dependabot-github_actions 0.215.0 → 0.216.0
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f50d0f9ef87a92d54dcd28af02468c93ab84eb5f9108a1471cefd2d329d256f4
|
|
4
|
+
data.tar.gz: 408d6ec533ffe80eb5c1f0a26075654366cea3d1af5ceda65e1a0a7a38cdc758
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9af2df8aceeb3953a214ae35bf16da2fde043c5e1b6256c855b5d9511c259c87b57291a21ee7cad9f0e3d088fc9fafc4f350656228f76a7b58d6f3bd0005cf50
|
|
7
|
+
data.tar.gz: 42904c5ad4be0418b06a5b17afb476121e95f4df2c89a8e85a85df05f5b838474591b438111fe2410e72d3f9f52792749cd3c84b44b84cb26150c95937eabe87
|
|
@@ -21,7 +21,6 @@ module Dependabot
|
|
|
21
21
|
def fetch_files
|
|
22
22
|
fetched_files = []
|
|
23
23
|
fetched_files += correctly_encoded_workflow_files
|
|
24
|
-
fetched_files += referenced_local_workflow_files
|
|
25
24
|
|
|
26
25
|
return fetched_files if fetched_files.any?
|
|
27
26
|
|
|
@@ -66,11 +65,6 @@ module Dependabot
|
|
|
66
65
|
map { |f| fetch_file_from_host("#{workflows_dir}/#{f.name}") }
|
|
67
66
|
end
|
|
68
67
|
|
|
69
|
-
def referenced_local_workflow_files
|
|
70
|
-
# TODO: Fetch referenced local workflow files
|
|
71
|
-
[]
|
|
72
|
-
end
|
|
73
|
-
|
|
74
68
|
def correctly_encoded_workflow_files
|
|
75
69
|
workflow_files.select { |f| f.content.valid_encoding? }
|
|
76
70
|
end
|
|
@@ -17,7 +17,7 @@ module Dependabot
|
|
|
17
17
|
require "dependabot/file_parsers/base/dependency_set"
|
|
18
18
|
|
|
19
19
|
GITHUB_REPO_REFERENCE = %r{
|
|
20
|
-
(?<owner>[\w.-]+)/
|
|
20
|
+
^(?<owner>[\w.-]+)/
|
|
21
21
|
(?<repo>[\w.-]+)
|
|
22
22
|
(?<path>/[^\@]+)?
|
|
23
23
|
@(?<ref>.+)
|
|
@@ -40,11 +40,19 @@ module Dependabot
|
|
|
40
40
|
dependency_set = DependencySet.new
|
|
41
41
|
|
|
42
42
|
json = YAML.safe_load(file.content, aliases: true)
|
|
43
|
-
|
|
43
|
+
return dependency_set if json.nil?
|
|
44
|
+
|
|
45
|
+
uses_strings = deep_fetch_uses(json.fetch("jobs", json.fetch("runs", nil))).uniq
|
|
44
46
|
|
|
45
47
|
uses_strings.each do |string|
|
|
46
48
|
# TODO: Support Docker references and path references
|
|
47
|
-
|
|
49
|
+
next unless string.match?(GITHUB_REPO_REFERENCE)
|
|
50
|
+
|
|
51
|
+
dep = build_github_dependency(file, string)
|
|
52
|
+
git_checker = Dependabot::GitCommitChecker.new(dependency: dep, credentials: credentials)
|
|
53
|
+
next unless git_checker.pinned?
|
|
54
|
+
|
|
55
|
+
dependency_set << dep
|
|
48
56
|
end
|
|
49
57
|
|
|
50
58
|
dependency_set
|
|
@@ -53,10 +61,18 @@ module Dependabot
|
|
|
53
61
|
end
|
|
54
62
|
|
|
55
63
|
def build_github_dependency(file, string)
|
|
64
|
+
unless source.hostname == "github.com"
|
|
65
|
+
dep = github_dependency(file, string, source.hostname)
|
|
66
|
+
git_checker = Dependabot::GitCommitChecker.new(dependency: dep, credentials: credentials)
|
|
67
|
+
return dep if git_checker.git_repo_reachable?
|
|
68
|
+
end
|
|
69
|
+
|
|
70
|
+
github_dependency(file, string, "github.com")
|
|
71
|
+
end
|
|
72
|
+
|
|
73
|
+
def github_dependency(file, string, hostname)
|
|
56
74
|
details = string.match(GITHUB_REPO_REFERENCE).named_captures
|
|
57
75
|
name = "#{details.fetch('owner')}/#{details.fetch('repo')}"
|
|
58
|
-
url = "https://#{source.hostname}/#{name}"
|
|
59
|
-
|
|
60
76
|
ref = details.fetch("ref")
|
|
61
77
|
version = version_class.new(ref).to_s if version_class.correct?(ref)
|
|
62
78
|
Dependency.new(
|
|
@@ -67,7 +83,7 @@ module Dependabot
|
|
|
67
83
|
groups: [],
|
|
68
84
|
source: {
|
|
69
85
|
type: "git",
|
|
70
|
-
url:
|
|
86
|
+
url: "https://#{hostname}/#{name}",
|
|
71
87
|
ref: ref,
|
|
72
88
|
branch: nil
|
|
73
89
|
},
|
|
@@ -78,10 +94,10 @@ module Dependabot
|
|
|
78
94
|
)
|
|
79
95
|
end
|
|
80
96
|
|
|
81
|
-
def deep_fetch_uses(json_obj)
|
|
97
|
+
def deep_fetch_uses(json_obj, found_uses = [])
|
|
82
98
|
case json_obj
|
|
83
|
-
when Hash then deep_fetch_uses_from_hash(json_obj)
|
|
84
|
-
when Array then json_obj.flat_map { |o| deep_fetch_uses(o) }
|
|
99
|
+
when Hash then deep_fetch_uses_from_hash(json_obj, found_uses)
|
|
100
|
+
when Array then json_obj.flat_map { |o| deep_fetch_uses(o, found_uses) }
|
|
85
101
|
else []
|
|
86
102
|
end
|
|
87
103
|
end
|
|
@@ -103,20 +119,17 @@ module Dependabot
|
|
|
103
119
|
resolved.compact.each { |dep| dependency_set << dep }
|
|
104
120
|
end
|
|
105
121
|
|
|
106
|
-
def deep_fetch_uses_from_hash(json_object)
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
[]
|
|
116
|
-
end
|
|
122
|
+
def deep_fetch_uses_from_hash(json_object, found_uses)
|
|
123
|
+
if json_object.key?("uses")
|
|
124
|
+
found_uses << json_object["uses"]
|
|
125
|
+
elsif json_object.key?("steps")
|
|
126
|
+
# Bypass other fields as uses are under steps if they exist
|
|
127
|
+
deep_fetch_uses(json_object["steps"], found_uses)
|
|
128
|
+
else
|
|
129
|
+
json_object.values.flat_map { |obj| deep_fetch_uses(obj, found_uses) }
|
|
130
|
+
end
|
|
117
131
|
|
|
118
|
-
|
|
119
|
-
json_object.values.flat_map { |obj| deep_fetch_uses(obj) }
|
|
132
|
+
found_uses
|
|
120
133
|
end
|
|
121
134
|
|
|
122
135
|
def workflow_files
|
|
@@ -33,10 +33,9 @@ module Dependabot
|
|
|
33
33
|
lowest_security_fix_version
|
|
34
34
|
end
|
|
35
35
|
|
|
36
|
-
def updated_requirements
|
|
36
|
+
def updated_requirements
|
|
37
37
|
previous = dependency_source_details
|
|
38
38
|
updated = updated_source
|
|
39
|
-
return dependency.requirements if updated == previous
|
|
40
39
|
|
|
41
40
|
# Maintain a short git hash only if it matches the latest
|
|
42
41
|
if previous[:type] == "git" &&
|
|
@@ -1,10 +1,11 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
|
+
require "dependabot/version"
|
|
3
4
|
require "dependabot/utils"
|
|
4
5
|
|
|
5
6
|
module Dependabot
|
|
6
7
|
module GithubActions
|
|
7
|
-
class Version <
|
|
8
|
+
class Version < Dependabot::Version
|
|
8
9
|
def initialize(version)
|
|
9
10
|
version = Version.remove_leading_v(version)
|
|
10
11
|
super
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-github_actions
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.216.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2023-04-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,28 +16,28 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.216.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.216.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: debug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
30
30
|
requirements:
|
|
31
|
-
- - "
|
|
31
|
+
- - "~>"
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
|
-
version: 1.
|
|
33
|
+
version: 1.7.1
|
|
34
34
|
type: :development
|
|
35
35
|
prerelease: false
|
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
37
|
requirements:
|
|
38
|
-
- - "
|
|
38
|
+
- - "~>"
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
|
-
version: 1.
|
|
40
|
+
version: 1.7.1
|
|
41
41
|
- !ruby/object:Gem::Dependency
|
|
42
42
|
name: gpgme
|
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -58,14 +58,14 @@ dependencies:
|
|
|
58
58
|
requirements:
|
|
59
59
|
- - "~>"
|
|
60
60
|
- !ruby/object:Gem::Version
|
|
61
|
-
version: 4.
|
|
61
|
+
version: 4.2.0
|
|
62
62
|
type: :development
|
|
63
63
|
prerelease: false
|
|
64
64
|
version_requirements: !ruby/object:Gem::Requirement
|
|
65
65
|
requirements:
|
|
66
66
|
- - "~>"
|
|
67
67
|
- !ruby/object:Gem::Version
|
|
68
|
-
version: 4.
|
|
68
|
+
version: 4.2.0
|
|
69
69
|
- !ruby/object:Gem::Dependency
|
|
70
70
|
name: rake
|
|
71
71
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -86,70 +86,70 @@ dependencies:
|
|
|
86
86
|
requirements:
|
|
87
87
|
- - "~>"
|
|
88
88
|
- !ruby/object:Gem::Version
|
|
89
|
-
version: '3.
|
|
89
|
+
version: '3.12'
|
|
90
90
|
type: :development
|
|
91
91
|
prerelease: false
|
|
92
92
|
version_requirements: !ruby/object:Gem::Requirement
|
|
93
93
|
requirements:
|
|
94
94
|
- - "~>"
|
|
95
95
|
- !ruby/object:Gem::Version
|
|
96
|
-
version: '3.
|
|
96
|
+
version: '3.12'
|
|
97
97
|
- !ruby/object:Gem::Dependency
|
|
98
98
|
name: rspec-its
|
|
99
99
|
requirement: !ruby/object:Gem::Requirement
|
|
100
100
|
requirements:
|
|
101
101
|
- - "~>"
|
|
102
102
|
- !ruby/object:Gem::Version
|
|
103
|
-
version: '1.
|
|
103
|
+
version: '1.3'
|
|
104
104
|
type: :development
|
|
105
105
|
prerelease: false
|
|
106
106
|
version_requirements: !ruby/object:Gem::Requirement
|
|
107
107
|
requirements:
|
|
108
108
|
- - "~>"
|
|
109
109
|
- !ruby/object:Gem::Version
|
|
110
|
-
version: '1.
|
|
110
|
+
version: '1.3'
|
|
111
111
|
- !ruby/object:Gem::Dependency
|
|
112
112
|
name: rubocop
|
|
113
113
|
requirement: !ruby/object:Gem::Requirement
|
|
114
114
|
requirements:
|
|
115
115
|
- - "~>"
|
|
116
116
|
- !ruby/object:Gem::Version
|
|
117
|
-
version: 1.
|
|
117
|
+
version: 1.48.0
|
|
118
118
|
type: :development
|
|
119
119
|
prerelease: false
|
|
120
120
|
version_requirements: !ruby/object:Gem::Requirement
|
|
121
121
|
requirements:
|
|
122
122
|
- - "~>"
|
|
123
123
|
- !ruby/object:Gem::Version
|
|
124
|
-
version: 1.
|
|
124
|
+
version: 1.48.0
|
|
125
125
|
- !ruby/object:Gem::Dependency
|
|
126
126
|
name: rubocop-performance
|
|
127
127
|
requirement: !ruby/object:Gem::Requirement
|
|
128
128
|
requirements:
|
|
129
129
|
- - "~>"
|
|
130
130
|
- !ruby/object:Gem::Version
|
|
131
|
-
version: 1.
|
|
131
|
+
version: 1.17.1
|
|
132
132
|
type: :development
|
|
133
133
|
prerelease: false
|
|
134
134
|
version_requirements: !ruby/object:Gem::Requirement
|
|
135
135
|
requirements:
|
|
136
136
|
- - "~>"
|
|
137
137
|
- !ruby/object:Gem::Version
|
|
138
|
-
version: 1.
|
|
138
|
+
version: 1.17.1
|
|
139
139
|
- !ruby/object:Gem::Dependency
|
|
140
140
|
name: simplecov
|
|
141
141
|
requirement: !ruby/object:Gem::Requirement
|
|
142
142
|
requirements:
|
|
143
143
|
- - "~>"
|
|
144
144
|
- !ruby/object:Gem::Version
|
|
145
|
-
version: 0.
|
|
145
|
+
version: 0.22.0
|
|
146
146
|
type: :development
|
|
147
147
|
prerelease: false
|
|
148
148
|
version_requirements: !ruby/object:Gem::Requirement
|
|
149
149
|
requirements:
|
|
150
150
|
- - "~>"
|
|
151
151
|
- !ruby/object:Gem::Version
|
|
152
|
-
version: 0.
|
|
152
|
+
version: 0.22.0
|
|
153
153
|
- !ruby/object:Gem::Dependency
|
|
154
154
|
name: simplecov-console
|
|
155
155
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -182,33 +182,34 @@ dependencies:
|
|
|
182
182
|
name: vcr
|
|
183
183
|
requirement: !ruby/object:Gem::Requirement
|
|
184
184
|
requirements:
|
|
185
|
-
- -
|
|
185
|
+
- - "~>"
|
|
186
186
|
- !ruby/object:Gem::Version
|
|
187
|
-
version: 6.1
|
|
187
|
+
version: '6.1'
|
|
188
188
|
type: :development
|
|
189
189
|
prerelease: false
|
|
190
190
|
version_requirements: !ruby/object:Gem::Requirement
|
|
191
191
|
requirements:
|
|
192
|
-
- -
|
|
192
|
+
- - "~>"
|
|
193
193
|
- !ruby/object:Gem::Version
|
|
194
|
-
version: 6.1
|
|
194
|
+
version: '6.1'
|
|
195
195
|
- !ruby/object:Gem::Dependency
|
|
196
196
|
name: webmock
|
|
197
197
|
requirement: !ruby/object:Gem::Requirement
|
|
198
198
|
requirements:
|
|
199
199
|
- - "~>"
|
|
200
200
|
- !ruby/object:Gem::Version
|
|
201
|
-
version: '3.
|
|
201
|
+
version: '3.18'
|
|
202
202
|
type: :development
|
|
203
203
|
prerelease: false
|
|
204
204
|
version_requirements: !ruby/object:Gem::Requirement
|
|
205
205
|
requirements:
|
|
206
206
|
- - "~>"
|
|
207
207
|
- !ruby/object:Gem::Version
|
|
208
|
-
version: '3.
|
|
209
|
-
description:
|
|
210
|
-
|
|
211
|
-
|
|
208
|
+
version: '3.18'
|
|
209
|
+
description: Dependabot-GitHub_Actions provides support for bumping GitHub Actions
|
|
210
|
+
via Dependabot. If you want support for multiple package managers, you probably
|
|
211
|
+
want the meta-gem dependabot-omnibus.
|
|
212
|
+
email: opensource@github.com
|
|
212
213
|
executables: []
|
|
213
214
|
extensions: []
|
|
214
215
|
extra_rdoc_files: []
|
|
@@ -224,7 +225,9 @@ files:
|
|
|
224
225
|
homepage: https://github.com/dependabot/dependabot-core
|
|
225
226
|
licenses:
|
|
226
227
|
- Nonstandard
|
|
227
|
-
metadata:
|
|
228
|
+
metadata:
|
|
229
|
+
issue_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
230
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/blob/main/CHANGELOG.md
|
|
228
231
|
post_install_message:
|
|
229
232
|
rdoc_options: []
|
|
230
233
|
require_paths:
|
|
@@ -240,8 +243,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
240
243
|
- !ruby/object:Gem::Version
|
|
241
244
|
version: 3.1.0
|
|
242
245
|
requirements: []
|
|
243
|
-
rubygems_version: 3.3.
|
|
246
|
+
rubygems_version: 3.3.26
|
|
244
247
|
signing_key:
|
|
245
248
|
specification_version: 4
|
|
246
|
-
summary:
|
|
249
|
+
summary: Provides Dependabot support for GitHub Actions
|
|
247
250
|
test_files: []
|