dependabot-helm 0.302.0 → 0.303.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6aff5fba7351aca9138cda923c9f15b308c4cc05185fba589fda95eb09560ae1
-  data.tar.gz: ae1d94b09275d5cfd7764b6465c39d9b93b446fdf80ee5822dea1032522eec2e
+  metadata.gz: 53be03f1fcf2d32d85e040547378b00c860458ae23f782cba4fd437de7defa44
+  data.tar.gz: 3d55823e45e4fa2e31b80603e0613f1929b0f2512cd34bc39a49a88c8a8aa647
 SHA512:
-  metadata.gz: 69f08273fb1022d70271b457b7212115881f6320fd1fc2cc05f5bfb34c15c19a54581656a133ed1c44570a2af4f5045a66b87abf5ce5118ddde8dcf316e4a0f1
-  data.tar.gz: e0ccd801ddc647007f2868f5d6d834320ec7e01da5d7f6bddca40ef766628fe589865982d530cb31ede447a663370de40213b57b4c5c64a99efbd9ed4e8e4ec4
+  metadata.gz: fd62305c3145cf79ee84cc653d50a8ad1cf0f77855c80c4dce6932e92c20835447d6b99c63453bc3fb1fa23ecdad0960ab363ac414cba6a4e2a159e5fc0c8888
+  data.tar.gz: 57c31fc74e516b7eeade03b18959bc902f546ccd39b22263a6dc0bf7b5c76e63a0d414be88bf41364d850f07ef5f76bea01a475561cd2dcd16584f4a2514edd8

data/lib/dependabot/helm/file_fetcher.rb

@@ -7,11 +7,15 @@ module Dependabot
   module Helm
     class FileFetcher < Dependabot::Shared::SharedFileFetcher
       FILENAME_REGEX = /.*\.ya?ml$/i
+      CHART_LOCK_REGEXP = /Chart\.lock/i
 
       sig { override.returns(T::Array[DependencyFile]) }
       def fetch_files
+        return [] unless allow_beta_ecosystems?
+
         fetched_files = []
-        fetched_files += correctly_encoded_helm_files if allow_beta_ecosystems?
+        fetched_files += correctly_encoded_helm_files
+        fetched_files += chart_locks
 
         return fetched_files if fetched_files.any?
 
@@ -31,6 +35,14 @@ module Dependabot
           .map { |f| fetch_file_from_host(f.name) }, T.nilable(T::Array[DependencyFile]))
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def chart_locks
+        @chart_locks ||=
+          T.let(repo_contents(raise_errors: false)
+          .select { |f| f.type == "file" && f.name.match?(CHART_LOCK_REGEXP) }
+          .map { |f| fetch_file_from_host(f.name) }, T.nilable(T::Array[DependencyFile]))
+      end
+
       sig { returns(T::Array[Dependabot::DependencyFile]) }
       def correctly_encoded_helm_files
         helm_files.select { |f| T.must(f.content).valid_encoding? }

data/lib/dependabot/helm/file_parser.rb

@@ -11,7 +11,9 @@ module Dependabot
       extend T::Sig
 
       CHART_YAML = /.*chart\.ya?ml$/i
+      CHART_LOCK = /.*chart\.lock$/i
       VALUES_YAML = /.*values\.ya?ml$/i
+      DEFAULT_REPOSITORY = "https://charts.helm.sh/stable"
 
       sig { returns(Ecosystem) }
       def ecosystem
@@ -41,26 +43,38 @@ module Dependabot
       end
       def parse_dependencies(yaml, chart_file, dependency_set)
         yaml["dependencies"].each do |dep|
-          next unless dep.is_a?(Hash) && dep["name"] && dep["version"] && dep["repository"]
+          next unless dep.is_a?(Hash) && dep["name"] && dep["version"]
 
           parsed_line = {
             "image" => dep["name"],
             "tag" => dep["version"],
-            "registry" => dep["repository"],
+            "registry" => repository_from_registry(dep["repository"]),
             "digest" => nil
           }
 
           dependency = build_dependency(chart_file, parsed_line, dep["version"])
-          dependency.requirements.map! do |req|
-            req[:metadata] = {} unless req[:metadata]
-            req[:metadata][:type] = :helm_chart
-            req
-          end
+          add_dependency_type_to_dependency(dependency, :helm_chart)
 
           dependency_set << dependency
         end
       end
 
+      sig { params(dependency: Dependabot::Dependency, type: Symbol).void }
+      def add_dependency_type_to_dependency(dependency, type)
+        dependency.requirements.map! do |req|
+          req[:metadata] = {} unless req[:metadata]
+          req[:metadata][:type] = type
+          req
+        end
+      end
+
+      sig { params(repository: T.nilable(String)).returns(String) }
+      def repository_from_registry(repository)
+        return DEFAULT_REPOSITORY if repository.nil?
+
+        repository
+      end
+
       sig { params(dependency_set: DependencySet).void }
       def parse_chart_yaml_files(dependency_set)
         helm_chart_files.each do |chart_file|
@@ -85,8 +99,7 @@ module Dependabot
             next unless version
 
             dependency = build_dependency(values_file, parsed_line, version)
-            T.must(dependency.requirements.first)[:source] =
-              T.must(dependency.requirements.first)[:source].merge(path: image_details[:path])
+            add_dependency_type_to_dependency(dependency, :docker_image)
 
             dependency_set << dependency
           end

data/lib/dependabot/helm/file_updater/chart_updater.rb

@@ -0,0 +1,76 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/shared_helpers"
+require "dependabot/dependency"
+require "dependabot/shared/shared_file_updater"
+require "fileutils"
+require "tmpdir"
+
+module Dependabot
+  module Helm
+    class FileUpdater < Dependabot::Shared::SharedFileUpdater
+      class ChartUpdater
+        extend T::Sig
+
+        sig do
+          params(
+            dependency: Dependabot::Dependency
+          ).void
+        end
+        def initialize(dependency:)
+          @dependency = dependency
+        end
+
+        sig { params(file: Dependabot::DependencyFile).returns(T.nilable(String)) }
+        def updated_chart_yaml_content(file)
+          content = file.content
+          yaml_obj = YAML.safe_load(T.must(content))
+
+          content = update_chart_dependencies(T.must(content), yaml_obj, file)
+
+          raise "Expected content to change!" if content == file.content
+
+          content
+        end
+
+        private
+
+        sig { returns(Dependabot::Dependency) }
+        attr_reader :dependency
+
+        sig do
+          params(content: String, yaml_obj: T::Hash[T.untyped, T.untyped],
+                 file: Dependabot::DependencyFile).returns(String)
+        end
+        def update_chart_dependencies(content, yaml_obj, file)
+          if update_chart_dependency?(file) && yaml_obj["dependencies"]
+            yaml_obj["dependencies"].each do |dep|
+              next unless dep["name"] == dependency.name
+
+              old_version = dep["version"].to_s
+              new_version = dependency.version
+
+              pattern = /
+              (\s+-\s+name:\s+#{Regexp.escape(dependency.name)}.*?\n\s+)
+              (version:\s+)
+              ["']?#{Regexp.escape(old_version)}["']?
+            /mx
+              content = content.gsub(pattern) do |match|
+                match.gsub(/version: ["']?#{Regexp.escape(old_version)}["']?/, "version: #{new_version}")
+              end
+            end
+          end
+          content
+        end
+
+        sig { params(file: Dependabot::DependencyFile).returns(T::Boolean) }
+        def update_chart_dependency?(file)
+          reqs = dependency.requirements.select { |r| r[:file] == file.name }
+          reqs.any? { |r| r[:metadata]&.dig(:type) == :helm_chart }
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/helm/file_updater/image_updater.rb

@@ -0,0 +1,116 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "dependabot/shared/shared_file_updater"
+require "dependabot/dependency"
+require "dependabot/dependency_file"
+require "yaml"
+
+module Dependabot
+  module Helm
+    class FileUpdater < Dependabot::Shared::SharedFileUpdater
+      class ImageUpdater
+        extend T::Sig
+        extend T::Helpers
+
+        sig { params(dependency: Dependency, dependency_files: T::Array[Dependabot::DependencyFile]).void }
+        def initialize(dependency:, dependency_files:)
+          @dependency_files = dependency_files
+          @dependency = dependency
+        end
+
+        sig { params(file_name: String).returns(T.nilable(String)) }
+        def updated_values_yaml_content(file_name)
+          value_file = dependency_files.find { |f| f.name.match?(file_name) }
+          raise "Expected a values.yaml file to exist!" if value_file.nil?
+
+          content = value_file.content
+          yaml_stream = YAML.parse_stream(T.must(content))
+
+          update_image_tags_recursive(yaml_stream, T.must(content))
+        end
+
+        private
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        attr_reader :dependency_files
+        sig { returns(Dependabot::Dependency) }
+        attr_reader :dependency
+
+        sig { params(yaml_stream: Psych::Nodes::Stream, content: String).returns(String) }
+        def update_image_tags_recursive(yaml_stream, content)
+          updated_content = content.dup.split("\n")
+
+          yaml_stream.children.each do |document|
+            document.children.each do |root_node|
+              updated_content = find_and_update_images(root_node, updated_content)
+            end
+          end
+
+          updated_content = updated_content.join("\n")
+
+          raise "Expected content to change!" if content == updated_content
+
+          updated_content
+        end
+
+        sig { params(node: Psych::Nodes::Node, content: T::Array[String]).returns(T::Array[String]) }
+        def find_and_update_images(node, content)
+          if node.is_a?(Psych::Nodes::Mapping)
+            content = process_mapping_node(node, content)
+          elsif node.is_a?(Psych::Nodes::Sequence)
+            content = process_sequence_node(node, content)
+          end
+
+          content
+        end
+
+        sig { params(node: Psych::Nodes::Node, content: T::Array[String]).returns(T::Array[String]) }
+        def process_mapping_node(node, content)
+          node.children.each_slice(2) do |key_node, value_node|
+            next unless key_node.is_a?(Psych::Nodes::Scalar)
+
+            key = key_node.value
+            content = process_image_key(key, value_node, content)
+
+            if value_node.is_a?(Psych::Nodes::Mapping) || value_node.is_a?(Psych::Nodes::Sequence)
+              content = find_and_update_images(value_node, content)
+            end
+          end
+          content
+        end
+
+        sig { params(node: Psych::Nodes::Node, content: T::Array[String]).returns(T::Array[String]) }
+        def process_sequence_node(node, content)
+          node.children.reduce(content) do |updated_content, child|
+            find_and_update_images(child, updated_content)
+          end
+        end
+
+        sig { params(key: String, value_node: Psych::Nodes::Node, content: T::Array[String]).returns(T::Array[String]) }
+        def process_image_key(key, value_node, content)
+          return content unless key == "image" && value_node.is_a?(Psych::Nodes::Mapping)
+
+          dependency_name = dependency.name
+          dependency_version = T.must(dependency.version)
+          dependency_requirements = dependency.requirements
+
+          has_dependency = value_node.children.any? { |n| n.value == dependency_name }
+          return content unless has_dependency
+
+          dependency_requirements.each do |req|
+            next unless req[:metadata][:type] == :docker_image
+
+            version_scalar = value_node.children.find { |n| n.value == req[:source][:tag] }
+            next unless version_scalar
+
+            line = version_scalar.start_line
+            content[line] = T.must(content[line]).gsub(req[:source][:tag], dependency_version)
+          end
+
+          content
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/helm/file_updater/lock_file_generator.rb

@@ -0,0 +1,63 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/shared_helpers"
+require "dependabot/dependency"
+require "dependabot/shared/shared_file_updater"
+require "dependabot/helm/helpers"
+require "fileutils"
+require "tmpdir"
+
+module Dependabot
+  module Helm
+    class FileUpdater < Dependabot::Shared::SharedFileUpdater
+      class LockFileGenerator
+        extend T::Sig
+
+        sig do
+          params(
+            dependencies: T::Array[Dependabot::Dependency],
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            repo_contents_path: String,
+            credentials: T::Array[Dependabot::Credential]
+          ).void
+        end
+        def initialize(dependencies:, dependency_files:, repo_contents_path:, credentials:)
+          @dependencies = dependencies
+          @dependency_files = dependency_files
+          @repo_contents_path = repo_contents_path
+          @credentials = credentials
+        end
+
+        sig { params(chart_lock: Dependabot::DependencyFile, updated_content: String).returns(String) }
+        def updated_chart_lock(chart_lock, updated_content)
+          SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
+            SharedHelpers.with_git_configured(credentials: credentials) do
+              File.write("Chart.yaml", updated_content)
+              Helpers.update_lock
+
+              File.read(chart_lock.name)
+            end
+          end
+        end
+
+        private
+
+        sig { returns(T::Array[Dependabot::Dependency]) }
+        attr_reader :dependencies
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        attr_reader :dependency_files
+        sig { returns(String) }
+        attr_reader :repo_contents_path
+        sig { returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
+
+        sig { returns(String) }
+        def base_dir
+          T.must(dependency_files.first).directory
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/helm/file_updater.rb

@@ -2,6 +2,9 @@
 # frozen_string_literal: true
 
 require "dependabot/shared/shared_file_updater"
+require "dependabot/helm/file_updater/lock_file_generator"
+require "dependabot/helm/file_updater/image_updater"
+require "dependabot/helm/file_updater/chart_updater"
 require "yaml"
 
 module Dependabot
@@ -11,6 +14,7 @@ module Dependabot
       extend T::Helpers
 
       CHART_YAML_REGEXP = /Chart\.ya?ml/i
+      CHART_LOCK_REGEXP = /Chart\.lock/i
       VALUES_YAML_REGEXP = /values(?>\.[\w-]+)?\.ya?ml/i
       YAML_REGEXP = /(Chart|values(?>\.[\w-]+)?)\.ya?ml/i
       IMAGE_REGEX = /(?:image:|repository:\s*)/i
@@ -47,14 +51,17 @@ module Dependabot
           next unless requirement_changed?(file, T.must(dependency))
 
           if file.name.match?(CHART_YAML_REGEXP)
+            updated_content = chart_updater.updated_chart_yaml_content(file)
             updated_files << updated_file(
               file: file,
-              content: T.must(updated_chart_yaml_content(file))
+              content: T.must(updated_content)
             )
+
+            updated_files.concat(update_chart_locks(T.must(updated_content))) if chart_locks
           elsif file.name.match?(VALUES_YAML_REGEXP)
             updated_files << updated_file(
               file: file,
-              content: T.must(updated_values_yaml_content(file))
+              content: T.must(image_updater.updated_values_yaml_content(file.name))
             )
           end
         end
@@ -67,141 +74,52 @@ module Dependabot
 
       private
 
-      sig do
-        params(content: String, yaml_obj: T::Hash[T.untyped, T.untyped],
-               file: Dependabot::DependencyFile).returns(String)
-      end
-      def update_chart_dependencies(content, yaml_obj, file)
-        if update_chart_dependency?(file)
-          yaml_obj["dependencies"].each do |dep|
-            next unless dep["name"] == T.must(dependency).name
-
-            old_version = dep["version"].to_s
-            new_version = T.must(dependency).version
-
-            pattern = /
-              (\s+-\sname:\s#{Regexp.escape(T.must(dependency).name)}.*?\n\s+version:\s)
-              ["']?#{Regexp.escape(old_version)}["']?
-            /mx
-            content = content.gsub(pattern) do |match|
-              match.gsub(/version: ["']?#{Regexp.escape(old_version)}["']?/, "version: #{new_version}")
-            end
-          end
+      sig { params(updated_content: String).returns(T::Array[Dependabot::DependencyFile]) }
+      def update_chart_locks(updated_content)
+        chart_locks.map do |chart_lock|
+          updated_file(
+            file: chart_lock,
+            content: updated_chart_lock_content(chart_lock, updated_content)
+          )
         end
-        content
-      end
-
-      sig { params(file: Dependabot::DependencyFile).returns(T.nilable(String)) }
-      def updated_chart_yaml_content(file)
-        content = file.content
-        yaml_obj = YAML.safe_load(T.must(content))
-
-        content = update_chart_dependencies(T.must(content), yaml_obj, file)
-
-        raise "Expected content to change!" if content == file.content
-
-        content
-      end
-
-      sig { params(content: String, path: String, old_tag: String, new_tag: String).returns(String) }
-      def update_tag(content, path, old_tag, new_tag)
-        indent_pattern = get_indent_pattern(content, path)
-        tag_pattern = /#{indent_pattern}tag:\s+["']?#{Regexp.escape(old_tag)}["']?/
-        content.gsub(tag_pattern, "#{indent_pattern}tag: #{new_tag}")
       end
 
-      sig { params(content: String, path: String, old_image: String, new_image: String).returns(String) }
-      def update_image(content, path, old_image, new_image)
-        indent_pattern = get_indent_pattern(content, path)
-        image_pattern = /#{indent_pattern}image:\s+["']?#{Regexp.escape(old_image)}["']?/
-        content.gsub(image_pattern, "#{indent_pattern}image: #{new_image}")
+      sig { returns(LockFileGenerator) }
+      def lockfile_updater
+        @lockfile_updater ||= T.let(LockFileGenerator.new(
+                                      dependencies: dependencies,
+                                      dependency_files: dependency_files,
+                                      repo_contents_path: T.must(repo_contents_path),
+                                      credentials: credentials
+                                    ), T.nilable(Dependabot::Helm::FileUpdater::LockFileGenerator))
       end
 
-      sig { params(content: String, path_parts: T::Array[String]).returns(String) }
-      def update_tag_in_content(content, path_parts)
-        parent_path = T.must(path_parts[0...-1]).join(".")
-        old_tag = T.must(dependency).previous_version
-        new_tag = T.must(dependency).version
-        update_tag(content, parent_path, T.must(old_tag), T.must(new_tag))
+      sig { returns(ImageUpdater) }
+      def image_updater
+        @image_updater ||= T.let(ImageUpdater.new(dependency: T.must(dependency), dependency_files: dependency_files),
+                                 T.nilable(Dependabot::Helm::FileUpdater::ImageUpdater))
       end
 
-      sig { params(content: String, path: String, req: T::Hash[Symbol, T.untyped]).returns(String) }
-      def update_image_in_content(content, path, req)
-        old_image = build_old_image_string(req)
-        new_image = build_new_image_string(req)
-        update_image(content, path, old_image, new_image)
-      end
-
-      sig { params(file: Dependabot::DependencyFile).returns(T.nilable(String)) }
-      def updated_values_yaml_content(file)
-        content = file.content
-        req = T.must(dependency).requirements.find { |r| r[:file] == file.name }
-
-        if update_container_image?(file) && req&.dig(:source, :path)
-          path = req.dig(:source, :path).to_s
-          path_parts = path.split(".")
-
-          content = if path_parts.last == "tag"
-                      update_tag_in_content(T.must(content), path_parts)
-                    elsif path_parts.last == "image"
-                      update_image_in_content(T.must(content), path, req)
-                    else
-                      content
-                    end
-        end
-
-        raise "Expected content to change!" if content == file.content
-
-        content
-      end
-
-      sig { params(content: String, path: String).returns(String) }
-      def get_indent_pattern(content, path)
-        path_parts = path.split(".")
-        indent = T.let("", T.untyped)
-
-        path_parts.each do |part|
-          pattern = /^(#{indent}\s*)#{part}:/
-          if content.match(pattern)
-            indent = T.must(T.must(content.match(pattern))[1]) + "  " # Add 2 spaces for next level
-          end
-        end
-
-        indent
-      end
-
-      sig { params(requirement: T::Hash[Symbol, T.untyped]).returns(String) }
-      def build_old_image_string(requirement)
-        old_source = requirement.fetch(:source)
-        prefix = old_source[:registry] ? "#{old_source[:registry]}/" : ""
-        name = T.must(dependency).name
-        tag = T.must(dependency).previous_version
-        digest = old_source[:digest] ? "@sha256:#{old_source[:digest]}" : ""
-
-        "#{prefix}#{name}:#{tag}#{digest}"
-      end
-
-      sig { params(requirement: T::Hash[Symbol, T.untyped]).returns(String) }
-      def build_new_image_string(requirement)
-        new_source = requirement.fetch(:source)
-        prefix = new_source[:registry] ? "#{new_source[:registry]}/" : ""
-        name = T.must(dependency).name
-        tag = T.must(dependency).version
-        digest = new_source[:digest] ? "@sha256:#{new_source[:digest]}" : ""
-
-        "#{prefix}#{name}:#{tag}#{digest}"
+      sig { returns(ChartUpdater) }
+      def chart_updater
+        @chart_updater ||= T.let(ChartUpdater.new(dependency: T.must(dependency)),
+                                 T.nilable(Dependabot::Helm::FileUpdater::ChartUpdater))
       end
 
-      sig { params(file: Dependabot::DependencyFile).returns(T::Boolean) }
-      def update_chart_dependency?(file)
-        reqs = T.must(dependency).requirements.select { |r| r[:file] == file.name }
-        reqs.any? { |r| r[:metadata]&.dig(:type) == :helm_chart }
+      sig { params(chart_lock: Dependabot::DependencyFile, updated_content: String).returns(String) }
+      def updated_chart_lock_content(chart_lock, updated_content)
+        @updated_chart_lock_content ||= T.let({}, T.nilable(T::Hash[String, T.nilable(String)]))
+        @updated_chart_lock_content[chart_lock.name] ||=
+          lockfile_updater.updated_chart_lock(chart_lock, updated_content)
       end
 
-      sig { params(file: Dependabot::DependencyFile).returns(T::Boolean) }
-      def update_container_image?(file)
-        reqs = T.must(dependency).requirements.select { |r| r[:file] == file.name }
-        reqs.any? { |r| r[:groups]&.include?("image") }
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def chart_locks
+        @chart_locks ||= T.let(
+          dependency_files
+            .select { |f| f.name.match(CHART_LOCK_REGEXP) },
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
       end
     end
   end

data/lib/dependabot/helm/helpers.rb

@@ -0,0 +1,56 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/dependency"
+require "dependabot/file_parsers"
+require "dependabot/file_parsers/base"
+require "dependabot/shared_helpers"
+require "sorbet-runtime"
+
+module Dependabot
+  module Helm
+    module Helpers
+      extend T::Sig
+
+      sig { params(name: String).returns(String) }
+      def self.search_releases(name)
+        Dependabot.logger.info("Searching Helm repository for: #{name}")
+
+        Dependabot::SharedHelpers.run_shell_command(
+          "helm search repo #{name} --versions --output=json",
+          fingerprint: "helm search repo <name> --versions --output=json"
+        ).strip
+      end
+
+      sig { params(repo_name: String, repo_url: String).returns(String) }
+      def self.add_repo(repo_name, repo_url)
+        Dependabot.logger.info("Adding Helm repository: #{repo_name} (#{repo_url})")
+
+        Dependabot::SharedHelpers.run_shell_command(
+          "helm repo add #{repo_name} #{repo_url}",
+          fingerprint: "helm repo add <repo_name> <repo_url>"
+        )
+      end
+
+      sig { returns(String) }
+      def self.update_repo
+        Dependabot.logger.info("Updating Helm repositories")
+
+        Dependabot::SharedHelpers.run_shell_command(
+          "helm repo update",
+          fingerprint: "helm repo update"
+        )
+      end
+
+      sig { returns(String) }
+      def self.update_lock
+        Dependabot.logger.info("Updating Building Lock File")
+
+        Dependabot::SharedHelpers.run_shell_command(
+          "helm dependency update",
+          fingerprint: "helm dependency update"
+        )
+      end
+    end
+  end
+end

data/lib/dependabot/helm/update_checker.rb

@@ -8,8 +8,11 @@ require "dependabot/errors"
 require "dependabot/docker/version"
 require "dependabot/docker/requirement"
 require "dependabot/shared/utils/credentials_finder"
+require "dependabot/shared_helpers"
 require "excon"
 require "yaml"
+require "json"
+require "dependabot/helm/helpers"
 
 module Dependabot
   module Helm
@@ -38,10 +41,7 @@ module Dependabot
         dependency.requirements.map do |req|
           updated_metadata = req.fetch(:metadata).dup
           updated_req = req.dup
-          if updated_metadata.key?(:type) && updated_metadata[:type] == :helm_chart
-            updated_req[:requirement] = latest_version.to_s
-            updated_req[:source][:tag] = latest_version.to_s
-          end
+          updated_req[:requirement] = latest_version.to_s if updated_metadata.key?(:type)
 
           updated_req
         end
@@ -49,6 +49,68 @@ module Dependabot
 
       private
 
+      sig { override.returns(T::Array[Dependabot::Dependency]) }
+      def updated_dependencies_after_full_unlock
+        raise NotImplementedError
+      end
+
+      sig do
+        params(chart_name: String, repo_name: T.nilable(String),
+               repo_url: T.nilable(String)).returns(T.nilable(Gem::Version))
+      end
+      def fetch_releases_with_helm_cli(chart_name, repo_name, repo_url)
+        Dependabot.logger.info("Attempting to search for #{chart_name} using helm CLI")
+        releases = fetch_chart_releases(chart_name, repo_name, repo_url)
+
+        return nil unless releases && !releases.empty?
+
+        valid_releases = filter_valid_releases(releases)
+        return nil if valid_releases.empty?
+
+        highest_release = valid_releases.max_by { |release| version_class.new(release["version"]) }
+        Dependabot.logger.info(
+          "Found latest version #{T.must(highest_release)['version']} for #{chart_name} using helm search"
+        )
+        version_class.new(T.must(highest_release)["version"])
+      end
+
+      sig { params(chart_name: String, repo_url: T.nilable(String)).returns(T.nilable(Gem::Version)) }
+      def fetch_releases_from_index(chart_name, repo_url)
+        Dependabot.logger.info("Falling back to index.yaml search for #{chart_name}")
+        return nil unless repo_url
+
+        index_url = build_index_url(repo_url)
+        index = fetch_helm_chart_index(index_url)
+        return nil unless index && index["entries"] && index["entries"][chart_name]
+
+        all_versions = index["entries"][chart_name].map { |entry| entry["version"] }
+        Dependabot.logger.info("Found #{all_versions.length} versions for #{chart_name} in index.yaml")
+
+        valid_versions = filter_valid_versions(all_versions)
+        Dependabot.logger.info("After filtering, found #{valid_versions.length} valid versions for #{chart_name}")
+
+        return nil if valid_versions.empty?
+
+        highest_version = valid_versions.map { |v| version_class.new(v) }.max
+        Dependabot.logger.info("Highest valid version for #{chart_name} is #{highest_version}")
+
+        highest_version
+      end
+
+      sig { params(releases: T::Array[T::Hash[String, T.untyped]]).returns(T::Array[T::Hash[String, T.untyped]]) }
+      def filter_valid_releases(releases)
+        releases.reject do |release|
+          version_class.new(release["version"]) <= version_class.new(dependency.version) ||
+            ignore_requirements.any? { |r| r.satisfied_by?(version_class.new(release["version"])) }
+        end
+      end
+
+      sig { params(repo_url: String).returns(String) }
+      def build_index_url(repo_url)
+        repo_url_trimmed = repo_url.to_s.strip.chomp("/")
+        "#{repo_url_trimmed}/index.yaml"
+      end
+
       sig { override.returns(T::Boolean) }
       def latest_version_resolvable_with_full_unlock?
         false
@@ -64,9 +126,9 @@ module Dependabot
       sig { returns(T.nilable(T.any(String, Gem::Version))) }
       def fetch_latest_version
         case dependency_type
-        when :chart_dependency
+        when :helm_chart
           fetch_latest_chart_version
-        when :image_reference
+        when :docker_image
           fetch_latest_image_version
         else
           Gem::Version.new(dependency.version)
@@ -76,11 +138,66 @@ module Dependabot
       sig { returns(Symbol) }
       def dependency_type
         req = dependency.requirements.first
+        type = T.must(req).dig(:metadata, :type)
 
-        return :image_reference if T.must(req)[:groups]&.include?("image")
-        return :chart_dependency if T.must(req).dig(:metadata, :type) == :helm_chart
+        type || :unknown
+      end
 
-        :unknown
+      sig do
+        params(chart_name: String, repo_name: T.nilable(String),
+               repo_url: T.nilable(String)).returns(T.nilable(T::Array[T::Hash[String, T.untyped]]))
+      end
+      def fetch_chart_releases(chart_name, repo_name = nil, repo_url = nil)
+        Dependabot.logger.info("Fetching releases for Helm chart: #{chart_name}")
+
+        if repo_name && repo_url
+          begin
+            Helpers.add_repo(repo_name, repo_url)
+            Helpers.update_repo
+          rescue StandardError => e
+            Dependabot.logger.error("Error adding/updating Helm repository: #{e.message}")
+          end
+        end
+
+        begin
+          search_command = repo_name ? "#{repo_name}/#{chart_name}" : chart_name
+          Dependabot.logger.info("Searching for: #{search_command}")
+
+          json_output = Helpers.search_releases(search_command)
+          return nil if json_output.empty?
+
+          releases = JSON.parse(json_output)
+          Dependabot.logger.info("Found #{releases.length} releases for #{chart_name}")
+          releases
+        rescue StandardError => e
+          Dependabot.logger.error("Error fetching chart releases: #{e.message}")
+          nil
+        end
+      end
+
+      sig { returns(T.nilable(Gem::Version)) }
+      def fetch_latest_chart_version
+        chart_name = dependency.name
+        source = dependency.requirements.first&.dig(:source)
+        repo_url = source&.dig(:registry)
+        repo_name = extract_repo_name(repo_url)
+
+        releases = fetch_releases_with_helm_cli(chart_name, repo_name, repo_url)
+        return releases if releases
+
+        fetch_releases_from_index(chart_name, repo_url)
+      end
+
+      sig { params(repo_url: T.nilable(String)).returns(T.nilable(String)) }
+      def extract_repo_name(repo_url)
+        return nil unless repo_url
+
+        name = repo_url.gsub(%r{^https?://}, "")
+        name = name.chomp("/")
+        name = name.gsub(/[^a-zA-Z0-9-]/, "-")
+        name = "repo-#{name}" unless name.match?(/^[a-zA-Z0-9]/)
+
+        name
       end
 
       sig { params(index_url: String).returns(T.nilable(T::Hash[T.untyped, T.untyped])) }
@@ -113,32 +230,6 @@ module Dependabot
       end
 
       sig { returns(T.nilable(Gem::Version)) }
-      def fetch_latest_chart_version
-        source_url = dependency.requirements.first&.dig(:source, :registry)
-        return nil unless source_url
-
-        repo_url = source_url.to_s.strip.chomp("/")
-        chart_name = dependency.name
-        index_url = "#{repo_url}/index.yaml"
-
-        index = fetch_helm_chart_index(index_url)
-        return nil unless index && index["entries"] && index["entries"][chart_name]
-
-        all_versions = index["entries"][chart_name].map { |entry| entry["version"] }
-        Dependabot.logger.info("Found #{all_versions.length} versions for #{chart_name}")
-
-        valid_versions = filter_valid_versions(all_versions)
-        Dependabot.logger.info("After filtering, found #{valid_versions.length} valid versions for #{chart_name}")
-
-        return nil if valid_versions.empty?
-
-        highest_version = valid_versions.map { |v| version_class.new(v) }.max
-        Dependabot.logger.info("Highest valid version for #{chart_name} is #{highest_version}")
-
-        highest_version
-      end
-
-      sig { returns(T.nilable(String)) }
       def fetch_latest_image_version
         docker_dependency = build_docker_dependency
 
@@ -153,12 +244,11 @@ module Dependabot
           raise_on_ignored: raise_on_ignored
         )
 
-        latest = docker_checker.latest_version
-        latest_version_str = latest&.to_s
+        latest_version = docker_checker.latest_version
 
-        Dependabot.logger.info("Docker UpdateChecker found latest version: #{latest_version_str || 'none'}")
+        Dependabot.logger.info("Docker UpdateChecker found latest version: #{latest_version || 'none'}")
 
-        latest_version_str
+        version_class.new(latest_version)
       end
 
       sig { returns(Dependabot::Dependency) }
@@ -175,7 +265,7 @@ module Dependabot
           end
         end
 
-        registry = source[:registry] || "docker.io"
+        registry = source[:registry] || nil
 
         Dependency.new(
           name: name,

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-helm
 version: !ruby/object:Gem::Version
-  version: 0.302.0
+  version: 0.303.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-03-20 00:00:00.000000000 Z
+date: 2025-03-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.302.0
+        version: 0.303.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.302.0
+        version: 0.303.0
 - !ruby/object:Gem::Dependency
   name: dependabot-docker
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.302.0
+        version: 0.303.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.302.0
+        version: 0.303.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -170,14 +170,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.5
+        version: 0.8.7
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.5
+        version: 0.8.7
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -260,6 +260,10 @@ files:
 - lib/dependabot/helm/file_fetcher.rb
 - lib/dependabot/helm/file_parser.rb
 - lib/dependabot/helm/file_updater.rb
+- lib/dependabot/helm/file_updater/chart_updater.rb
+- lib/dependabot/helm/file_updater/image_updater.rb
+- lib/dependabot/helm/file_updater/lock_file_generator.rb
+- lib/dependabot/helm/helpers.rb
 - lib/dependabot/helm/package_manager.rb
 - lib/dependabot/helm/update_checker.rb
 homepage: https://github.com/dependabot/dependabot-core
@@ -267,7 +271,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.302.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.303.0
 post_install_message:
 rdoc_options: []
 require_paths: