dependabot-github_actions 0.217.0 → 0.218.0
- checksums.yaml +4 -4
- data/lib/dependabot/github_actions/file_parser.rb +14 -18
- data/lib/dependabot/github_actions/update_checker.rb +27 -39
- metadata +6 -6
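--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: e572366ec31aad3a9a81d885366d8f8a8da20b121645132818136daf35577a92
+data.tar.gz: 69f81b7c6572274ec99770ffc42a1491ab5cd3dfa927a6ae6a6b815a9454f4e0
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c9d3c98345bf80e8fd28bf3754df8ce475c25893c7e1c4195ba850806acbb745468f322cff6117fbd947c0b8379b1d162e79df9458e5f35d13cb2bdb1a592bc3
+data.tar.gz: cd344105c6690f8822b4c5299f3e8df1362d843d78a8b1da743b4e1cc6477d6c313bdeb9af60fb85c829b332c779f7c131ccf226304e44ec4159db4e2872341a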
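--- a/data/lib/dependabot/github_actions/file_parser.rb
+++ b/data/lib/dependabot/github_actions/file_parser.rb
@@ -30,7 +30,6 @@ module Dependabot
 dependency_set += workfile_file_dependencies(file)
 end
 
-resolve_git_tags(dependency_set)
 dependency_set.dependencies
 end
 
@@ -52,6 +51,20 @@ module Dependabot
 git_checker = Dependabot::GitCommitChecker.new(dependency: dep, credentials: credentials)
 next unless git_checker.pinned?
 
+# If dep does not have an assigned (semver) version, look for a commit that references a semver tag
+unless dep.version
+resolved = git_checker.local_tag_for_pinned_sha
+
+if resolved && version_class.correct?(resolved)
+dep = Dependency.new(
+name: dep.name,
+version: version_class.new(resolved).to_s,
+requirements: dep.requirements,
+package_manager: dep.package_manager
+)
+end
+end
+
 dependency_set << dep
 end
 
@@ -102,23 +115,6 @@ module Dependabot
 end
 end
 
-def resolve_git_tags(dependency_set)
-# Find deps that do not have an assigned (semver) version, but pin a commit that references a semver tag
-resolved = dependency_set.dependencies.map do |dep|
-next unless dep.version.nil?
-
-git_checker = Dependabot::GitCommitChecker.new(dependency: dep, credentials: credentials)
-resolved = git_checker.local_tag_for_pinned_sha
-next if resolved.nil? || !version_class.correct?(resolved)
-
-# Build a Dependency with the resolved version, and rely on DependencySet's merge
-Dependency.new(name: dep.name, version: version_class.new(resolved).to_s,
-package_manager: dep.package_manager, requirements: [])
-end
-
-resolved.compact.each { |dep| dependency_set << dep }
-end
-
 def deep_fetch_uses_from_hash(json_object, found_uses)
 if json_object.key?("uses")
 found_uses << json_object["uses"]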
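Review bot: The comment introducing the new `unless dep.version` block in the `@@ -52` hunk says what is looked up but not what the lookup is allowed to change; the tag found by `local_tag_for_pinned_sha` is only used as a version label, and `requirements: dep.requirements` carries the originally parsed requirements (and with them the sha pin) forward unchanged, which is the property a reader of a supply-chain tool most wants to see confirmed. I would extend the comment with `# The tag only supplies a version label; the requirements (and their sha pin) are kept exactly as parsed.` The block also rebinds `dep`, which appears to be the iteration variable of a loop that begins outside the hunk (`next unless git_checker.pinned?` belongs to it); a distinct name such as `resolved_dep` would make the later `dependency_set << dep` easier to follow, though that is a style preference. The removed `resolve_git_tags` in the `@@ -102` hunk performed the same lookup after the loop with `requirements: []` and relied on the set's merge, so the inline version is also the one that makes the preserved requirements explicit.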
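--- a/data/lib/dependabot/github_actions/update_checker.rb
+++ b/data/lib/dependabot/github_actions/update_checker.rb
@@ -34,19 +34,23 @@ module Dependabot
 end
 
 def updated_requirements
-
-
-
-
-
-
-
-
-
-
-
+updated = updated_ref
+
+dependency.requirements.map do |req|
+next req unless updated
+
+# Maintain a short git hash only if it matches the latest
+if req[:type] == "git" &&
+updated.match?(/^[0-9a-f]{6,40}$/) &&
+req[:ref]&.match?(/^[0-9a-f]{6,40}$/) &&
+updated.start_with?(req[:ref])
+next req
+end
 
-
+source = req[:source]
+new_source = source.merge(ref: updated)
+req.merge(source: new_source)
+end
 end
 
 private
@@ -134,7 +138,7 @@ module Dependabot
 if head_commit_for_ref_sha
 head_commit_for_ref_sha
 else
-url = dependency_source_details[:url]
+url = git_commit_checker.dependency_source_details[:url]
 source = Source.from_url(url)
 
 SharedHelpers.in_a_temporary_directory(File.dirname(source.repo)) do |temp_dir|
@@ -143,7 +147,7 @@ module Dependabot
 SharedHelpers.run_shell_command("git clone --no-recurse-submodules #{url} #{repo_contents_path}")
 
 Dir.chdir(repo_contents_path) do
-ref_branch = find_container_branch(dependency_source_details[:ref])
+ref_branch = find_container_branch(git_commit_checker.dependency_source_details[:ref])
 
 git_commit_checker.head_commit_for_local_branch(ref_branch)
 end
@@ -167,31 +171,31 @@ module Dependabot
 select { |tag| tag.fetch(:version) > current_version }
 end
 
-def
+def updated_ref
 # TODO: Support Docker sources
-return
+return unless git_dependency?
 
 if vulnerable? &&
 (new_tag = lowest_security_fix_version_tag)
-return
+return new_tag.fetch(:tag)
 end
 
-#
+# Return the git tag if updating a pinned version
 if git_commit_checker.pinned_ref_looks_like_version? &&
 (new_tag = latest_version_tag) &&
 new_tag.fetch(:commit_sha) != current_commit
-return
+return new_tag.fetch(:tag)
 end
 
-#
+# Return the pinned git commit if one is available
 if git_commit_checker.pinned_ref_looks_like_commit_sha? &&
 (new_commit_sha = latest_commit_sha) &&
 new_commit_sha != current_commit
-return
+return new_commit_sha
 end
 
-# Otherwise
-
+# Otherwise we can't update the ref
+nil
 end
 
 def latest_commit_sha
@@ -205,22 +209,6 @@ module Dependabot
 end
 end
 
-def dependency_source_details
-sources =
-dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
-
-return sources.first if sources.count <= 1
-
-# If there are multiple source types, or multiple source URLs, then it's
-# unclear how we should proceed
-raise "Multiple sources! #{sources.join(', ')}" if sources.map { |s| [s.fetch(:type), s[:url]] }.uniq.count > 1
-
-# Otherwise it's reasonable to take the first source and use that. This
-# will happen if we have multiple git sources with difference references
-# specified. In that case it's fine to update them all.
-sources.first
-end
-
 def current_commit
 git_commit_checker.head_commit_for_current_branch
 end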
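Review bot: The two hash checks in the new `updated_requirements` body use `^`/`$`, which in Ruby anchor at line boundaries rather than at the ends of the string; `\A`/`\z` states the intended whole-string match exactly, i.e. `updated.match?(/\A[0-9a-f]{6,40}\z/) &&` and `req[:ref]&.match?(/\A[0-9a-f]{6,40}\z/) &&`. Values coming from git refs are unlikely to contain a newline, so this is a precision point rather than an observed fault, but the stricter anchors cost nothing and remove the question. Separately, `source.merge(ref: updated)` assumes every requirement that reaches that line has a non-nil `:source`; that presumably holds because `updated_ref` returns nil unless `git_dependency?`, yet a one-line comment such as `# updated_ref is nil for non-git deps, so req[:source] is present here` would record the assumption next to the call. `updated_requirements` ends inside the `@@ -34` hunk; the class continues outside it.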
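--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-github_actions
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.218.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-
+date: 2023-05-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.218.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.218.0
 - !ruby/object:Gem::Dependency
 name: debug
 requirement: !ruby/object:Gem::Requirement
@@ -226,8 +226,8 @@ homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - Nonstandard
 metadata:
-
-changelog_uri: https://github.com/dependabot/dependabot-core/
+bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
+changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.218.0
 post_install_message:
 rdoc_options: []
 require_paths: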