RubyGems - dependabot-github_actions - Versions diffs - 0.217.0 → 0.218.0 - Mend

dependabot-github_actions 0.217.0 → 0.218.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml +4 -4
data/lib/dependabot/github_actions/file_parser.rb +14 -18
data/lib/dependabot/github_actions/update_checker.rb +27 -39
metadata +6 -6

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 36d47c58a74536e6423d1ceed66e879b3a19a349c14b680dde9b789df892deb6
-  data.tar.gz: deddf60f40c8883688e25616c1b05e0a628e27834ffbaa1b35e3b2d0214650aa
+  metadata.gz: e572366ec31aad3a9a81d885366d8f8a8da20b121645132818136daf35577a92
+  data.tar.gz: 69f81b7c6572274ec99770ffc42a1491ab5cd3dfa927a6ae6a6b815a9454f4e0
 SHA512:
-  metadata.gz: 71d251a430b31da476e7117bc3d2c2cc3d4d948d9a9ff307aba00f1cb83b2397b013947d59c471ee9f7285f0c07bc6fc3974df62a179b706be3c26f8801f3d99
-  data.tar.gz: f1207b632a941805f9368459d1f2d0b558ffcafea5f124bad42450f89e9c9f110d24000f92be3813630c7ce1b2d41205872ab4fad5e83c4df0a81653a97cc204
+  metadata.gz: c9d3c98345bf80e8fd28bf3754df8ce475c25893c7e1c4195ba850806acbb745468f322cff6117fbd947c0b8379b1d162e79df9458e5f35d13cb2bdb1a592bc3
+  data.tar.gz: cd344105c6690f8822b4c5299f3e8df1362d843d78a8b1da743b4e1cc6477d6c313bdeb9af60fb85c829b332c779f7c131ccf226304e44ec4159db4e2872341a

data/lib/dependabot/github_actions/file_parser.rb CHANGED Viewed

@@ -30,7 +30,6 @@ module Dependabot
           dependency_set += workfile_file_dependencies(file)
         end
-        resolve_git_tags(dependency_set)
         dependency_set.dependencies
       end
@@ -52,6 +51,20 @@ module Dependabot
           git_checker = Dependabot::GitCommitChecker.new(dependency: dep, credentials: credentials)
           next unless git_checker.pinned?
+          # If dep does not have an assigned (semver) version, look for a commit that references a semver tag
+          unless dep.version
+            resolved = git_checker.local_tag_for_pinned_sha
+            if resolved && version_class.correct?(resolved)
+              dep = Dependency.new(
+                name: dep.name,
+                version: version_class.new(resolved).to_s,
+                requirements: dep.requirements,
+                package_manager: dep.package_manager
+              )
+            end
+          end
           dependency_set << dep
         end
@@ -102,23 +115,6 @@ module Dependabot
         end
       end
-      def resolve_git_tags(dependency_set)
-        # Find deps that do not have an assigned (semver) version, but pin a commit that references a semver tag
-        resolved = dependency_set.dependencies.map do |dep|
-          next unless dep.version.nil?
-          git_checker = Dependabot::GitCommitChecker.new(dependency: dep, credentials: credentials)
-          resolved = git_checker.local_tag_for_pinned_sha
-          next if resolved.nil? || !version_class.correct?(resolved)
-          # Build a Dependency with the resolved version, and rely on DependencySet's merge
-          Dependency.new(name: dep.name, version: version_class.new(resolved).to_s,
-                         package_manager: dep.package_manager, requirements: [])
-        end
-        resolved.compact.each { |dep| dependency_set << dep }
-      end
       def deep_fetch_uses_from_hash(json_object, found_uses)
         if json_object.key?("uses")
           found_uses << json_object["uses"]

