dependabot-github_actions 0.291.0 → 0.293.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a7526b6dc97e519c47294f5c251c0fff5f893069662464e86c9ffaff188ffde1
-  data.tar.gz: 16e683adfe613d60ae5c290c7654bead63b66d2eaf0ec4f9b2e6685feecdddca
+  metadata.gz: 97a39fd214b18afb927295d590e8ea8e3270015da3998b80a85106ae9cc203c2
+  data.tar.gz: 8b63e4e18e5f3c4695b70c8a8e4a1c7083e4d8bfabe1ac14d78b736150a71935
 SHA512:
-  metadata.gz: 05ab5a39956dbc0ce6a25a91c0a180337abc89c5c7d82d99cc1ef8d77b94beae073d5d8eefc741b160134008b1034fc5fb4a8f34fe2a4f60f86f3735f9a921d6
-  data.tar.gz: 54e9c432648188d4e7e36e6e5c663e495504d6979008179e826b49d2dadd8ac59b7a91a9cfb029ac20c6d5c5b6c812a4e518e7a0d7cc887b4b0d48b5100511b6
+  metadata.gz: 7c926a9ef211db6152426254d7926536d6cb3116b48089bab873a1e0a99bcd509f05c5daf46ea6005334c8c3f0470a6650c9323568ea2a12dd7f150bb26ade7c
+  data.tar.gz: e9ba4aaede0323e01bc3abc8792bb5b1327981a44ea91650b9d69ac87166260177b1b6ab1452f9e103bf6125860ae6074bc2dc830d0827ae36494d9fc29a9252

data/lib/dependabot/github_actions/constants.rb

@@ -0,0 +1,44 @@
+# typed: strong
+# frozen_string_literal: true
+
+module Dependabot
+  module GithubActions
+    # Reference to the GitHub.com domain
+    GITHUB_COM = T.let("github.com", String)
+
+    # Regular expression to match a GitHub repository reference
+    GITHUB_REPO_REFERENCE = T.let(%r{
+      ^(?<owner>[\w.-]+)/
+      (?<repo>[\w.-]+)
+      (?<path>/[^\@]+)?
+      @(?<ref>.+)
+    }x, Regexp)
+
+    # Matches .yml or .yaml files in the .github/workflows directories
+    WORKFLOW_YAML_REGEX = %r{\.github/workflows/.+\.ya?ml$}
+    # Matches .yml or .yaml files anywhere
+    ALL_YAML_FILES = %r{(?:^|/).+\.ya?ml$}
+
+    # The ecosystem name for GitHub Actions
+    ECOSYSTEM = T.let("github_actions", String)
+
+    # The pattern to match manifest files
+    MANIFEST_FILE_PATTERN = /\.ya?ml$/
+    # The name of the manifest file
+    MANIFEST_FILE_YML = T.let("action.yml", String)
+    # The name of the manifest file
+    MANIFEST_FILE_YAML = T.let("action.yaml", String)
+    # The pattern to match any .yml or .yaml file
+    ANYTHING_YML = T.let("<anything>.yml", String)
+    # The path to the workflow directory
+    WORKFLOW_DIRECTORY = T.let(".github/workflows", String)
+    # The path to the config .yml file
+    CONFIG_YMLS = T.let("#{WORKFLOW_DIRECTORY}/#{ANYTHING_YML}".freeze, String)
+
+    OWNER_KEY = T.let("owner", String)
+    REPO_KEY = T.let("repo", String)
+    REF_KEY = T.let("ref", String)
+    USES_KEY = T.let("uses", String)
+    STEPS_KEY = T.let("steps", String)
+  end
+end

data/lib/dependabot/github_actions/file_fetcher.rb

@@ -5,6 +5,7 @@ require "sorbet-runtime"
 
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
+require "dependabot/github_actions/constants"
 
 module Dependabot
   module GithubActions
@@ -12,11 +13,9 @@ module Dependabot
       extend T::Sig
       extend T::Helpers
 
-      FILENAME_PATTERN = /\.ya?ml$/
-
       sig { override.params(filenames: T::Array[String]).returns(T::Boolean) }
       def self.required_files_in?(filenames)
-        filenames.any? { |f| f.match?(FILENAME_PATTERN) }
+        filenames.any? { |f| f.match?(MANIFEST_FILE_PATTERN) }
       end
 
       sig { override.returns(String) }
@@ -49,9 +48,9 @@ module Dependabot
         if incorrectly_encoded_workflow_files.none?
           expected_paths =
             if directory == "/"
-              File.join(directory, "action.yml") + " or /.github/workflows/<anything>.yml"
+              File.join(directory, MANIFEST_FILE_YML) + " or /#{CONFIG_YMLS}"
             else
-              File.join(directory, "<anything>.yml")
+              File.join(directory, ANYTHING_YML)
             end
 
           raise(
@@ -75,16 +74,19 @@ module Dependabot
         # In the special case where the root directory is defined we also scan
         # the .github/workflows/ folder.
         if directory == "/"
-          @workflow_files += [fetch_file_if_present("action.yml"), fetch_file_if_present("action.yaml")].compact
+          @workflow_files += [
+            fetch_file_if_present(MANIFEST_FILE_YML),
+            fetch_file_if_present(MANIFEST_FILE_YAML)
+          ].compact
 
-          workflows_dir = ".github/workflows"
+          workflows_dir = WORKFLOW_DIRECTORY
         else
           workflows_dir = "."
         end
 
         @workflow_files +=
           repo_contents(dir: workflows_dir, raise_errors: false)
-          .select { |f| f.type == "file" && f.name.match?(FILENAME_PATTERN) }
+          .select { |f| f.type == "file" && f.name.match?(MANIFEST_FILE_PATTERN) }
           .map { |f| fetch_file_from_host("#{workflows_dir}/#{f.name}") }
       end
 

data/lib/dependabot/github_actions/file_parser.rb

@@ -8,7 +8,9 @@ require "dependabot/dependency"
 require "dependabot/errors"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
+require "dependabot/github_actions/constants"
 require "dependabot/github_actions/version"
+require "dependabot/github_actions/package_manager"
 
 # For docs, see
 # https://help.github.com/en/articles/configuring-a-workflow#referencing-actions-in-your-workflow
@@ -20,13 +22,6 @@ module Dependabot
 
       require "dependabot/file_parsers/base/dependency_set"
 
-      GITHUB_REPO_REFERENCE = %r{
-        ^(?<owner>[\w.-]+)/
-        (?<repo>[\w.-]+)
-        (?<path>/[^\@]+)?
-        @(?<ref>.+)
-      }x
-
       sig { override.returns(T::Array[Dependabot::Dependency]) }
       def parse
         dependency_set = DependencySet.new
@@ -35,17 +30,27 @@ module Dependabot
           dependency_set += workfile_file_dependencies(file)
         end
 
-        dependencies_without_version = dependency_set.dependencies.select { |dep| dep.version.nil? }
-        unless dependencies_without_version.empty?
-          raise UnresolvableVersionError,
-                dependencies_without_version.map(&:name)
-        end
-
         dependency_set.dependencies
       end
 
+      sig { returns(Ecosystem) }
+      def ecosystem
+        @ecosystem ||= T.let(
+          Ecosystem.new(
+            name: ECOSYSTEM,
+            package_manager: package_manager
+          ),
+          T.nilable(Ecosystem)
+        )
+      end
+
       private
 
+      sig { returns(Ecosystem::VersionManager) }
+      def package_manager
+        @package_manager ||= T.let(PackageManager.new, T.nilable(Dependabot::GithubActions::PackageManager))
+      end
+
       sig { params(file: Dependabot::DependencyFile).returns(Dependabot::FileParsers::Base::DependencySet) }
       def workfile_file_dependencies(file)
         dependency_set = DependencySet.new
@@ -94,20 +99,20 @@ module Dependabot
 
       sig { params(file: Dependabot::DependencyFile, string: String).returns(Dependabot::Dependency) }
       def build_github_dependency(file, string)
-        unless source&.hostname == "github.com"
+        unless source&.hostname == GITHUB_COM
           dep = github_dependency(file, string, T.must(source).hostname)
           git_checker = Dependabot::GitCommitChecker.new(dependency: dep, credentials: credentials)
           return dep if git_checker.git_repo_reachable?
         end
 
-        github_dependency(file, string, "github.com")
+        github_dependency(file, string, GITHUB_COM)
       end
 
       sig { params(file: Dependabot::DependencyFile, string: String, hostname: String).returns(Dependabot::Dependency) }
       def github_dependency(file, string, hostname)
         details = T.must(string.match(GITHUB_REPO_REFERENCE)).named_captures
-        name = "#{details.fetch('owner')}/#{details.fetch('repo')}"
-        ref = details.fetch("ref")
+        name = "#{details.fetch(OWNER_KEY)}/#{details.fetch(REPO_KEY)}"
+        ref = details.fetch(REF_KEY)
         version = version_class.new(ref).to_s if version_class.correct?(ref)
         Dependency.new(
           name: name,
@@ -124,7 +129,7 @@ module Dependabot
             file: file.name,
             metadata: { declaration_string: string }
           }],
-          package_manager: "github_actions"
+          package_manager: PackageManager::NAME
         )
       end
 
@@ -139,11 +144,11 @@ module Dependabot
 
       sig { params(json_object: T::Hash[String, T.untyped], found_uses: T::Array[String]).returns(T::Array[String]) }
       def deep_fetch_uses_from_hash(json_object, found_uses)
-        if json_object.key?("uses")
-          found_uses << json_object["uses"]
-        elsif json_object.key?("steps")
+        if json_object.key?(USES_KEY)
+          found_uses << json_object[USES_KEY]
+        elsif json_object.key?(STEPS_KEY)
           # Bypass other fields as uses are under steps if they exist
-          deep_fetch_uses(json_object["steps"], found_uses)
+          deep_fetch_uses(json_object[STEPS_KEY], found_uses)
         else
           json_object.values.flat_map { |obj| deep_fetch_uses(obj, found_uses) }
         end

data/lib/dependabot/github_actions/file_updater.rb

@@ -6,6 +6,7 @@ require "sorbet-runtime"
 require "dependabot/errors"
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
+require "dependabot/github_actions/constants"
 
 module Dependabot
   module GithubActions
@@ -16,10 +17,10 @@ module Dependabot
       def self.updated_files_regex
         [
           # Matches .yml or .yaml files in the .github/workflows directories
-          %r{\.github/workflows/.+\.ya?ml$},
+          WORKFLOW_YAML_REGEX,
 
           # Matches .yml or .yaml files in the root directory or any subdirectory
-          %r{(?:^|/).+\.ya?ml$}
+          ALL_YAML_FILES
         ]
       end
 

data/lib/dependabot/github_actions/metadata_finder.rb

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 
 require "sorbet-runtime"
-
+require "dependabot/github_actions/constants"
 require "dependabot/metadata_finders"
 require "dependabot/metadata_finders/base"
 
@@ -19,7 +19,7 @@ module Dependabot
 
         url =
           if info.nil?
-            "https://github.com/#{dependency.name}"
+            "https://#{GITHUB_COM}/#{dependency.name}"
           else
             info[:url] || info.fetch("url")
           end

data/lib/dependabot/github_actions/package_manager.rb

@@ -0,0 +1,40 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/github_actions/constants"
+require "dependabot/github_actions/version"
+require "dependabot/ecosystem"
+require "dependabot/github_actions/requirement"
+
+module Dependabot
+  module GithubActions
+    class PackageManager < Dependabot::Ecosystem::VersionManager
+      extend T::Sig
+
+      # The package manager name for GitHub Actions
+      NAME = T.let("github_actions", String)
+
+      # The version of the package manager
+      VERSION = T.let("1.0.0", String)
+
+      sig { void }
+      def initialize
+        super(
+          name: NAME,
+          version: Version.new(VERSION)
+      )
+      end
+
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        false
+      end
+    end
+  end
+end

data/lib/dependabot/github_actions/update_checker.rb

@@ -4,6 +4,7 @@
 require "sorbet-runtime"
 
 require "dependabot/errors"
+require "dependabot/github_actions/constants"
 require "dependabot/github_actions/requirement"
 require "dependabot/github_actions/version"
 require "dependabot/update_checkers"

data/lib/dependabot/github_actions.rb

@@ -3,6 +3,7 @@
 
 # These all need to be required so the various classes can be registered in a
 # lookup table of package manager names to concrete classes.
+require "dependabot/github_actions/constants"
 require "dependabot/github_actions/file_fetcher"
 require "dependabot/github_actions/file_parser"
 require "dependabot/github_actions/update_checker"
@@ -10,6 +11,7 @@ require "dependabot/github_actions/file_updater"
 require "dependabot/github_actions/metadata_finder"
 require "dependabot/github_actions/requirement"
 require "dependabot/github_actions/version"
+require "dependabot/github_actions/package_manager"
 
 require "dependabot/pull_request_creator/labeler"
 Dependabot::PullRequestCreator::Labeler

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-github_actions
 version: !ruby/object:Gem::Version
-  version: 0.291.0
+  version: 0.293.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-19 00:00:00.000000000 Z
+date: 2025-01-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.291.0
+        version: 0.293.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.291.0
+        version: 0.293.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -243,10 +243,12 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/dependabot/github_actions.rb
+- lib/dependabot/github_actions/constants.rb
 - lib/dependabot/github_actions/file_fetcher.rb
 - lib/dependabot/github_actions/file_parser.rb
 - lib/dependabot/github_actions/file_updater.rb
 - lib/dependabot/github_actions/metadata_finder.rb
+- lib/dependabot/github_actions/package_manager.rb
 - lib/dependabot/github_actions/requirement.rb
 - lib/dependabot/github_actions/update_checker.rb
 - lib/dependabot/github_actions/version.rb
@@ -255,7 +257,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.291.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.293.0
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -271,7 +273,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.1.0
 requirements: []
-rubygems_version: 3.5.9
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: Provides Dependabot support for GitHub Actions