dependabot-helm 0.310.0 → 0.311.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/dependabot/helm/helpers.rb +25 -0
- data/lib/dependabot/helm/package_manager.rb +1 -1
- data/lib/dependabot/helm/update_checker.rb +40 -1
- data/lib/dependabot/helm/version.rb +100 -0
- data/lib/dependabot/helm.rb +3 -1
- metadata +12 -11
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a4b54115834be1156fae985ea9407c7a02a6b5e96b7bfd781df3035452813cc1
|
|
4
|
+
data.tar.gz: 1c66887b733f1ba078ced605d360f5c8cb0eba32a06f095b74c1e2f4c015782f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 33da54922f3c7bd7d9a86418deed00a9e189965f22495ddb4a1ee810f193e905268d8da0caf37a7ca2763a1014679c9af30a0d4bb7a2e605c7bb1485fce53ebc
|
|
7
|
+
data.tar.gz: cf6e8954811a5c63ac882995aca63c2f86b92e1d28c01a4fdddd20c93071755d23e5abfc35bbd333f9ac7cc797cc9162a41cbfad75c5362bbc5ba823c2970c4b
|
|
@@ -66,6 +66,31 @@ module Dependabot
|
|
|
66
66
|
)
|
|
67
67
|
raise
|
|
68
68
|
end
|
|
69
|
+
|
|
70
|
+
sig { params(username: String, password: String, repository_url: String).returns(String) }
|
|
71
|
+
def self.oci_registry_login(username, password, repository_url)
|
|
72
|
+
Dependabot.logger.info("Logging into OCI registry \"#{repository_url}\"")
|
|
73
|
+
|
|
74
|
+
Dependabot::SharedHelpers.run_shell_command(
|
|
75
|
+
"oras login --username #{username} --password #{password} #{repository_url}",
|
|
76
|
+
fingerprint: "oras login --username <username> --password <password> <repository_url>"
|
|
77
|
+
)
|
|
78
|
+
rescue StandardError => e
|
|
79
|
+
Dependabot.logger.error(
|
|
80
|
+
"Failed to authenticate for #{repository_url}: #{e.message}"
|
|
81
|
+
)
|
|
82
|
+
raise
|
|
83
|
+
end
|
|
84
|
+
|
|
85
|
+
sig { params(name: String).returns(String) }
|
|
86
|
+
def self.fetch_oci_tags(name)
|
|
87
|
+
Dependabot.logger.info("Searching OCI tags for: #{name}")
|
|
88
|
+
|
|
89
|
+
Dependabot::SharedHelpers.run_shell_command(
|
|
90
|
+
"oras repo tags #{name}",
|
|
91
|
+
fingerprint: "oras repo tags <name>"
|
|
92
|
+
).strip
|
|
93
|
+
end
|
|
69
94
|
end
|
|
70
95
|
end
|
|
71
96
|
end
|
|
@@ -5,7 +5,7 @@ require "sorbet-runtime"
|
|
|
5
5
|
require "dependabot/update_checkers"
|
|
6
6
|
require "dependabot/update_checkers/base"
|
|
7
7
|
require "dependabot/errors"
|
|
8
|
-
require "dependabot/
|
|
8
|
+
require "dependabot/helm/version"
|
|
9
9
|
require "dependabot/docker/requirement"
|
|
10
10
|
require "dependabot/shared/utils/credentials_finder"
|
|
11
11
|
require "dependabot/shared_helpers"
|
|
@@ -191,6 +191,19 @@ module Dependabot
|
|
|
191
191
|
raise PrivateSourceAuthenticationFailure, repo_url
|
|
192
192
|
end
|
|
193
193
|
|
|
194
|
+
sig { params(repo_url: T.nilable(String)).returns(T.nilable(String)) }
|
|
195
|
+
def authenticate_oci_registry_source(repo_url)
|
|
196
|
+
return unless repo_url
|
|
197
|
+
|
|
198
|
+
repo_creds = Shared::Utils::CredentialsFinder.new(@credentials, private_repository_type: "helm_registry")
|
|
199
|
+
.credentials_for_registry(repo_url)
|
|
200
|
+
return unless repo_creds
|
|
201
|
+
|
|
202
|
+
Helpers.oci_registry_login(T.must(repo_creds["username"]), T.must(repo_creds["password"]), repo_url)
|
|
203
|
+
rescue StandardError
|
|
204
|
+
raise PrivateSourceAuthenticationFailure, repo_url
|
|
205
|
+
end
|
|
206
|
+
|
|
194
207
|
sig { returns(T.nilable(Gem::Version)) }
|
|
195
208
|
def fetch_latest_chart_version
|
|
196
209
|
chart_name = dependency.name
|
|
@@ -201,9 +214,35 @@ module Dependabot
|
|
|
201
214
|
releases = fetch_releases_with_helm_cli(chart_name, repo_name, repo_url)
|
|
202
215
|
return releases if releases
|
|
203
216
|
|
|
217
|
+
tag = fetch_latest_oci_tag(chart_name, repo_url) if repo_url&.start_with?("oci://")
|
|
218
|
+
return tag if tag
|
|
219
|
+
|
|
204
220
|
fetch_releases_from_index(chart_name, repo_url)
|
|
205
221
|
end
|
|
206
222
|
|
|
223
|
+
sig { params(chart_name: String, repo_url: String).returns(T.nilable(Gem::Version)) }
|
|
224
|
+
def fetch_latest_oci_tag(chart_name, repo_url)
|
|
225
|
+
tags = fetch_oci_tags(chart_name, repo_url)
|
|
226
|
+
return nil unless tags && !tags.empty?
|
|
227
|
+
|
|
228
|
+
valid_tags = filter_valid_versions(tags)
|
|
229
|
+
return nil if valid_tags.empty?
|
|
230
|
+
|
|
231
|
+
highest_tag = valid_tags.map { |v| version_class.new(v) }.max
|
|
232
|
+
Dependabot.logger.info("Highest valid OCI tag for #{chart_name} is #{highest_tag}")
|
|
233
|
+
highest_tag
|
|
234
|
+
end
|
|
235
|
+
|
|
236
|
+
sig { params(chart_name: String, repo_url: String).returns(T.nilable(T::Array[String])) }
|
|
237
|
+
def fetch_oci_tags(chart_name, repo_url)
|
|
238
|
+
Dependabot.logger.info("Fetching OCI tags for #{repo_url}")
|
|
239
|
+
oci_registry = repo_url.gsub("oci://", "")
|
|
240
|
+
authenticate_oci_registry_source(repo_url)
|
|
241
|
+
|
|
242
|
+
release_tags = Helpers.fetch_oci_tags("#{oci_registry}/#{chart_name}").split("\n")
|
|
243
|
+
release_tags.map { |tag| tag.tr("_", "+") }
|
|
244
|
+
end
|
|
245
|
+
|
|
207
246
|
sig { params(repo_url: T.nilable(String)).returns(T.nilable(String)) }
|
|
208
247
|
def extract_repo_name(repo_url)
|
|
209
248
|
return nil unless repo_url
|
|
@@ -0,0 +1,100 @@
|
|
|
1
|
+
# typed: strict
|
|
2
|
+
# frozen_string_literal: true
|
|
3
|
+
|
|
4
|
+
require "dependabot/version"
|
|
5
|
+
require "dependabot/utils"
|
|
6
|
+
require "dependabot/docker/tag"
|
|
7
|
+
require "sorbet-runtime"
|
|
8
|
+
|
|
9
|
+
module Dependabot
|
|
10
|
+
module Helm
|
|
11
|
+
# In the special case of Java, the version string may also contain
|
|
12
|
+
# optional "update number" and "identifier" components.
|
|
13
|
+
# See https://www.oracle.com/java/technologies/javase/versioning-naming.html
|
|
14
|
+
# for a description of Java versions.
|
|
15
|
+
#
|
|
16
|
+
class Version < Dependabot::Version
|
|
17
|
+
extend T::Sig
|
|
18
|
+
# The regex has limits for the 0,255 and 1,255 repetitions to avoid infinite limits which makes codeql angry.
|
|
19
|
+
# A docker image cannot be longer than 255 characters anyways.
|
|
20
|
+
HELM_VERSION_REGEX = /^(?<prefix>[a-z._\-]{0,255})[_\-v]?(?<version>[^+]{1,255})(\+(?<digest>.+))?$/
|
|
21
|
+
|
|
22
|
+
sig { override.params(version: VersionParameter).void }
|
|
23
|
+
def initialize(version)
|
|
24
|
+
parsed_version = version.to_s.match(HELM_VERSION_REGEX)
|
|
25
|
+
release_part, update_part = T.must(T.must(parsed_version)[:version]).split("_", 2)
|
|
26
|
+
|
|
27
|
+
# The numeric_version is needed here to validate the version string (ex: 20.9.0-alpine3.18)
|
|
28
|
+
# when the call is made via Dependabot Api to convert the image version to semver.
|
|
29
|
+
release_part = Dependabot::Docker::Tag.new(
|
|
30
|
+
T.must(release_part).chomp(".").chomp("-").chomp("_")
|
|
31
|
+
).numeric_version
|
|
32
|
+
|
|
33
|
+
@digest = T.let(T.must(parsed_version)[:digest], T.nilable(String))
|
|
34
|
+
@release_part = T.let(Dependabot::Version.new(T.must(release_part).tr("-", ".")), Dependabot::Version)
|
|
35
|
+
@update_part = T.let(
|
|
36
|
+
Dependabot::Version.new(update_part&.start_with?(/[0-9]/) ? update_part : 0),
|
|
37
|
+
Dependabot::Version
|
|
38
|
+
)
|
|
39
|
+
|
|
40
|
+
super(@release_part)
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
sig { override.params(version: VersionParameter).returns(T::Boolean) }
|
|
44
|
+
def self.correct?(version)
|
|
45
|
+
return true if version.is_a?(Gem::Version)
|
|
46
|
+
|
|
47
|
+
# We can't call new here because Gem::Version calls self.correct? in its initialize method
|
|
48
|
+
# causing an infinite loop, so instead we check if the release_part of the version is correct
|
|
49
|
+
parsed_version = version.to_s.match(HELM_VERSION_REGEX)
|
|
50
|
+
return false if parsed_version.nil?
