dependabot-github_actions 0.290.0 → 0.292.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 73086dbabc2a140abac38cd611ad0935b94551ac037b0471ce724bffef9f793b
-  data.tar.gz: 3c383709a692102f4c10f8835c87a8fabd19ea2767fcf7b4d23b46dcab2d8a80
+  metadata.gz: ec9317297cf1d6f91689b4dbfd495361463c4da20b5e1cdfb8b1bec345fb6fdc
+  data.tar.gz: 108569a3859425a5c8120fa66f9f04f1a93d24f4d394ba6b36d19e5431e02071
 SHA512:
-  metadata.gz: c72d7de19ff07f28daf2c6561f00ad6e676267ed8441583757c309608f0b17c55229cc6961b23d970d5de42764afc947e11882466974c7fbbfaa4a7cc8945957
-  data.tar.gz: 81ae8260af6064da9f00632528a767d120542b894b1700c83934a3988ad01181bd38765bca7cc270a4d67332d44a5a9c326ff5a8c99f053a157b8f1bf0aa9954
+  metadata.gz: 5fbf5b457cf937c2b4856b6a2993c229b10218d541d288f31e4c80c36a84e75a3505b229057484dbd5e19fad22c7a4a99a9c3e9aa72e643e54abbc39cdb668aa
+  data.tar.gz: f2618bb10546af53d065eb2364fd0de958fdf98537b9de8d163d6191fd5c4ad3fa8714bb0688bc481a7aa977b6361ab05c01564323bb03e2280e0fe5eb23dc44

data/lib/dependabot/github_actions/constants.rb

@@ -0,0 +1,44 @@
+# typed: strong
+# frozen_string_literal: true
+
+module Dependabot
+  module GithubActions
+    # Reference to the GitHub.com domain
+    GITHUB_COM = T.let("github.com", String)
+
+    # Regular expression to match a GitHub repository reference
+    GITHUB_REPO_REFERENCE = T.let(%r{
+      ^(?<owner>[\w.-]+)/
+      (?<repo>[\w.-]+)
+      (?<path>/[^\@]+)?
+      @(?<ref>.+)
+    }x, Regexp)
+
+    # Matches .yml or .yaml files in the .github/workflows directories
+    WORKFLOW_YAML_REGEX = %r{\.github/workflows/.+\.ya?ml$}
+    # Matches .yml or .yaml files anywhere
+    ALL_YAML_FILES = %r{(?:^|/).+\.ya?ml$}
+
+    # The ecosystem name for GitHub Actions
+    ECOSYSTEM = T.let("github_actions", String)
+
+    # The pattern to match manifest files
+    MANIFEST_FILE_PATTERN = /\.ya?ml$/
+    # The name of the manifest file
+    MANIFEST_FILE_YML = T.let("action.yml", String)
+    # The name of the manifest file
+    MANIFEST_FILE_YAML = T.let("action.yaml", String)
+    # The pattern to match any .yml or .yaml file
+    ANYTHING_YML = T.let("<anything>.yml", String)
+    # The path to the workflow directory
+    WORKFLOW_DIRECTORY = T.let(".github/workflows", String)
+    # The path to the config .yml file
+    CONFIG_YMLS = T.let("#{WORKFLOW_DIRECTORY}/#{ANYTHING_YML}".freeze, String)
+
+    OWNER_KEY = T.let("owner", String)
+    REPO_KEY = T.let("repo", String)
+    REF_KEY = T.let("ref", String)
+    USES_KEY = T.let("uses", String)
+    STEPS_KEY = T.let("steps", String)
+  end
+end

data/lib/dependabot/github_actions/file_fetcher.rb

@@ -5,6 +5,7 @@ require "sorbet-runtime"
 
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
+require "dependabot/github_actions/constants"
 
 module Dependabot
   module GithubActions
@@ -12,11 +13,9 @@ module Dependabot
       extend T::Sig
       extend T::Helpers
 
-      FILENAME_PATTERN = /\.ya?ml$/
-
       sig { override.params(filenames: T::Array[String]).returns(T::Boolean) }
       def self.required_files_in?(filenames)
-        filenames.any? { |f| f.match?(FILENAME_PATTERN) }
+        filenames.any? { |f| f.match?(MANIFEST_FILE_PATTERN) }
       end
 
       sig { override.returns(String) }
@@ -49,9 +48,9 @@ module Dependabot
         if incorrectly_encoded_workflow_files.none?
           expected_paths =
             if directory == "/"
-              File.join(directory, "action.yml") + " or /.github/workflows/<anything>.yml"
+              File.join(directory, MANIFEST_FILE_YML) + " or /#{CONFIG_YMLS}"
             else
-              File.join(directory, "<anything>.yml")
+              File.join(directory, ANYTHING_YML)
             end
 
           raise(
@@ -75,16 +74,19 @@ module Dependabot
         # In the special case where the root directory is defined we also scan
         # the .github/workflows/ folder.
         if directory == "/"
-          @workflow_files += [fetch_file_if_present("action.yml"), fetch_file_if_present("action.yaml")].compact
+          @workflow_files += [
+            fetch_file_if_present(MANIFEST_FILE_YML),
+            fetch_file_if_present(MANIFEST_FILE_YAML)
+          ].compact
 
-          workflows_dir = ".github/workflows"
+          workflows_dir = WORKFLOW_DIRECTORY
         else
           workflows_dir = "."
         end
 
         @workflow_files +=
           repo_contents(dir: workflows_dir, raise_errors: false)
-          .select { |f| f.type == "file" && f.name.match?(FILENAME_PATTERN) }
+          .select { |f| f.type == "file" && f.name.match?(MANIFEST_FILE_PATTERN) }
           .map { |f| fetch_file_from_host("#{workflows_dir}/#{f.name}") }
       end
 

data/lib/dependabot/github_actions/file_parser.rb

@@ -8,7 +8,9 @@ require "dependabot/dependency"
 require "dependabot/errors"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
+require "dependabot/github_actions/constants"
 require "dependabot/github_actions/version"
+require "dependabot/github_actions/package_manager"
 
 # For docs, see
 # https://help.github.com/en/articles/configuring-a-workflow#referencing-actions-in-your-workflow
@@ -20,13 +22,6 @@ module Dependabot
 
       require "dependabot/file_parsers/base/dependency_set"
 
-      GITHUB_REPO_REFERENCE = %r{
-        ^(?<owner>[\w.-]+)/
-        (?<repo>[\w.-]+)
-        (?<path>/[^\@]+)?
-        @(?<ref>.+)
-      }x
-
       sig { override.returns(T::Array[Dependabot::Dependency]) }
       def parse
         dependency_set = DependencySet.new
@@ -35,11 +30,33 @@ module Dependabot
           dependency_set += workfile_file_dependencies(file)
         end
 
+        dependencies_without_version = dependency_set.dependencies.select { |dep| dep.version.nil? }
+        unless dependencies_without_version.empty?
+          raise UnresolvableVersionError,
+                dependencies_without_version.map(&:name)
+        end
+
         dependency_set.dependencies
       end
 
+      sig { returns(Ecosystem) }
+      def ecosystem
+        @ecosystem ||= T.let(
+          Ecosystem.new(
+            name: ECOSYSTEM,
+            package_manager: package_manager
+          ),
+          T.nilable(Ecosystem)
+        )
+      end
+
       private
 
+      sig { returns(Ecosystem::VersionManager) }
+      def package_manager
+        @package_manager ||= T.let(PackageManager.new, T.nilable(Dependabot::GithubActions::PackageManager))
+      end
+
       sig { params(file: Dependabot::DependencyFile).returns(Dependabot::FileParsers::Base::DependencySet) }
       def workfile_file_dependencies(file)
         dependency_set = DependencySet.new
@@ -88,20 +105,20 @@ module Dependabot
 
       sig { params(file: Dependabot::DependencyFile, string: String).returns(Dependabot::Dependency) }
       def build_github_dependency(file, string)
-        unless source&.hostname == "github.com"
+        unless source&.hostname == GITHUB_COM
           dep = github_dependency(file, string, T.must(source).hostname)
           git_checker = Dependabot::GitCommitChecker.new(dependency: dep, credentials: credentials)
           return dep if git_checker.git_repo_reachable?
         end
 
-        github_dependency(file, string, "github.com")
+        github_dependency(file, string, GITHUB_COM)
       end
 
       sig { params(file: Dependabot::DependencyFile, string: String, hostname: String).returns(Dependabot::Dependency) }
       def github_dependency(file, string, hostname)
         details = T.must(string.match(GITHUB_REPO_REFERENCE)).named_captures
-        name = "#{details.fetch('owner')}/#{details.fetch('repo')}"
-        ref = details.fetch("ref")
+        name = "#{details.fetch(OWNER_KEY)}/#{details.fetch(REPO_KEY)}"
+        ref = details.fetch(REF_KEY)
         version = version_class.new(ref).to_s if version_class.correct?(ref)
         Dependency.new(
           name: name,
@@ -118,7 +135,7 @@ module Dependabot
             file: file.name,
             metadata: { declaration_string: string }
           }],
-          package_manager: "github_actions"
+          package_manager: PackageManager::NAME
         )
       end
 
@@ -133,11 +150,11 @@ module Dependabot
 
       sig { params(json_object: T::Hash[String, T.untyped], found_uses: T::Array[String]).returns(T::Array[String]) }
       def deep_fetch_uses_from_hash(json_object, found_uses)
-        if json_object.key?("uses")
-          found_uses << json_object["uses"]
-        elsif json_object.key?("steps")
+        if json_object.key?(USES_KEY)
+          found_uses << json_object[USES_KEY]
+        elsif json_object.key?(STEPS_KEY)
           # Bypass other fields as uses are under steps if they exist
-          deep_fetch_uses(json_object["steps"], found_uses)
+          deep_fetch_uses(json_object[STEPS_KEY], found_uses)
         else
           json_object.values.flat_map { |obj| deep_fetch_uses(obj, found_uses) }
         end

data/lib/dependabot/github_actions/file_updater.rb

@@ -6,6 +6,7 @@ require "sorbet-runtime"
 require "dependabot/errors"
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
+require "dependabot/github_actions/constants"
 
 module Dependabot
   module GithubActions
@@ -16,10 +17,10 @@ module Dependabot
       def self.updated_files_regex
         [
           # Matches .yml or .yaml files in the .github/workflows directories
-          %r{\.github/workflows/.+\.ya?ml$},
+          WORKFLOW_YAML_REGEX,
 
           # Matches .yml or .yaml files in the root directory or any subdirectory
-          %r{(?:^|/).+\.ya?ml$}
+          ALL_YAML_FILES
         ]
       end
 

data/lib/dependabot/github_actions/metadata_finder.rb

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 
 require "sorbet-runtime"
-
+require "dependabot/github_actions/constants"
 require "dependabot/metadata_finders"
 require "dependabot/metadata_finders/base"
 
@@ -19,7 +19,7 @@ module Dependabot
 
         url =
           if info.nil?
-            "https://github.com/#{dependency.name}"
+            "https://#{GITHUB_COM}/#{dependency.name}"
           else
             info[:url] || info.fetch("url")
           end

data/lib/dependabot/github_actions/package_manager.rb

@@ -0,0 +1,40 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/github_actions/constants"
+require "dependabot/github_actions/version"
+require "dependabot/ecosystem"
+require "dependabot/github_actions/requirement"
+
+module Dependabot
+  module GithubActions
+    class PackageManager < Dependabot::Ecosystem::VersionManager
+      extend T::Sig
+
+      # The package manager name for GitHub Actions
+      NAME = T.let("github_actions", String)
+
+      # The version of the package manager
+      VERSION = T.let("1.0.0", String)
+
+      sig { void }
+      def initialize
+        super(
+          name: NAME,
+          version: Version.new(VERSION)
+      )
+      end
+
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        false
+      end
+    end
+  end
+end

data/lib/dependabot/github_actions/update_checker.rb

@@ -4,6 +4,7 @@
 require "sorbet-runtime"
 
 require "dependabot/errors"
+require "dependabot/github_actions/constants"
 require "dependabot/github_actions/requirement"
 require "dependabot/github_actions/version"
 require "dependabot/update_checkers"

data/lib/dependabot/github_actions.rb

@@ -3,6 +3,7 @@
 
 # These all need to be required so the various classes can be registered in a
 # lookup table of package manager names to concrete classes.
+require "dependabot/github_actions/constants"
 require "dependabot/github_actions/file_fetcher"
 require "dependabot/github_actions/file_parser"
 require "dependabot/github_actions/update_checker"
@@ -10,6 +11,7 @@ require "dependabot/github_actions/file_updater"
 require "dependabot/github_actions/metadata_finder"
 require "dependabot/github_actions/requirement"
 require "dependabot/github_actions/version"
+require "dependabot/github_actions/package_manager"
 
 require "dependabot/pull_request_creator/labeler"
 Dependabot::PullRequestCreator::Labeler

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-github_actions
 version: !ruby/object:Gem::Version
-  version: 0.290.0
+  version: 0.292.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-12 00:00:00.000000000 Z
+date: 2025-01-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.290.0
+        version: 0.292.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.290.0
+        version: 0.292.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -243,10 +243,12 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/dependabot/github_actions.rb
+- lib/dependabot/github_actions/constants.rb
 - lib/dependabot/github_actions/file_fetcher.rb
 - lib/dependabot/github_actions/file_parser.rb
 - lib/dependabot/github_actions/file_updater.rb
 - lib/dependabot/github_actions/metadata_finder.rb
+- lib/dependabot/github_actions/package_manager.rb
 - lib/dependabot/github_actions/requirement.rb
 - lib/dependabot/github_actions/update_checker.rb
 - lib/dependabot/github_actions/version.rb
@@ -255,7 +257,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.290.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.292.0
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -271,7 +273,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.1.0
 requirements: []
-rubygems_version: 3.5.9
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: Provides Dependabot support for GitHub Actions