dependabot-github_actions 0.264.0 → 0.266.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: d249bc3a1cdb17071267d9955afcb5ead3098960ab832d00bc777f2b20f1e865
4
- data.tar.gz: e5e0b1da46bee2936bd0bb912e8948e8196f22e9bbbf64225b7c90fbab6f5a50
3
+ metadata.gz: 0a90e2dbbacd5205886d15e3d15500e6800873046d6dbe81fa706ce4d7221b6b
4
+ data.tar.gz: 611a3c952475926a6310b11eb3d2f44766df9bb796380d9711b1acf328340d16
5
5
  SHA512:
6
- metadata.gz: 215afef1a922c94b069f3eba02c2475061313c018495308be317437dd5741df4cbfc68a4cf886cb3e69512226e77b0a2d29c4f0abdb44a9fbb78f19d93ffa344
7
- data.tar.gz: d059a0aae57aad5668f99d15a27291babab73708eb92d0a75e700c26e98735fc3f416a2c70658dddbcb592bcfa1a3ed17333df33738b4e517c6be2bfe6855b99
6
+ metadata.gz: 7d95be8c4815b3c9654eac88835e17e2722c97e53e32cd82f7f9298154fac4cc7a42b3387be9b3f15cdb8ee93e94e2a61f2d059fa75ff86085fc19f13eca9681
7
+ data.tar.gz: 82a578d6a91db5c4aa3690d2f4355e34195732548d427a456591b17ca81b16f092ce00969a13a0dfb0d79b1a946c09cd9787fc5eea4b6d01c4e50deaf7c615fd
@@ -36,7 +36,7 @@ module Dependabot
36
36
  end
37
37
  def initialize(source:, credentials:, repo_contents_path: nil, options: {})
38
38
  @workflow_files = T.let([], T::Array[DependencyFile])
39
- super(source: source, credentials: credentials, repo_contents_path: repo_contents_path, options: options)
39
+ super
40
40
  end
41
41
 
42
42
  sig { override.returns(T::Array[DependencyFile]) }
@@ -1,4 +1,4 @@
1
- # typed: true
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "sorbet-runtime"
@@ -15,29 +15,41 @@ module Dependabot
15
15
  class UpdateChecker < Dependabot::UpdateCheckers::Base
16
16
  extend T::Sig
17
17
 
18
+ sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
18
19
  def latest_version
19
- @latest_version ||= fetch_latest_version
20
+ @latest_version ||= T.let(
21
+ fetch_latest_version,
22
+ T.nilable(T.any(String, Gem::Version))
23
+ )
20
24
  end
21
25
 
26
+ sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
22
27
  def latest_resolvable_version
23
28
  # Resolvability isn't an issue for GitHub Actions.
24
29
  latest_version
25
30
  end
26
31
 
32
+ sig { override.returns(T.nilable(T.any(String, Dependabot::Version))) }
27
33
  def latest_resolvable_version_with_no_unlock
28
34
  # No concept of "unlocking" for GitHub Actions (since no lockfile)
29
35
  dependency.version
30
36
  end
31
37
 
38
+ sig { override.returns(T.nilable(Dependabot::Version)) }
32
39
  def lowest_security_fix_version
33
- @lowest_security_fix_version ||= fetch_lowest_security_fix_version
40
+ @lowest_security_fix_version ||= T.let(
41
+ fetch_lowest_security_fix_version,
42
+ T.nilable(Dependabot::Version)
43
+ )
34
44
  end
35
45
 
46
+ sig { override.returns(T.nilable(Dependabot::Version)) }
36
47
  def lowest_resolvable_security_fix_version
37
48
  # Resolvability isn't an issue for GitHub Actions.
38
49
  lowest_security_fix_version
39
50
  end
40
51
 
52
+ sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
41
53
  def updated_requirements
42
54
  dependency.requirements.map do |req|
43
55
  source = req[:source]
@@ -61,21 +73,25 @@ module Dependabot
61
73
 
62
74
  private
63
75
 
76
+ sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
64
77
  def active_advisories
65
78
  security_advisories.select do |advisory|
66
79
  advisory.vulnerable?(version_class.new(git_commit_checker.most_specific_tag_equivalent_to_pinned_ref))
67
80
  end
68
81
  end
69
82
 
83
+ sig { override.returns(T::Boolean) }
70
84
  def latest_version_resolvable_with_full_unlock?
71
85
  # Full unlock checks aren't relevant for GitHub Actions
72
86
  false
73
87
  end
74
88
 
89
+ sig { override.returns(T::Array[Dependabot::Dependency]) }
75
90
  def updated_dependencies_after_full_unlock
76
91
  raise NotImplementedError
77
92
  end
78
93
 
94
+ sig { returns(T.nilable(T.any(Dependabot::Version, String))) }
79
95
  def fetch_latest_version
80
96
  # TODO: Support Docker sources
81
97
  return unless git_dependency?
@@ -83,20 +99,21 @@ module Dependabot
83
99
  fetch_latest_version_for_git_dependency
84
100
  end
85
101
 
102
+ sig { returns(T.nilable(T.any(Dependabot::Version, String))) }
86
103
  def fetch_latest_version_for_git_dependency
87
104
  return current_commit unless git_commit_checker.pinned?
88
105
 
89
106
  # If the dependency is pinned to a tag that looks like a version then
90
107
  # we want to update that tag.
91
108
  if git_commit_checker.pinned_ref_looks_like_version? && latest_version_tag
92
- latest_version = latest_version_tag.fetch(:version)
109
+ latest_version = latest_version_tag&.fetch(:version)
93
110
  return current_version if shortened_semver_eq?(dependency.version, latest_version.to_s)
94
111
 
95
112
  return latest_version
96
113
  end
97
114
 
98
115
  if git_commit_checker.pinned_ref_looks_like_commit_sha? && latest_version_tag
99
- latest_version = latest_version_tag.fetch(:version)
116
+ latest_version = latest_version_tag&.fetch(:version)
100
117
  return latest_commit_for_pinned_ref unless git_commit_checker.local_tag_for_pinned_sha
101
118
 
102
119
  return latest_version
@@ -107,6 +124,7 @@ module Dependabot
107
124
  nil
108
125
  end
109
126
 
127
+ sig { returns(T.nilable(Dependabot::Version)) }
110
128
  def fetch_lowest_security_fix_version
111
129
  # TODO: Support Docker sources
112
130
  return unless git_dependency?
@@ -114,23 +132,34 @@ module Dependabot
114
132
  fetch_lowest_security_fix_version_for_git_dependency
115
133
  end
116
134
 
135
+ sig { returns(T.nilable(Dependabot::Version)) }
117
136
  def fetch_lowest_security_fix_version_for_git_dependency
118
- lowest_security_fix_version_tag.fetch(:version)
137
+ lowest_security_fix_version_tag&.fetch(:version)
119
138
  end
120
139
 
140
+ sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
121
141
  def lowest_security_fix_version_tag
122
- @lowest_security_fix_version_tag ||= begin
123
- tags_matching_precision = git_commit_checker.local_tags_for_allowed_versions_matching_existing_precision
124
- lowest_fixed_version = find_lowest_secure_version(tags_matching_precision)
125
- if lowest_fixed_version
126
- lowest_fixed_version
127
- else
128
- tags = git_commit_checker.local_tags_for_allowed_versions
129
- find_lowest_secure_version(tags)
130
- end
131
- end
142
+ @lowest_security_fix_version_tag ||= T.let(
143
+ begin
144
+ tags_matching_precision = git_commit_checker.local_tags_for_allowed_versions_matching_existing_precision
145
+ lowest_fixed_version = find_lowest_secure_version(tags_matching_precision)
146
+ if lowest_fixed_version
147
+ lowest_fixed_version
148
+ else
149
+ tags = git_commit_checker.local_tags_for_allowed_versions
150
+ find_lowest_secure_version(tags)
151
+ end
152
+ end,
153
+ T.nilable(T::Hash[Symbol, String])
154
+ )
132
155
  end
133
156
 
157
+ sig do
158
+ params(
159
+ tags: T::Array[T::Hash[Symbol, T.untyped]]
160
+ )
161
+ .returns(T.nilable(T::Hash[Symbol, T.untyped]))
162
+ end
134
163
  def find_lowest_secure_version(tags)
135
164
  relevant_tags = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(tags, security_advisories)
136
165
  relevant_tags = filter_lower_tags(relevant_tags)
@@ -138,40 +167,54 @@ module Dependabot
138
167
  relevant_tags.min_by { |tag| tag.fetch(:version) }
139
168
  end
140
169
 
170
+ sig { returns(T.nilable(String)) }
141
171
  def latest_commit_for_pinned_ref
142
- @latest_commit_for_pinned_ref ||= begin
143
- head_commit_for_ref_sha = git_commit_checker.head_commit_for_pinned_ref
144
- if head_commit_for_ref_sha
145
- head_commit_for_ref_sha
146
- else
147
- url = git_commit_checker.dependency_source_details[:url]
148
- source = T.must(Source.from_url(url))
149
-
150
- SharedHelpers.in_a_temporary_directory(File.dirname(source.repo)) do |temp_dir|
151
- repo_contents_path = File.join(temp_dir, File.basename(source.repo))
152
-
153
- SharedHelpers.run_shell_command("git clone --no-recurse-submodules #{url} #{repo_contents_path}")
154
-
155
- Dir.chdir(repo_contents_path) do
156
- ref_branch = find_container_branch(git_commit_checker.dependency_source_details[:ref])
157
- git_commit_checker.head_commit_for_local_branch(ref_branch) if ref_branch
172
+ @latest_commit_for_pinned_ref ||= T.let(
173
+ begin
174
+ head_commit_for_ref_sha = git_commit_checker.head_commit_for_pinned_ref
175
+ if head_commit_for_ref_sha
176
+ head_commit_for_ref_sha
177
+ else
178
+ url = git_commit_checker.dependency_source_details&.fetch(:url)
179
+ source = T.must(Source.from_url(url))
180
+
181
+ SharedHelpers.in_a_temporary_directory(File.dirname(source.repo)) do |temp_dir|
182
+ repo_contents_path = File.join(temp_dir, File.basename(source.repo))
183
+
184
+ SharedHelpers.run_shell_command("git clone --no-recurse-submodules #{url} #{repo_contents_path}")
185
+
186
+ Dir.chdir(repo_contents_path) do
187
+ ref_branch = find_container_branch(git_commit_checker.dependency_source_details&.fetch(:ref))
188
+ git_commit_checker.head_commit_for_local_branch(ref_branch) if ref_branch
189
+ end
158
190
  end
159
191
  end
160
- end
161
- end
192
+ end,
193
+ T.nilable(String)
194
+ )
162
195
  end
163
196
 
197
+ sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
164
198
  def latest_version_tag
165
- @latest_version_tag ||= begin
166
- return git_commit_checker.local_tag_for_latest_version if dependency.version.nil?
199
+ @latest_version_tag ||= T.let(
200
+ begin
201
+ return git_commit_checker.local_tag_for_latest_version if dependency.version.nil?
167
202
 
168
- ref = git_commit_checker.local_ref_for_latest_version_matching_existing_precision
169
- return ref if ref && ref.fetch(:version) > current_version
203
+ ref = git_commit_checker.local_ref_for_latest_version_matching_existing_precision
204
+ return ref if ref && ref.fetch(:version) > current_version
170
205
 
171
- git_commit_checker.local_ref_for_latest_version_lower_precision
172
- end
206
+ git_commit_checker.local_ref_for_latest_version_lower_precision
207
+ end,
208
+ T.nilable(T::Hash[Symbol, T.untyped])
209
+ )
173
210
  end
174
211
 
212
+ sig do
213
+ params(
214
+ tags_array: T::Array[T::Hash[Symbol, T.untyped]]
215
+ )
216
+ .returns(T::Array[T::Hash[Symbol, T.untyped]])
217
+ end
175
218
  def filter_lower_tags(tags_array)
176
219
  return tags_array unless current_version
177
220
 
@@ -179,6 +222,7 @@ module Dependabot
179
222
  .select { |tag| tag.fetch(:version) > current_version }
180
223
  end
181
224
 
225
+ sig { params(source: T.nilable(T::Hash[Symbol, String])).returns(T.nilable(String)) }
182
226
  def updated_ref(source)
183
227
  # TODO: Support Docker sources
184
228
  return unless git_dependency?
@@ -206,6 +250,7 @@ module Dependabot
206
250
  nil
207
251
  end
208
252
 
253
+ sig { returns(T.nilable(String)) }
209
254
  def latest_commit_sha
210
255
  new_tag = latest_version_tag
211
256
  return unless new_tag
@@ -217,20 +262,30 @@ module Dependabot
217
262
  end
218
263
  end
219
264
 
265
+ sig { returns(T.nilable(String)) }
220
266
  def current_commit
221
267
  git_commit_checker.head_commit_for_current_branch
222
268
  end
223
269
 
270
+ sig { returns(T::Boolean) }
224
271
  def git_dependency?
225
272
  git_commit_checker.git_dependency?
226
273
  end
227
274
 
275
+ sig { returns(Dependabot::GitCommitChecker) }
228
276
  def git_commit_checker
229
- @git_commit_checker ||= git_commit_checker_for(nil)
277
+ @git_commit_checker ||= T.let(
278
+ git_commit_checker_for(nil),
279
+ T.nilable(Dependabot::GitCommitChecker)
280
+ )
230
281
  end
231
282
 
283
+ sig { params(source: T.nilable(T::Hash[Symbol, String])).returns(Dependabot::GitCommitChecker) }
232
284
  def git_commit_checker_for(source)
233
- @git_commit_checkers ||= {}
285
+ @git_commit_checkers ||= T.let(
286
+ {},
287
+ T.nilable(T::Hash[T.nilable(T::Hash[Symbol, String]), Dependabot::GitCommitChecker])
288
+ )
234
289
 
235
290
  @git_commit_checkers[source] ||= Dependabot::GitCommitChecker.new(
236
291
  dependency: dependency,
@@ -242,6 +297,7 @@ module Dependabot
242
297
  )
243
298
  end
244
299
 
300
+ sig { params(base: T.nilable(String), other: String).returns(T::Boolean) }
245
301
  def shortened_semver_eq?(base, other)
246
302
  return false unless base
247
303
 
@@ -252,6 +308,7 @@ module Dependabot
252
308
  other_split[0..base_split.length - 1] == base_split
253
309
  end
254
310
 
311
+ sig { params(sha: String).returns(T.nilable(String)) }
255
312
  def find_container_branch(sha)
256
313
  branches_including_ref = SharedHelpers.run_shell_command(
257
314
  "git branch --remotes --contains #{sha}",
@@ -31,6 +31,8 @@ module Dependabot
31
31
 
32
32
  sig { override.params(version: VersionParameter).returns(T::Boolean) }
33
33
  def self.correct?(version)
34
+ return false if version.to_s.strip.empty?
35
+
34
36
  version = Version.remove_leading_v(version)
35
37
  super
36
38
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-github_actions
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.264.0
4
+ version: 0.266.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-07-05 00:00:00.000000000 Z
11
+ date: 2024-07-18 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.264.0
19
+ version: 0.266.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.264.0
26
+ version: 0.266.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debug
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -114,14 +114,14 @@ dependencies:
114
114
  requirements:
115
115
  - - "~>"
116
116
  - !ruby/object:Gem::Version
117
- version: 1.63.2
117
+ version: 1.65.0
118
118
  type: :development
119
119
  prerelease: false
120
120
  version_requirements: !ruby/object:Gem::Requirement
121
121
  requirements:
122
122
  - - "~>"
123
123
  - !ruby/object:Gem::Version
124
- version: 1.63.2
124
+ version: 1.65.0
125
125
  - !ruby/object:Gem::Dependency
126
126
  name: rubocop-performance
127
127
  requirement: !ruby/object:Gem::Requirement
@@ -255,7 +255,7 @@ licenses:
255
255
  - MIT
256
256
  metadata:
257
257
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
258
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.264.0
258
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.266.0
259
259
  post_install_message:
260
260
  rdoc_options: []
261
261
  require_paths: