RubyGems - dependabot-github_actions - Versions diffs - 0.217.0 → 0.218.0 - Mend

dependabot-github_actions 0.217.0 → 0.218.0

Files changed (4) hide show

checksums.yaml +4 -4
data/lib/dependabot/github_actions/file_parser.rb +14 -18
data/lib/dependabot/github_actions/update_checker.rb +27 -39
metadata +6 -6

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 36d47c58a74536e6423d1ceed66e879b3a19a349c14b680dde9b789df892deb6
-  data.tar.gz: deddf60f40c8883688e25616c1b05e0a628e27834ffbaa1b35e3b2d0214650aa
+  metadata.gz: e572366ec31aad3a9a81d885366d8f8a8da20b121645132818136daf35577a92
+  data.tar.gz: 69f81b7c6572274ec99770ffc42a1491ab5cd3dfa927a6ae6a6b815a9454f4e0
 SHA512:
-  metadata.gz: 71d251a430b31da476e7117bc3d2c2cc3d4d948d9a9ff307aba00f1cb83b2397b013947d59c471ee9f7285f0c07bc6fc3974df62a179b706be3c26f8801f3d99
-  data.tar.gz: f1207b632a941805f9368459d1f2d0b558ffcafea5f124bad42450f89e9c9f110d24000f92be3813630c7ce1b2d41205872ab4fad5e83c4df0a81653a97cc204
+  metadata.gz: c9d3c98345bf80e8fd28bf3754df8ce475c25893c7e1c4195ba850806acbb745468f322cff6117fbd947c0b8379b1d162e79df9458e5f35d13cb2bdb1a592bc3
+  data.tar.gz: cd344105c6690f8822b4c5299f3e8df1362d843d78a8b1da743b4e1cc6477d6c313bdeb9af60fb85c829b332c779f7c131ccf226304e44ec4159db4e2872341a

data/lib/dependabot/github_actions/file_parser.rb CHANGED Viewed

@@ -30,7 +30,6 @@ module Dependabot
           dependency_set += workfile_file_dependencies(file)
         end
-        resolve_git_tags(dependency_set)
         dependency_set.dependencies
       end
@@ -52,6 +51,20 @@ module Dependabot
           git_checker = Dependabot::GitCommitChecker.new(dependency: dep, credentials: credentials)
           next unless git_checker.pinned?
+          # If dep does not have an assigned (semver) version, look for a commit that references a semver tag
+          unless dep.version
+            resolved = git_checker.local_tag_for_pinned_sha
+            if resolved && version_class.correct?(resolved)
+              dep = Dependency.new(
+                name: dep.name,
+                version: version_class.new(resolved).to_s,
+                requirements: dep.requirements,
+                package_manager: dep.package_manager
+              )
+            end
+          end
           dependency_set << dep
         end
@@ -102,23 +115,6 @@ module Dependabot
         end
       end
-      def resolve_git_tags(dependency_set)
-        # Find deps that do not have an assigned (semver) version, but pin a commit that references a semver tag
-        resolved = dependency_set.dependencies.map do |dep|
-          next unless dep.version.nil?
-          git_checker = Dependabot::GitCommitChecker.new(dependency: dep, credentials: credentials)
-          resolved = git_checker.local_tag_for_pinned_sha
-          next if resolved.nil? || !version_class.correct?(resolved)
-          # Build a Dependency with the resolved version, and rely on DependencySet's merge
-          Dependency.new(name: dep.name, version: version_class.new(resolved).to_s,
-                         package_manager: dep.package_manager, requirements: [])
-        end
-        resolved.compact.each { |dep| dependency_set << dep }
-      end
       def deep_fetch_uses_from_hash(json_object, found_uses)
         if json_object.key?("uses")
           found_uses << json_object["uses"]

data/lib/dependabot/github_actions/update_checker.rb CHANGED Viewed

@@ -34,19 +34,23 @@ module Dependabot
       end
       def updated_requirements
-        previous = dependency_source_details
-        updated = updated_source
-        # Maintain a short git hash only if it matches the latest
-        if previous[:type] == "git" &&
-           previous[:url] == updated[:url] &&
-           updated[:ref]&.match?(/^[0-9a-f]{6,40}$/) &&
-           previous[:ref]&.match?(/^[0-9a-f]{6,40}$/) &&
-           updated[:ref]&.start_with?(previous[:ref])
-          return dependency.requirements
-        end
+        updated = updated_ref
+        dependency.requirements.map do |req|
+          next req unless updated
+          # Maintain a short git hash only if it matches the latest
+          if req[:type] == "git" &&
+             updated.match?(/^[0-9a-f]{6,40}$/) &&
+             req[:ref]&.match?(/^[0-9a-f]{6,40}$/) &&
+             updated.start_with?(req[:ref])
+            next req
+          end
-        dependency.requirements.map { |req| req.merge(source: updated) }
+          source = req[:source]
+          new_source = source.merge(ref: updated)
+          req.merge(source: new_source)
+        end
       end
       private
@@ -134,7 +138,7 @@ module Dependabot
           if head_commit_for_ref_sha
             head_commit_for_ref_sha
           else
-            url = dependency_source_details[:url]
+            url = git_commit_checker.dependency_source_details[:url]
             source = Source.from_url(url)
             SharedHelpers.in_a_temporary_directory(File.dirname(source.repo)) do |temp_dir|
@@ -143,7 +147,7 @@ module Dependabot
               SharedHelpers.run_shell_command("git clone --no-recurse-submodules #{url} #{repo_contents_path}")
               Dir.chdir(repo_contents_path) do
-                ref_branch = find_container_branch(dependency_source_details[:ref])
+                ref_branch = find_container_branch(git_commit_checker.dependency_source_details[:ref])
                 git_commit_checker.head_commit_for_local_branch(ref_branch)
               end
@@ -167,31 +171,31 @@ module Dependabot
           select { |tag| tag.fetch(:version) > current_version }
       end
-      def updated_source
+      def updated_ref
         # TODO: Support Docker sources
-        return dependency_source_details unless git_dependency?
+        return unless git_dependency?
         if vulnerable? &&
            (new_tag = lowest_security_fix_version_tag)
-          return dependency_source_details.merge(ref: new_tag.fetch(:tag))
+          return new_tag.fetch(:tag)
         end
-        # Update the git tag if updating a pinned version
+        # Return the git tag if updating a pinned version
         if git_commit_checker.pinned_ref_looks_like_version? &&
            (new_tag = latest_version_tag) &&
            new_tag.fetch(:commit_sha) != current_commit
-          return dependency_source_details.merge(ref: new_tag.fetch(:tag))
+          return new_tag.fetch(:tag)
         end
-        # Update the pinned git commit if one is available
+        # Return the pinned git commit if one is available
         if git_commit_checker.pinned_ref_looks_like_commit_sha? &&
            (new_commit_sha = latest_commit_sha) &&
            new_commit_sha != current_commit
-          return dependency_source_details.merge(ref: new_commit_sha)
+          return new_commit_sha
         end
-        # Otherwise return the original source
-        dependency_source_details
+        # Otherwise we can't update the ref
+        nil
       end
       def latest_commit_sha
@@ -205,22 +209,6 @@ module Dependabot
         end
       end
-      def dependency_source_details
-        sources =
-          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
-        return sources.first if sources.count <= 1
-        # If there are multiple source types, or multiple source URLs, then it's
-        # unclear how we should proceed
-        raise "Multiple sources! #{sources.join(', ')}" if sources.map { |s| [s.fetch(:type), s[:url]] }.uniq.count > 1
-        # Otherwise it's reasonable to take the first source and use that. This
-        # will happen if we have multiple git sources with difference references
-        # specified. In that case it's fine to update them all.
-        sources.first
-      end
       def current_commit
         git_commit_checker.head_commit_for_current_branch
       end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-github_actions
 version: !ruby/object:Gem::Version
-  version: 0.217.0
+  version: 0.218.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-04-24 00:00:00.000000000 Z
+date: 2023-05-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.217.0
+        version: 0.218.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.217.0
+        version: 0.218.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -226,8 +226,8 @@ homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - Nonstandard
 metadata:
-  issue_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/blob/main/CHANGELOG.md
+  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.218.0
 post_install_message:
 rdoc_options: []
 require_paths: