dependabot-helm 0.310.0 → 0.312.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 46d34de989ab4d8315a05e165d2aa34693f40ad3fd03c21d40842e375e7a9d89
-  data.tar.gz: a134496cc57eb7f7ddf42a81529d94a89de236ea94738de017d4fc73039d2b88
+  metadata.gz: 034761fd0f260a06f555e91f7e19c96531f823530884a262390ad2a82d5f73bd
+  data.tar.gz: ccf1ecda062f31553fb91e27fba1750cdd68b028fb5bcf78f259c84e22316fa5
 SHA512:
-  metadata.gz: a5c039462fbc357f23e3bcabb596b34e694d9d3f8ab75e6aceab1c734f46bbac6fd7d39d76ec9da37e21925bcacc0bf149a2f1f569579232b8d06e185ff5a778
-  data.tar.gz: 898d936f36e271c6719847f8bfca1274cc9b30d1509792776798ed88a8d87b898b8ea4c0ca96a1bff774be1a2d063d9e46bb8a32dcc19b25b8bf9fcb85449a99
+  metadata.gz: bed08c60f4edace21c4365a03592573e539a626ffe249c5b9d9f2964f81ae1c63814d788d02873bbe647a5d7e2b65dac13ac249137798ce59e3225fe2c95b39a
+  data.tar.gz: 18975d419fac875e3e5e634241471b53c275298c9ee2dd373a47b86dc24f8a1387e284c356e52a301b181930f931dc06781e5f06eba21f6c5a9d3adbc726091b

data/lib/dependabot/helm/helpers.rb

@@ -66,6 +66,31 @@ module Dependabot
         )
         raise
       end
+
+      sig { params(username: String, password: String, repository_url: String).returns(String) }
+      def self.oci_registry_login(username, password, repository_url)
+        Dependabot.logger.info("Logging into OCI registry \"#{repository_url}\"")
+
+        Dependabot::SharedHelpers.run_shell_command(
+          "oras login --username #{username} --password #{password} #{repository_url}",
+          fingerprint: "oras login --username <username> --password <password> <repository_url>"
+        )
+      rescue StandardError => e
+        Dependabot.logger.error(
+          "Failed to authenticate for #{repository_url}: #{e.message}"
+        )
+        raise
+      end
+
+      sig { params(name: String).returns(String) }
+      def self.fetch_oci_tags(name)
+        Dependabot.logger.info("Searching OCI tags for: #{name}")
+
+        Dependabot::SharedHelpers.run_shell_command(
+          "oras repo tags #{name}",
+          fingerprint: "oras repo tags <name>"
+        ).strip
+      end
     end
   end
 end

data/lib/dependabot/helm/package_manager.rb

@@ -3,7 +3,7 @@
 
 require "sorbet-runtime"
 require "dependabot/ecosystem"
-require "dependabot/docker/version"
+require "dependabot/helm/version"
 
 module Dependabot
   module Helm

data/lib/dependabot/helm/update_checker.rb

@@ -5,7 +5,7 @@ require "sorbet-runtime"
 require "dependabot/update_checkers"
 require "dependabot/update_checkers/base"
 require "dependabot/errors"
-require "dependabot/docker/version"
+require "dependabot/helm/version"
 require "dependabot/docker/requirement"
 require "dependabot/shared/utils/credentials_finder"
 require "dependabot/shared_helpers"
@@ -191,6 +191,19 @@ module Dependabot
         raise PrivateSourceAuthenticationFailure, repo_url
       end
 
+      sig { params(repo_url: T.nilable(String)).returns(T.nilable(String)) }
+      def authenticate_oci_registry_source(repo_url)
+        return unless repo_url
+
+        repo_creds = Shared::Utils::CredentialsFinder.new(@credentials, private_repository_type: "helm_registry")
+                                                     .credentials_for_registry(repo_url)
+        return unless repo_creds
+
+        Helpers.oci_registry_login(T.must(repo_creds["username"]), T.must(repo_creds["password"]), repo_url)
+      rescue StandardError
+        raise PrivateSourceAuthenticationFailure, repo_url
+      end
+
       sig { returns(T.nilable(Gem::Version)) }
       def fetch_latest_chart_version
         chart_name = dependency.name
@@ -201,9 +214,35 @@ module Dependabot
         releases = fetch_releases_with_helm_cli(chart_name, repo_name, repo_url)
         return releases if releases
 
+        tag = fetch_latest_oci_tag(chart_name, repo_url) if repo_url&.start_with?("oci://")
+        return tag if tag
+
         fetch_releases_from_index(chart_name, repo_url)
       end
 
+      sig { params(chart_name: String, repo_url: String).returns(T.nilable(Gem::Version)) }
+      def fetch_latest_oci_tag(chart_name, repo_url)
+        tags = fetch_oci_tags(chart_name, repo_url)
+        return nil unless tags && !tags.empty?
+
+        valid_tags = filter_valid_versions(tags)
+        return nil if valid_tags.empty?
+
+        highest_tag = valid_tags.map { |v| version_class.new(v) }.max
+        Dependabot.logger.info("Highest valid OCI tag for #{chart_name} is #{highest_tag}")
+        highest_tag
+      end
+
+      sig { params(chart_name: String, repo_url: String).returns(T.nilable(T::Array[String])) }
+      def fetch_oci_tags(chart_name, repo_url)
+        Dependabot.logger.info("Fetching OCI tags for #{repo_url}")
+        oci_registry = repo_url.gsub("oci://", "")
+        authenticate_oci_registry_source(repo_url)
+
+        release_tags = Helpers.fetch_oci_tags("#{oci_registry}/#{chart_name}").split("\n")
+        release_tags.map { |tag| tag.tr("_", "+") }
+      end
+
       sig { params(repo_url: T.nilable(String)).returns(T.nilable(String)) }
       def extract_repo_name(repo_url)
         return nil unless repo_url

data/lib/dependabot/helm/version.rb

@@ -0,0 +1,100 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "dependabot/version"
+require "dependabot/utils"
+require "dependabot/docker/tag"
+require "sorbet-runtime"
+
+module Dependabot
+  module Helm
+    # In the special case of Java, the version string may also contain
+    # optional "update number" and "identifier" components.
+    # See https://www.oracle.com/java/technologies/javase/versioning-naming.html
+    # for a description of Java versions.
+    #
+    class Version < Dependabot::Version
+      extend T::Sig
+      # The regex has limits for the 0,255 and 1,255 repetitions to avoid infinite limits which makes codeql angry.
+      # A docker image cannot be longer than 255 characters anyways.
+      HELM_VERSION_REGEX = /^(?<prefix>[a-z._\-]{0,255})[_\-v]?(?<version>[^+]{1,255})(\+(?<digest>.+))?$/
+
+      sig { override.params(version: VersionParameter).void }
+      def initialize(version)
+        parsed_version = version.to_s.match(HELM_VERSION_REGEX)
+        release_part, update_part = T.must(T.must(parsed_version)[:version]).split("_", 2)
+
+        # The numeric_version is needed here to validate the version string (ex: 20.9.0-alpine3.18)
+        # when the call is made via Dependabot Api to convert the image version to semver.
+        release_part = Dependabot::Docker::Tag.new(
+          T.must(release_part).chomp(".").chomp("-").chomp("_")
+        ).numeric_version
+
+        @digest = T.let(T.must(parsed_version)[:digest], T.nilable(String))
+        @release_part = T.let(Dependabot::Version.new(T.must(release_part).tr("-", ".")), Dependabot::Version)
+        @update_part = T.let(
+          Dependabot::Version.new(update_part&.start_with?(/[0-9]/) ? update_part : 0),
+          Dependabot::Version
+        )
+
+        super(@release_part)
+      end
+
+      sig { override.params(version: VersionParameter).returns(T::Boolean) }
+      def self.correct?(version)
+        return true if version.is_a?(Gem::Version)
+
+        # We can't call new here because Gem::Version calls self.correct? in its initialize method
+        # causing an infinite loop, so instead we check if the release_part of the version is correct
+        parsed_version = version.to_s.match(HELM_VERSION_REGEX)
+        return false if parsed_version.nil?
+
+        release_part, = T.must(parsed_version[:version]).split("_", 2)
+        release_part = Dependabot::Docker::Tag.new(
+          T.must(release_part).chomp(".").chomp("-").chomp("_")
+        ).numeric_version
+        return false unless release_part
+
+        super(release_part.to_s)
+      rescue ArgumentError
+        # if we can't instantiate a version, it can't be correct
+        false
+      end
+
+      sig { override.returns(String) }
+      def to_semver
+        @release_part.to_semver
+      end
+
+      sig { returns(T::Array[String]) }
+      def segments
+        @release_part.segments
+      end
+
+      sig { returns(T.nilable(String)) }
+      def to_s
+        return nil if @release_part.nil?
+
+        version_string = @release_part.to_s
+        version_string += "+#{@digest}" unless @digest.nil?
+        version_string
+      end
+
+      sig { returns(Dependabot::Version) }
+      attr_reader :release_part
+
+      sig { params(other: Dependabot::Helm::Version).returns(T.nilable(Integer)) }
+      def <=>(other)
+        sort_criteria <=> other.sort_criteria
+      end
+
+      sig { returns(T::Array[Dependabot::Version]) }
+      def sort_criteria
+        [@release_part, @update_part]
+      end
+    end
+  end
+end
+
+Dependabot::Utils
+  .register_version_class("helm", Dependabot::Helm::Version)

data/lib/dependabot/helm.rb

@@ -11,10 +11,12 @@ require "dependabot/helm/file_parser"
 require "dependabot/helm/file_updater"
 require "dependabot/helm/update_checker"
 
-Dependabot::Utils.register_version_class("helm", Dependabot::Docker::Version)
 Dependabot::Utils.register_requirement_class("helm", Dependabot::Docker::Requirement)
 Dependabot::MetadataFinders.register("helm", Dependabot::Docker::MetadataFinder)
 
+require "dependabot/helm/version"
+Dependabot::Utils.register_version_class("helm", Dependabot::Helm::Version)
+
 require "dependabot/pull_request_creator/labeler"
 Dependabot::PullRequestCreator::Labeler
   .register_label_details("helm", name: "helm", colour: "E5F2FC")

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-helm
 version: !ruby/object:Gem::Version
-  version: 0.310.0
+  version: 0.312.0
 platform: ruby
 authors:
 - Dependabot
 bindir: bin
 cert_chain: []
-date: 2025-04-24 00:00:00.000000000 Z
+date: 2025-05-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -15,42 +15,42 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.310.0
+        version: 0.312.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.310.0
+        version: 0.312.0
 - !ruby/object:Gem::Dependency
   name: dependabot-docker
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.310.0
+        version: 0.312.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.310.0
+        version: 0.312.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.9.2
+        version: '1.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.9.2
+        version: '1.9'
 - !ruby/object:Gem::Dependency
   name: gpgme
   requirement: !ruby/object:Gem::Requirement
@@ -71,14 +71,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '13'
+        version: '13.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '13'
+        version: '13.2'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -113,98 +113,98 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.9.2
+        version: '1.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.9.2
+        version: '1.9'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.67.0
+        version: '1.67'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.67.0
+        version: '1.67'
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.22.1
+        version: '1.22'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.22.1
+        version: '1.22'
 - !ruby/object:Gem::Dependency
   name: rubocop-rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.29.1
+        version: '2.29'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.29.1
+        version: '2.29'
 - !ruby/object:Gem::Dependency
   name: rubocop-sorbet
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.7
+        version: '0.8'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.7
+        version: '0.8'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.22.0
+        version: '0.22'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.22.0
+        version: '0.22'
 - !ruby/object:Gem::Dependency
   name: turbo_tests
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: '2.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: '2.2'
 - !ruby/object:Gem::Dependency
   name: vcr
   requirement: !ruby/object:Gem::Requirement
@@ -237,16 +237,16 @@ dependencies:
   name: webrick
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '1.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '1.9'
 description: Dependabot-Helm provides support for bumping Helm image tags via Dependabot.
   If you want support for multiple package managers, you probably want the meta-gem
   dependabot-omnibus.
@@ -265,12 +265,13 @@ files:
 - lib/dependabot/helm/helpers.rb
 - lib/dependabot/helm/package_manager.rb
 - lib/dependabot/helm/update_checker.rb
+- lib/dependabot/helm/version.rb
 homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.310.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.312.0
 rdoc_options: []
 require_paths:
 - lib