dependabot-github_actions 0.368.0 → 0.369.0
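--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2c6e673a88e40431d523e83cede3408e17fb7a31a283700e03db8298647cd5e6
+data.tar.gz: 7728581d335018578ecad6c8e5cfc3a3fb9f3c9713a47496a89ddd8ff96c9261
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2bf2a6c8f67cf959f136d51e51acf805148cbaaa2e7534d6976976694ed3de6cb8725bc57f9bd497b079de6537a7602b71cbdf64b47e95f7625efc21d765b7fe
+data.tar.gz: cc646daed9e46c070bafb8367e44b9f82a7c8f1c4c2190ea91b4eb680686370f375b1a374e4f193d6f43404facb7867e6f6b861741a6efb675725df786c99fb8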
@@ -8,6 +8,7 @@ require "sorbet-runtime"
|
|
|
8
8
|
require "time"
|
|
9
9
|
|
|
10
10
|
require "dependabot/errors"
|
|
11
|
+
require "dependabot/git_tag_with_detail"
|
|
11
12
|
require "dependabot/github_actions/helpers"
|
|
12
13
|
require "dependabot/github_actions/requirement"
|
|
13
14
|
require "dependabot/github_actions/update_checker"
|
|
@@ -16,6 +17,7 @@ require "dependabot/package/package_details"
|
|
|
16
17
|
require "dependabot/package/package_release"
|
|
17
18
|
require "dependabot/registry_client"
|
|
18
19
|
require "dependabot/shared_helpers"
|
|
20
|
+
require "dependabot/source"
|
|
19
21
|
|
|
20
22
|
module Dependabot
|
|
21
23
|
module GithubActions
|
|
@@ -127,6 +129,54 @@ module Dependabot
|
|
|
127
129
|
)
|
|
128
130
|
end
|
|
129
131
|
|
|
132
|
+
sig { returns(T::Array[Dependabot::GitTagWithDetail]) }
|
|
133
|
+
def fetch_tag_and_release_date
|
|
134
|
+
allowed_version_tags = git_commit_checker.allowed_version_tags
|
|
135
|
+
allowed_tag_names = Set.new(allowed_version_tags.map(&:name))
|
|
136
|
+
|
|
137
|
+
# Use the shared GitCommitChecker#refs_for_tag_with_detail to fetch all tags
|
|
138
|
+
# with release dates in a single clone (instead of one clone per tag)
|
|
139
|
+
all_refs_with_detail = git_commit_checker.refs_for_tag_with_detail
|
|
140
|
+
|
|
141
|
+
result = all_refs_with_detail.select do |ref|
|
|
142
|
+
allowed_tag_names.include?(ref.tag)
|
|
143
|
+
end
|
|
144
|
+
|
|
145
|
+
# Log an error if we couldn't fetch any release dates
|
|
146
|
+
if result.empty? && allowed_version_tags.any?
|
|
147
|
+
Dependabot.logger.error("Error fetching tag and release date: unable to fetch for allowed tags")
|
|
148
|
+
end
|
|
149
|
+
|
|
150
|
+
result
|
|
151
|
+
rescue StandardError => e
|
|
152
|
+
Dependabot.logger.error("Error fetching tag and release date: #{e.message}")
|
|
153
|
+
[]
|
|
154
|
+
end
|
|
155
|
+
|
|
156
|
+
sig do
|
|
157
|
+
returns(T::Array[T::Hash[Symbol, T.untyped]])
|
|
158
|
+
end
|
|
159
|
+
def allowed_version_tags_with_release_dates
|
|
160
|
+
allowed_version_tags_hashes = git_commit_checker.local_tags_for_allowed_versions
|
|
161
|
+
tag_to_release_date = T.let({}, T::Hash[String, T.nilable(String)])
|
|
162
|
+
|
|
163
|
+
# Build a map of tag names to release dates for quick lookup
|
|
164
|
+
fetch_tag_and_release_date.each do |git_tag_with_detail|
|
|
165
|
+
tag_to_release_date[git_tag_with_detail.tag] = git_tag_with_detail.release_date
|
|
166
|
+
end
|
|
167
|
+
|
|
168
|
+
# Combine version info with release dates and sort by version descending
|
|
169
|
+
result = allowed_version_tags_hashes.map do |tag_hash|
|
|
170
|
+
tag_name = tag_hash.fetch(:tag)
|
|
171
|
+
tag_hash.merge(
|
|
172
|
+
release_date: tag_to_release_date[tag_name]
|
|
173
|
+
)
|
|
174
|
+
end
|
|
175
|
+
|
|
176
|
+
# Sort by version descending (newest first)
|
|
177
|
+
result.sort_by { |tag_hash| tag_hash.fetch(:version) }.reverse
|
|
178
|
+
end
|
|
179
|
+
|
|
130
180
|
private
|
|
131
181
|
|
|
132
182
|
sig { returns(Dependabot::GitCommitChecker) }
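Review bot: In `fetch_tag_and_release_date` the `rescue StandardError` returns `[]`, and `allowed_version_tags_with_release_dates` then merges `release_date: nil` into every allowed tag, so the caller receives the same shape whether the clone failed, no ref matched an allowed tag name, or a tag simply has no date; since these dates are what the cooldown filter consumes, a transient fetch failure reads downstream as "no tag has a release date". I'd make that contract explicit above `allowed_version_tags_with_release_dates`: `# release_date is nil when the date could not be determined, including when the whole tag/date fetch failed; cooldown callers must decide what nil means rather than treating it as "not in cooldown".` The empty-result branch already logs at error, but presumably a name-format mismatch between `ref.tag` and `allowed_version_tags.map(&:name)` would land in the same branch, so including a sample of the expected names, e.g. `Dependabot.logger.error("Error fetching tag and release date: unable to fetch for allowed tags (e.g. #{allowed_tag_names.first(3).inspect})")`, would help tell that apart from a real fetch failure. The enclosing class starts and ends outside this hunk.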
|
|
@@ -1,7 +1,6 @@
|
|
|
1
1
|
# typed: strict
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
-
require "excon"
|
|
5
4
|
require "sorbet-runtime"
|
|
6
5
|
|
|
7
6
|
require "dependabot/errors"
|
|
@@ -12,6 +11,7 @@ require "dependabot/github_actions/update_checker"
|
|
|
12
11
|
require "dependabot/github_actions/helpers"
|
|
13
12
|
require "dependabot/package/package_latest_version_finder"
|
|
14
13
|
require "dependabot/shared_helpers"
|
|
14
|
+
require "dependabot/update_checkers/cooldown_calculation"
|
|
15
15
|
require "dependabot/update_checkers/version_filters"
|
|
16
16
|
|
|
17
17
|
module Dependabot
|
|
@@ -106,7 +106,7 @@ module Dependabot
|
|
|
106
106
|
|
|
107
107
|
sig { returns(T.nilable(Dependabot::GithubActions::Package::PackageDetailsFetcher)) }
|
|
108
108
|
def package_details_fetcher
|
|
109
|
-
@package_details_fetcher
|
|
109
|
+
@package_details_fetcher ||= T.let(
|
|
110
110
|
Dependabot::GithubActions::Package::PackageDetailsFetcher
|
|
111
111
|
.new(
|
|
112
112
|
dependency: dependency,
|
|
@@ -157,19 +157,58 @@ module Dependabot
|
|
|
157
157
|
return release unless cooldown_options
|
|
158
158
|
|
|
159
159
|
Dependabot.logger.info("Initializing cooldown filter")
|
|
160
|
-
release_date = commit_metadata_details
|
|
161
160
|
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
161
|
+
# If the proposed release is a commit SHA (String), check its date against cooldown
|
|
162
|
+
if release.is_a?(String)
|
|
163
|
+
Dependabot.logger.info("Checking cooldown for commit SHA: #{release}")
|
|
164
|
+
return release unless check_if_version_in_cooldown_period?(commit_metadata_details)
|
|
166
165
|
|
|
167
|
-
|
|
168
|
-
Dependabot.logger.info("
|
|
166
|
+
# Proposed SHA is in cooldown; for a SHA-based proposal, return nil (don't fall back to tags)
|
|
167
|
+
Dependabot.logger.info("Proposed commit SHA is in cooldown, returning nil")
|
|
169
168
|
return nil
|
|
170
169
|
end
|
|
171
170
|
|
|
172
|
-
release
|
|
171
|
+
# For version tag proposals, fetch all allowed versions with release dates (single clone)
|
|
172
|
+
# This reuses a single GitCommitChecker instance within package_details_fetcher
|
|
173
|
+
allowed_versions_with_dates = T.must(package_details_fetcher).allowed_version_tags_with_release_dates
|
|
174
|
+
tags_in_cooldown = Set.new(select_version_tags_in_cooldown_period(allowed_versions_with_dates))
|
|
175
|
+
return release if tags_in_cooldown.empty?
|
|
176
|
+
|
|
177
|
+
# Walk through all allowed version tags in descending order (newest first)
|
|
178
|
+
# and return the first one NOT in cooldown
|
|
179
|
+
allowed_versions_with_dates.each do |tag_info|
|
|
180
|
+
tag_name = tag_info.fetch(:tag)
|
|
181
|
+
next if tags_in_cooldown.include?(tag_name)
|
|
182
|
+
|
|
183
|
+
# Found a version not in cooldown, return it
|
|
184
|
+
version = tag_info.fetch(:version)
|
|
185
|
+
Dependabot.logger.info("Found acceptable version outside cooldown: #{version}")
|
|
186
|
+
return version
|
|
187
|
+
end
|
|
188
|
+
|
|
189
|
+
# All versions are in cooldown, return nil to fallback to current version
|
|
190
|
+
Dependabot.logger.info("All versions are in cooldown period, returning current version")
|
|
191
|
+
nil
|
|
192
|
+
end
|
|
193
|
+
|
|
194
|
+
sig do
|
|
195
|
+
params(
|
|
196
|
+
tags_with_dates: T.nilable(
|
|
197
|
+
T.any(T::Array[Dependabot::GitTagWithDetail], T::Array[T::Hash[Symbol, T.untyped]])
|
|
198
|
+
)
|
|
199
|
+
).returns(T::Array[String])
|
|
200
|
+
end
|
|
201
|
+
def select_version_tags_in_cooldown_period(tags_with_dates = nil)
|
|
202
|
+
tags_to_check = tags_with_dates || T.must(package_details_fetcher).fetch_tag_and_release_date
|
|
203
|
+
# Handle both GitTagWithDetail objects and hashes with release_date
|
|
204
|
+
in_cooldown = tags_to_check.select do |tag|
|
|
205
|
+
release_date = tag.is_a?(Hash) ? tag.fetch(:release_date, nil) : tag.release_date
|
|
206
|
+
check_if_version_in_cooldown_period?(release_date)
|
|
207
|
+
end
|
|
208
|
+
in_cooldown.map { |tag| tag.is_a?(Hash) ? tag.fetch(:tag) : tag.tag }
|
|
209
|
+
rescue StandardError => e
|
|
210
|
+
Dependabot.logger.error("Error checking if version is in cooldown (using empty filter): #{e.message}")
|
|
211
|
+
[]
|
|
173
212
|
end
|
|
174
213
|
|
|
175
214
|
sig { returns(T.nilable(String)) }
|
|
@@ -193,8 +232,8 @@ module Dependabot
|
|
|
193
232
|
end
|
|
194
233
|
end
|
|
195
234
|
rescue StandardError => e
|
|
196
|
-
|
|
197
|
-
Dependabot.logger.
|
|
235
|
+
msg = "Error (github actions) while checking release date for #{dependency.name}: #{e.message}"
|
|
236
|
+
Dependabot.logger.warn(msg)
|
|
198
237
|
|
|
199
238
|
nil
|
|
200
239
|
end,
|
|
@@ -202,21 +241,30 @@ module Dependabot
|
|
|
202
241
|
)
|
|
203
242
|
end
|
|
204
243
|
|
|
205
|
-
sig { params(release_date:
|
|
206
|
-
def
|
|
207
|
-
|
|
244
|
+
sig { params(release_date: T.nilable(String)).returns(T::Boolean) }
|
|
245
|
+
def check_if_version_in_cooldown_period?(release_date)
|
|
246
|
+
return false unless release_date&.length&.positive?
|
|
247
|
+
return false unless cooldown_options
|
|
248
|
+
return false unless T.must(cooldown_options).included?(dependency.name)
|
|
208
249
|
|
|
209
|
-
|
|
250
|
+
release_time = Time.parse(T.must(release_date))
|
|
251
|
+
cooldown_days = T.must(cooldown_options).default_days
|
|
210
252
|
|
|
211
|
-
|
|
212
|
-
|
|
253
|
+
is_in_cooldown = Dependabot::UpdateCheckers::CooldownCalculation.within_cooldown_window?(
|
|
254
|
+
release_time,
|
|
255
|
+
cooldown_days
|
|
256
|
+
)
|
|
213
257
|
|
|
258
|
+
passed_seconds = Time.now.to_i - release_time.to_i
|
|
259
|
+
days_since = passed_seconds / Dependabot::UpdateCheckers::CooldownCalculation::DAY_IN_SECONDS
|
|
214
260
|
Dependabot.logger.info(
|
|
215
|
-
"Days since release : #{
|
|
216
|
-
"(cooldown days #{T.must(cooldown_options).default_days})"
|
|
261
|
+
"Days since release : #{days_since} (cooldown days #{cooldown_days})"
|
|
217
262
|
)
|
|
218
263
|
|
|
219
|
-
|
|
264
|
+
is_in_cooldown
|
|
265
|
+
rescue StandardError => e
|
|
266
|
+
Dependabot.logger.debug("Error parsing release date: #{e.message}")
|
|
267
|
+
false
|
|
220
268
|
end
|
|
221
269
|
|
|
222
270
|
sig { returns(String) }
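Review bot: `check_if_version_in_cooldown_period?` fails open: a nil or empty `release_date` returns `false` before the cooldown options are consulted, and any exception from `Time.parse` is rescued to `false` and logged only at debug, so a tag whose date could not be determined or was malformed is treated as outside the window; `select_version_tags_in_cooldown_period` in the earlier hunk compounds this by rescuing to an empty filter. Cooldown exists to delay adopting a freshly pushed tag, so "unknown date" silently disabling it is the wrong default for a supply-chain control; if fail-closed is the intent whenever cooldown applies to this dependency, reorder the guards to `return false unless cooldown_options&.included?(dependency.name)` followed by `return true unless release_date&.length&.positive?`, and have the `rescue StandardError` log at `warn` and return `true`. With that change the SHA path in the earlier hunk (`return release unless check_if_version_in_cooldown_period?(commit_metadata_details)`) would return nil when `commit_metadata_details` is nil, i.e. no update until the commit date resolves, so confirm that is acceptable for sources that expose no date. Only `default_days` is applied here; if `cooldown_options` carries per-semver-level day counts elsewhere in the codebase they are ignored by this method — verify.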
|
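--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-github_actions
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.369.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.369.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.369.0
 - !ruby/object:Gem::Dependency
 name: debug
 requirement: !ruby/object:Gem::Requirement
@@ -259,7 +259,7 @@ licenses:
 - MIT
 metadata:
 bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
+changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.369.0
 rdoc_options: []
 require_paths:
 - lib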