dependabot-github_actions 0.382.0 → 0.383.0
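--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ef63b9b1d1fee089d9c18503e26ff40fa37182bc5df7d1a519d93e3a113a6191
+data.tar.gz: 7be6b96adaf0975d097e5c36d6cd1f22d4a6c9108d239669225159c99a3c3e67
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7ddf2f146e672a2771bccd5b4c60584a827694aed4c3ab173bb5a1246c2a6a71376440838274672d89704267d9125091df1af629d0cff2c2656fbb04622c8d57
+data.tar.gz: 3a52e9c3ea4172bff66eb7eec0184eec44e37f610fe196be7a32a6860ae9ad5b3f6e1b159828ab7f9e535309a62b034e9e67dadf5ba6a15a7dc8660228c7989f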
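--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -3,7 +3,9 @@
 
 require "sorbet-runtime"
 
+require "dependabot/clients/github_with_retries"
 require "dependabot/errors"
+require "dependabot/git_cooldown_date_resolver"
 require "dependabot/github_actions/file_parser"
 require "dependabot/github_actions/package/package_details_fetcher"
 require "dependabot/github_actions/requirement"
@@ -19,6 +21,7 @@ module Dependabot
 class UpdateChecker
 class LatestVersionFinder < Dependabot::Package::PackageLatestVersionFinder
 extend T::Sig
+include Dependabot::GitCooldownDateResolver
 
 sig do
 params(
@@ -126,6 +129,16 @@ module Dependabot
 )
 end
 
+sig { override.returns(T.nilable(String)) }
+def cooldown_source_url
+@git_helper.git_commit_checker.dependency_source_details&.fetch(:url)
+end
+
+sig { override.returns(T::Array[Dependabot::Credential]) }
+def cooldown_credentials
+@credentials
+end
+
 private
 
 sig { returns(T.nilable(Dependabot::GithubActions::Package::PackageDetailsFetcher)) }
@@ -235,36 +248,70 @@ module Dependabot
 []
 end
 
+# Returns the release date for the latest version tag.
+# Priority: GitHub Release published_at > tag creation date > commit date.
+# This ensures re-tagged or republished releases are evaluated based on
+# when they were actually made available.
 sig { returns(T.nilable(String)) }
 def commit_metadata_details
 @commit_metadata_details ||= T.let(
-
-url = @git_helper.git_commit_checker.dependency_source_details&.fetch(:url)
-source = T.must(Source.from_url(url))
-
-SharedHelpers.in_a_temporary_directory(File.dirname(source.repo)) do |temp_dir|
-repo_contents_path = File.join(temp_dir, File.basename(source.repo))
-
-SharedHelpers.run_shell_command("git clone --bare --no-recurse-submodules #{url} #{repo_contents_path}")
-Dir.chdir(repo_contents_path) do
-date = SharedHelpers.run_shell_command(
-"git show --no-patch --format=\"%cd\" " \
-"--date=iso #{commit_ref}"
-)
-Dependabot.logger.info("Found release date : #{Time.parse(date)}")
-return date
-end
-end
-rescue StandardError => e
-msg = "Error (github actions) while checking release date for #{dependency.name}: #{e.message}"
-Dependabot.logger.warn(msg)
-
-nil
-end,
+resolve_commit_metadata_details,
 T.nilable(String)
 )
 end
 
+sig { returns(T.nilable(String)) }
+def resolve_commit_metadata_details
+# First, try GitHub Release published_at via Octokit
+tag_name = latest_version_tag&.fetch(:tag, nil)
+normalized_tag = tag_name ? normalize_tag_name(tag_name) : nil
+if normalized_tag
+release_date = github_release_published_at(normalized_tag)
+if release_date
+Dependabot.logger.info("Found release date from GitHub Release: #{release_date}")
+return release_date.iso8601
+end
+end
+
+# Fallback to git-based date detection
+fetch_date_from_git(normalized_tag)
+rescue StandardError => e
+msg = "Error (github actions) while checking release date for #{dependency.name}: #{e.message}"
+Dependabot.logger.warn(msg)
+nil
+end
+
+sig { params(tag_name: T.nilable(String)).returns(T.nilable(String)) }
+def fetch_date_from_git(tag_name)
+url = cooldown_source_url
+source = T.must(Source.from_url(url))
+
+SharedHelpers.in_a_temporary_directory(File.dirname(source.repo)) do |temp_dir|
+repo_contents_path = File.join(temp_dir, File.basename(source.repo))
+
+SharedHelpers.run_shell_command("git clone --bare --no-recurse-submodules #{url} #{repo_contents_path}")
+Dir.chdir(repo_contents_path) do
+date = if tag_name
+tag_date = SharedHelpers.run_shell_command(
+"git for-each-ref --format=\"%(creatordate:iso)\" " \
+"\"refs/tags/#{tag_name}\"",
+fingerprint: "git for-each-ref --format=\"%(creatordate:iso)\" \"refs/tags/<tag_name>\""
+).strip
+tag_date.empty? ? nil : tag_date
+end
+
+date ||= SharedHelpers.run_shell_command(
+"git show --no-patch --format=\"%cd\" " \
+"--date=iso #{commit_ref}",
+fingerprint: "git show --no-patch --format=\"%cd\" --date=iso <commit_ref>"
+).strip
+
+Dependabot.logger.info("Found release date : #{Time.parse(date)}")
+date
+end
+end
+end
+
 sig { params(release_date: T.nilable(String)).returns(T::Boolean) }
 def check_if_version_in_cooldown_period?(release_date)
 return false unless release_date&.length&.positive?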
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-github_actions
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.383.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
@@ -15,14 +15,14 @@ dependencies:
|
|
|
15
15
|
requirements:
|
|
16
16
|
- - '='
|
|
17
17
|
- !ruby/object:Gem::Version
|
|
18
|
-
version: 0.
|
|
18
|
+
version: 0.383.0
|
|
19
19
|
type: :runtime
|
|
20
20
|
prerelease: false
|
|
21
21
|
version_requirements: !ruby/object:Gem::Requirement
|
|
22
22
|
requirements:
|
|
23
23
|
- - '='
|
|
24
24
|
- !ruby/object:Gem::Version
|
|
25
|
-
version: 0.
|
|
25
|
+
version: 0.383.0
|
|
26
26
|
- !ruby/object:Gem::Dependency
|
|
27
27
|
name: debug
|
|
28
28
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -259,7 +259,7 @@ licenses:
|
|
|
259
259
|
- MIT
|
|
260
260
|
metadata:
|
|
261
261
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
262
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
262
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.383.0
|
|
263
263
|
rdoc_options: []
|
|
264
264
|
require_paths:
|
|
265
265
|
- lib
|