data/lib/dependabot/github_actions/update_checker.rb CHANGED Viewed

@@ -34,19 +34,23 @@ module Dependabot
       end
       def updated_requirements
-        previous = dependency_source_details
-        updated = updated_source
-        # Maintain a short git hash only if it matches the latest
-        if previous[:type] == "git" &&
-           previous[:url] == updated[:url] &&
-           updated[:ref]&.match?(/^[0-9a-f]{6,40}$/) &&
-           previous[:ref]&.match?(/^[0-9a-f]{6,40}$/) &&
-           updated[:ref]&.start_with?(previous[:ref])
-          return dependency.requirements
-        end
+        updated = updated_ref
+        dependency.requirements.map do |req|
+          next req unless updated
+          # Maintain a short git hash only if it matches the latest
+          if req[:type] == "git" &&
+             updated.match?(/^[0-9a-f]{6,40}$/) &&
+             req[:ref]&.match?(/^[0-9a-f]{6,40}$/) &&
+             updated.start_with?(req[:ref])
+            next req
+          end
-        dependency.requirements.map { |req| req.merge(source: updated) }
+          source = req[:source]
+          new_source = source.merge(ref: updated)
+          req.merge(source: new_source)
+        end
       end
       private
@@ -134,7 +138,7 @@ module Dependabot
           if head_commit_for_ref_sha
             head_commit_for_ref_sha
           else
-            url = dependency_source_details[:url]
+            url = git_commit_checker.dependency_source_details[:url]
             source = Source.from_url(url)
             SharedHelpers.in_a_temporary_directory(File.dirname(source.repo)) do |temp_dir|
@@ -143,7 +147,7 @@ module Dependabot
               SharedHelpers.run_shell_command("git clone --no-recurse-submodules #{url} #{repo_contents_path}")
               Dir.chdir(repo_contents_path) do
-                ref_branch = find_container_branch(dependency_source_details[:ref])
+                ref_branch = find_container_branch(git_commit_checker.dependency_source_details[:ref])
                 git_commit_checker.head_commit_for_local_branch(ref_branch)
               end
@@ -167,31 +171,31 @@ module Dependabot
           select { |tag| tag.fetch(:version) > current_version }
       end
-      def updated_source
+      def updated_ref
         # TODO: Support Docker sources
-        return dependency_source_details unless git_dependency?
+        return unless git_dependency?
         if vulnerable? &&
            (new_tag = lowest_security_fix_version_tag)
-          return dependency_source_details.merge(ref: new_tag.fetch(:tag))
+          return new_tag.fetch(:tag)
         end
-        # Update the git tag if updating a pinned version
+        # Return the git tag if updating a pinned version
         if git_commit_checker.pinned_ref_looks_like_version? &&
            (new_tag = latest_version_tag) &&
            new_tag.fetch(:commit_sha) != current_commit
-          return dependency_source_details.merge(ref: new_tag.fetch(:tag))
+          return new_tag.fetch(:tag)
         end
-        # Update the pinned git commit if one is available
+        # Return the pinned git commit if one is available
         if git_commit_checker.pinned_ref_looks_like_commit_sha? &&
            (new_commit_sha = latest_commit_sha) &&
            new_commit_sha != current_commit
-          return dependency_source_details.merge(ref: new_commit_sha)
+          return new_commit_sha
         end
-        # Otherwise return the original source
-        dependency_source_details
+        # Otherwise we can't update the ref
+        nil
       end
       def latest_commit_sha
@@ -205,22 +209,6 @@ module Dependabot
         end
       end
-      def dependency_source_details
-        sources =
-          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
-        return sources.first if sources.count <= 1
-        # If there are multiple source types, or multiple source URLs, then it's
-        # unclear how we should proceed
-        raise "Multiple sources! #{sources.join(', ')}" if sources.map { |s| [s.fetch(:type), s[:url]] }.uniq.count > 1
-        # Otherwise it's reasonable to take the first source and use that. This
-        # will happen if we have multiple git sources with difference references
-        # specified. In that case it's fine to update them all.
-        sources.first
-      end
       def current_commit
         git_commit_checker.head_commit_for_current_branch
       end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-github_actions
 version: !ruby/object:Gem::Version
-  version: 0.217.0
+  version: 0.218.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-04-24 00:00:00.000000000 Z
+date: 2023-05-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.217.0
+        version: 0.218.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.217.0
+        version: 0.218.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -226,8 +226,8 @@ homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - Nonstandard
 metadata:
-  issue_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/blob/main/CHANGELOG.md
+  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.218.0
 post_install_message:
 rdoc_options: []
 require_paths: