns(T::Boolean) }
|
224
271
|
def git_dependency?
|
225
272
|
git_commit_checker.git_dependency?
|
226
273
|
end
|
227
274
|
|
275
|
+
sig { returns(Dependabot::GitCommitChecker) }
|
228
276
|
def git_commit_checker
|
229
|
-
@git_commit_checker ||=
|
277
|
+
@git_commit_checker ||= T.let(
|
278
|
+
git_commit_checker_for(nil),
|
279
|
+
T.nilable(Dependabot::GitCommitChecker)
|
280
|
+
)
|
230
281
|
end
|
231
282
|
|
283
|
+
sig { params(source: T.nilable(T::Hash[Symbol, String])).returns(Dependabot::GitCommitChecker) }
|
232
284
|
def git_commit_checker_for(source)
|
233
|
-
@git_commit_checkers ||=
|
285
|
+
@git_commit_checkers ||= T.let(
|
286
|
+
{},
|
287
|
+
T.nilable(T::Hash[T.nilable(T::Hash[Symbol, String]), Dependabot::GitCommitChecker])
|
288
|
+
)
|
234
289
|
|
235
290
|
@git_commit_checkers[source] ||= Dependabot::GitCommitChecker.new(
|
236
291
|
dependency: dependency,
|
@@ -242,6 +297,7 @@ module Dependabot
|
|
242
297
|
)
|
243
298
|
end
|
244
299
|
|
300
|
+
sig { params(base: T.nilable(String), other: String).returns(T::Boolean) }
|
245
301
|
def shortened_semver_eq?(base, other)
|
246
302
|
return false unless base
|
247
303
|
|
@@ -252,6 +308,7 @@ module Dependabot
|
|
252
308
|
other_split[0..base_split.length - 1] == base_split
|
253
309
|
end
|
254
310
|
|
311
|
+
sig { params(sha: String).returns(T.nilable(String)) }
|
255
312
|
def find_container_branch(sha)
|
256
313
|
branches_including_ref = SharedHelpers.run_shell_command(
|
257
314
|
"git branch --remotes --contains #{sha}",
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-github_actions
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.266.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-07-
|
11
|
+
date: 2024-07-18 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dependabot-common
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.
|
19
|
+
version: 0.266.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.
|
26
|
+
version: 0.266.0
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: debug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -114,14 +114,14 @@ dependencies:
|
|
114
114
|
requirements:
|
115
115
|
- - "~>"
|
116
116
|
- !ruby/object:Gem::Version
|
117
|
-
version: 1.
|
117
|
+
version: 1.65.0
|
118
118
|
type: :development
|
119
119
|
prerelease: false
|
120
120
|
version_requirements: !ruby/object:Gem::Requirement
|
121
121
|
requirements:
|
122
122
|
- - "~>"
|
123
123
|
- !ruby/object:Gem::Version
|
124
|
-
version: 1.
|
124
|
+
version: 1.65.0
|
125
125
|
- !ruby/object:Gem::Dependency
|
126
126
|
name: rubocop-performance
|
127
127
|
requirement: !ruby/object:Gem::Requirement
|
@@ -255,7 +255,7 @@ licenses:
|
|
255
255
|
- MIT
|
256
256
|
metadata:
|
257
257
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
258
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
258
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.266.0
|
259
259
|
post_install_message:
|
260
260
|
rdoc_options: []
|
261
261
|
require_paths:
|