dependabot-github_actions 0.112.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 5a3ec1ad6b33207b6d0973e12020412a62188e8b9b26c4280320e00ff659aa28
+  data.tar.gz: 1b0180a3946cd84dfe02b547a5e0036c40cabde26d91f9ec5410cd515583d23a
+SHA512:
+  metadata.gz: 107641af2a487bfd05182e3c76505a77f61d1da48e1a3f8b85e84e6164c5a3c0918d72bebc1f0923dfaa84107abd7a77681533adae7a18c928e50745734be419
+  data.tar.gz: e0d8681dd348e407476294903cde452d8ed2eb5374c27859a6340ab349251605278b83cc8262ee94bd2096f349d0a58bfc1f83db7b80b87c56acf44cd4846c10

data/lib/dependabot/github_actions/file_fetcher.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+
+module Dependabot
+  module GithubActions
+    class FileFetcher < Dependabot::FileFetchers::Base
+      def self.required_files_in?(filenames)
+        filenames.any? { |f| f == ".github" }
+      end
+
+      def self.required_files_message
+        "Repo must contain a .github/workflows repo with YAML files."
+      end
+
+      private
+
+      def fetch_files
+        fetched_files = []
+        fetched_files += correctly_encoded_workflow_files
+        fetched_files += referenced_local_workflow_files
+
+        return fetched_files if fetched_files.any?
+
+        if incorrectly_encoded_workflow_files.none?
+          raise(
+            Dependabot::DependencyFileNotFound,
+            File.join(directory, ".github/workflows/<anything>.yml")
+          )
+        else
+          raise(
+            Dependabot::DependencyFileNotParseable,
+            incorrectly_encoded_workflow_files.first.path
+          )
+        end
+      end
+
+      def workflow_files
+        @workflow_files ||=
+          repo_contents(dir: ".github/workflows", raise_errors: false).
+          select { |f| f.type == "file" && f.name.match?(/\.ya?ml$/) }.
+          map { |f| fetch_file_from_host(".github/workflows/#{f.name}") }
+      end
+
+      def referenced_local_workflow_files
+        # TODO: Fetch referenced local workflow files
+        []
+      end
+
+      def correctly_encoded_workflow_files
+        workflow_files.select { |f| f.content.valid_encoding? }
+      end
+
+      def incorrectly_encoded_workflow_files
+        workflow_files.reject { |f| f.content.valid_encoding? }
+      end
+    end
+  end
+end
+
+Dependabot::FileFetchers.
+  register("github_actions", Dependabot::GithubActions::FileFetcher)

data/lib/dependabot/github_actions/file_parser.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+require "yaml"
+
+require "dependabot/dependency"
+require "dependabot/file_parsers"
+require "dependabot/file_parsers/base"
+require "dependabot/errors"
+
+# For docs, see
+# https://help.github.com/en/articles/configuring-a-workflow#referencing-actions-in-your-workflow
+module Dependabot
+  module GithubActions
+    class FileParser < Dependabot::FileParsers::Base
+      require "dependabot/file_parsers/base/dependency_set"
+
+      GITHUB_REPO_REFERENCE = %r{
+        (?<owner>[\w.-]+)/
+        (?<repo>[\w.-]+)
+        (?<path>/[^\@]+)?
+        @(?<ref>.+)
+      }x.freeze
+
+      def parse
+        dependency_set = DependencySet.new
+
+        workflow_files.each do |file|
+          dependency_set += workfile_file_dependencies(file)
+        end
+
+        dependency_set.dependencies
+      end
+
+      private
+
+      def workfile_file_dependencies(file)
+        dependency_set = DependencySet.new
+
+        json = YAML.safe_load(file.content, aliases: true)
+        uses_strings = deep_fetch_uses(json).uniq
+
+        uses_strings.each do |string|
+          # TODO: Support Docker references and path references
+          if string.match?(GITHUB_REPO_REFERENCE)
+            dependency_set << build_github_dependency(file, string)
+          end
+        end
+
+        dependency_set
+      rescue Psych::SyntaxError, Psych::DisallowedClass, Psych::BadAlias
+        raise Dependabot::DependencyFileNotParseable, file.path
+      end
+
+      def build_github_dependency(file, string)
+        details = string.match(GITHUB_REPO_REFERENCE).named_captures
+        name = "#{details.fetch('owner')}/#{details.fetch('repo')}"
+        url = "https://github.com/#{name}"
+
+        Dependency.new(
+          name: name,
+          version: nil,
+          requirements: [{
+            requirement: nil,
+            groups: [],
+            source: {
+              type: "git",
+              url: url,
+              ref: details.fetch("ref"),
+              branch: nil
+            },
+            file: file.name,
+            metadata: { declaration_string: string }
+          }],
+          package_manager: "github_actions"
+        )
+      end
+
+      def deep_fetch_uses(json_obj)
+        case json_obj
+        when Hash then deep_fetch_uses_from_hash(json_obj)
+        when Array then json_obj.flat_map { |o| deep_fetch_uses(o) }
+        else []
+        end
+      end
+
+      def deep_fetch_uses_from_hash(json_object)
+        steps = json_object.fetch("steps", [])
+
+        uses_strings =
+          if steps.is_a?(Array) && steps.all? { |s| s.is_a?(Hash) }
+            steps.
+              map { |step| step.fetch("uses", nil) }.
+              select { |use| use.is_a?(String) }
+          else
+            []
+          end
+
+        uses_strings +
+          json_object.values.flat_map { |obj| deep_fetch_uses(obj) }
+      end
+
+      def workflow_files
+        # The file fetcher only fetches workflow files, so no need to
+        # filter here
+        dependency_files
+      end
+
+      def check_required_files
+        # Just check if there are any files at all.
+        return if dependency_files.any?
+
+        raise "No workflow files!"
+      end
+    end
+  end
+end
+
+Dependabot::FileParsers.
+  register("github_actions", Dependabot::GithubActions::FileParser)

data/lib/dependabot/github_actions/file_updater.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require "dependabot/file_updaters"
+require "dependabot/file_updaters/base"
+require "dependabot/errors"
+
+module Dependabot
+  module GithubActions
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      def self.updated_files_regex
+        [%r{\.github/workflows/.+\.ya?ml$}]
+      end
+
+      def updated_dependency_files
+        updated_files = []
+
+        dependency_files.each do |file|
+          next unless requirement_changed?(file, dependency)
+
+          updated_files <<
+            updated_file(
+              file: file,
+              content: updated_workflow_file_content(file)
+            )
+        end
+
+        updated_files.reject! { |f| dependency_files.include?(f) }
+        raise "No files changed!" if updated_files.none?
+
+        updated_files
+      end
+
+      private
+
+      def dependency
+        # GitHub Actions will only ever be updating a single dependency
+        dependencies.first
+      end
+
+      def check_required_files
+        # Just check if there are any files at all.
+        return if dependency_files.any?
+
+        raise "No workflow files!"
+      end
+
+      def updated_workflow_file_content(file)
+        updated_requirement_pairs =
+          dependency.requirements.zip(dependency.previous_requirements).
+          reject do |new_req, old_req|
+            next true if new_req[:file] != file.name
+
+            new_req[:source] == old_req[:source]
+          end
+
+        updated_content = file.content
+
+        updated_requirement_pairs.each do |new_req, old_req|
+          # TODO: Support updating Docker sources
+          next unless new_req.fetch(:source).fetch(:type) == "git"
+
+          old_declaration = old_req.fetch(:metadata).fetch(:declaration_string)
+          new_declaration =
+            old_declaration.
+            gsub(/@.*+/, "@#{new_req.fetch(:source).fetch(:ref)}")
+
+          updated_content = updated_content.
+                            gsub(old_declaration, new_declaration)
+        end
+
+        updated_content
+      end
+    end
+  end
+end
+
+Dependabot::FileUpdaters.
+  register("github_actions", Dependabot::GithubActions::FileUpdater)

data/lib/dependabot/github_actions/metadata_finder.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require "dependabot/metadata_finders"
+require "dependabot/metadata_finders/base"
+
+module Dependabot
+  module GithubActions
+    class MetadataFinder < Dependabot::MetadataFinders::Base
+      private
+
+      def look_up_source
+        info = dependency.requirements.map { |r| r[:source] }.compact.first
+
+        url = info[:url] || info.fetch("url")
+        Source.from_url(url)
+      end
+    end
+  end
+end
+
+Dependabot::MetadataFinders.
+  register("github_actions", Dependabot::GithubActions::MetadataFinder)

data/lib/dependabot/github_actions/requirement.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require "dependabot/utils"
+
+module Dependabot
+  module GithubActions
+    # Lifted from the bundler package manager
+    class Requirement < Gem::Requirement
+      # For consistency with other langauges, we define a requirements array.
+      # Ruby doesn't have an `OR` separator for requirements, so it always
+      # contains a single element.
+      def self.requirements_array(requirement_string)
+        [new(requirement_string)]
+      end
+
+      # Patches Gem::Requirement to make it accept requirement strings like
+      # "~> 4.2.5, >= 4.2.5.1" without first needing to split them.
+      def initialize(*requirements)
+        requirements = requirements.flatten.flat_map do |req_string|
+          req_string.split(",")
+        end
+
+        super(requirements)
+      end
+    end
+  end
+end
+
+Dependabot::Utils.register_requirement_class(
+  "github_actions",
+  Dependabot::GithubActions::Requirement
+)

data/lib/dependabot/github_actions/update_checker.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+require "dependabot/update_checkers"
+require "dependabot/update_checkers/base"
+require "dependabot/errors"
+require "dependabot/github_actions/version"
+require "dependabot/github_actions/requirement"
+
+module Dependabot
+  module GithubActions
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      def latest_version
+        @latest_version ||= fetch_latest_version
+      end
+
+      def latest_resolvable_version
+        # Resolvability isn't an issue for GitHub Actions.
+        latest_version
+      end
+
+      def latest_resolvable_version_with_no_unlock
+        # No concept of "unlocking" for GitHub Actions (since no lockfile)
+        dependency.version
+      end
+
+      def updated_requirements
+        dependency.requirements.map { |req| req.merge(source: updated_source) }
+      end
+
+      private
+
+      def latest_version_resolvable_with_full_unlock?
+        # Full unlock checks aren't relevant for GitHub Actions
+        false
+      end
+
+      def updated_dependencies_after_full_unlock
+        raise NotImplementedError
+      end
+
+      def fetch_latest_version
+        # TODO: Support Docker sources
+        return unless git_dependency?
+
+        fetch_latest_version_for_git_dependency
+      end
+
+      def fetch_latest_version_for_git_dependency
+        unless git_commit_checker.pinned?
+          return git_commit_checker.head_commit_for_current_branch
+        end
+
+        # If the dependency is pinned to a tag that looks like a version then
+        # we want to update that tag. The latest version will then be the SHA
+        # of the latest tag that looks like a version.
+        if git_commit_checker.pinned_ref_looks_like_version?
+          latest_tag = git_commit_checker.local_tag_for_latest_version
+          return latest_tag&.fetch(:commit_sha) || dependency.version
+        end
+
+        # If the dependency is pinned to a tag that doesn't look like a
+        # version then there's nothing we can do.
+        #
+        # TODO: Treat refs that look like SHAs differently
+        dependency.version
+      end
+
+      def updated_source
+        # TODO: Support Docker sources
+        return dependency_source_details unless git_dependency?
+
+        # Update the git tag if updating a pinned version
+        if git_commit_checker.pinned_ref_looks_like_version? &&
+           git_commit_checker.local_tag_for_latest_version
+          new_tag = git_commit_checker.local_tag_for_latest_version
+          return dependency_source_details.merge(ref: new_tag.fetch(:tag))
+        end
+
+        # Otherwise return the original source
+        dependency_source_details
+      end
+
+      def dependency_source_details
+        sources =
+          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
+
+        return sources.first if sources.count <= 1
+
+        # If there are multiple source types, or multiple source URLs, then it's
+        # unclear how we should proceed
+        if sources.map { |s| [s.fetch(:type), s[:url]] }.uniq.count > 1
+          raise "Multiple sources! #{sources.join(', ')}"
+        end
+
+        # Otherwise it's reasonable to take the first source and use that. This
+        # will happen if we have multiple git sources with difference references
+        # specified. In that case it's fine to update them all.
+        sources.first
+      end
+
+      def git_dependency?
+        git_commit_checker.git_dependency?
+      end
+
+      def git_commit_checker
+        @git_commit_checker ||= Dependabot::GitCommitChecker.new(
+          dependency: dependency,
+          credentials: credentials,
+          ignored_versions: ignored_versions
+        )
+      end
+    end
+  end
+end
+
+Dependabot::UpdateCheckers.
+  register("github_actions", Dependabot::GithubActions::UpdateChecker)

data/lib/dependabot/github_actions/version.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require "dependabot/utils"
+
+module Dependabot
+  module GithubActions
+    class Version < Gem::Version
+    end
+  end
+end
+
+Dependabot::Utils.
+  register_version_class("github_actions", Dependabot::GithubActions::Version)

data/lib/dependabot/github_actions.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+# These all need to be required so the various classes can be registered in a
+# lookup table of package manager names to concrete classes.
+require "dependabot/github_actions/file_fetcher"
+require "dependabot/github_actions/file_parser"
+require "dependabot/github_actions/update_checker"
+require "dependabot/github_actions/file_updater"
+require "dependabot/github_actions/metadata_finder"
+require "dependabot/github_actions/requirement"
+require "dependabot/github_actions/version"
+
+require "dependabot/pull_request_creator/labeler"
+Dependabot::PullRequestCreator::Labeler.
+  register_label_details(
+    "github_actions",
+    name: "github_actions",
+    colour: "000000"
+  )
+
+require "dependabot/dependency"
+Dependabot::Dependency.
+  register_production_check("github_actions", ->(_) { true })

metadata

@@ -0,0 +1,177 @@
+--- !ruby/object:Gem::Specification
+name: dependabot-github_actions
+version: !ruby/object:Gem::Version
+  version: 0.112.1
+platform: ruby
+authors:
+- Dependabot
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-08-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: dependabot-common
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.112.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.112.1
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+- !ruby/object:Gem::Dependency
+  name: rspec-its
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: rspec_junit_formatter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.74.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.74.0
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+description: Automated dependency management for Ruby, JavaScript, Python, PHP, Elixir,
+  Rust, Java, .NET, Elm and Go
+email: support@dependabot.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/dependabot/github_actions.rb
+- lib/dependabot/github_actions/file_fetcher.rb
+- lib/dependabot/github_actions/file_parser.rb
+- lib/dependabot/github_actions/file_updater.rb
+- lib/dependabot/github_actions/metadata_finder.rb
+- lib/dependabot/github_actions/requirement.rb
+- lib/dependabot/github_actions/update_checker.rb
+- lib/dependabot/github_actions/version.rb
+homepage: https://github.com/dependabot/dependabot-core
+licenses:
+- Nonstandard
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: GitHub Actions support for dependabot-common
+test_files: []