|
|
51
|
+
|
|
52
|
+
release_part, = T.must(parsed_version[:version]).split("_", 2)
|
|
53
|
+
release_part = Dependabot::Docker::Tag.new(
|
|
54
|
+
T.must(release_part).chomp(".").chomp("-").chomp("_")
|
|
55
|
+
).numeric_version
|
|
56
|
+
return false unless release_part
|
|
57
|
+
|
|
58
|
+
super(release_part.to_s)
|
|
59
|
+
rescue ArgumentError
|
|
60
|
+
# if we can't instantiate a version, it can't be correct
|
|
61
|
+
false
|
|
62
|
+
end
|
|
63
|
+
|
|
64
|
+
sig { override.returns(String) }
|
|
65
|
+
def to_semver
|
|
66
|
+
@release_part.to_semver
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
sig { returns(T::Array[String]) }
|
|
70
|
+
def segments
|
|
71
|
+
@release_part.segments
|
|
72
|
+
end
|
|
73
|
+
|
|
74
|
+
sig { returns(T.nilable(String)) }
|
|
75
|
+
def to_s
|
|
76
|
+
return nil if @release_part.nil?
|
|
77
|
+
|
|
78
|
+
version_string = @release_part.to_s
|
|
79
|
+
version_string += "+#{@digest}" unless @digest.nil?
|
|
80
|
+
version_string
|
|
81
|
+
end
|
|
82
|
+
|
|
83
|
+
sig { returns(Dependabot::Version) }
|
|
84
|
+
attr_reader :release_part
|
|
85
|
+
|
|
86
|
+
sig { params(other: Dependabot::Helm::Version).returns(T.nilable(Integer)) }
|
|
87
|
+
def <=>(other)
|
|
88
|
+
sort_criteria <=> other.sort_criteria
|
|
89
|
+
end
|
|
90
|
+
|
|
91
|
+
sig { returns(T::Array[Dependabot::Version]) }
|
|
92
|
+
def sort_criteria
|
|
93
|
+
[@release_part, @update_part]
|
|
94
|
+
end
|
|
95
|
+
end
|
|
96
|
+
end
|
|
97
|
+
end
|
|
98
|
+
|
|
99
|
+
Dependabot::Utils
|
|
100
|
+
.register_version_class("helm", Dependabot::Helm::Version)
|
data/lib/dependabot/helm.rb
CHANGED
|
@@ -11,10 +11,12 @@ require "dependabot/helm/file_parser"
|
|
|
11
11
|
require "dependabot/helm/file_updater"
|
|
12
12
|
require "dependabot/helm/update_checker"
|
|
13
13
|
|
|
14
|
-
Dependabot::Utils.register_version_class("helm", Dependabot::Docker::Version)
|
|
15
14
|
Dependabot::Utils.register_requirement_class("helm", Dependabot::Docker::Requirement)
|
|
16
15
|
Dependabot::MetadataFinders.register("helm", Dependabot::Docker::MetadataFinder)
|
|
17
16
|
|
|
17
|
+
require "dependabot/helm/version"
|
|
18
|
+
Dependabot::Utils.register_version_class("helm", Dependabot::Helm::Version)
|
|
19
|
+
|
|
18
20
|
require "dependabot/pull_request_creator/labeler"
|
|
19
21
|
Dependabot::PullRequestCreator::Labeler
|
|
20
22
|
.register_label_details("helm", name: "helm", colour: "E5F2FC")
|
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-helm
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.311.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
bindir: bin
|
|
9
9
|
cert_chain: []
|
|
10
|
-
date: 2025-
|
|
10
|
+
date: 2025-05-01 00:00:00.000000000 Z
|
|
11
11
|
dependencies:
|
|
12
12
|
- !ruby/object:Gem::Dependency
|
|
13
13
|
name: dependabot-common
|
|
@@ -15,28 +15,28 @@ dependencies:
|
|
|
15
15
|
requirements:
|
|
16
16
|
- - '='
|
|
17
17
|
- !ruby/object:Gem::Version
|
|
18
|
-
version: 0.
|
|
18
|
+
version: 0.311.0
|
|
19
19
|
type: :runtime
|
|
20
20
|
prerelease: false
|
|
21
21
|
version_requirements: !ruby/object:Gem::Requirement
|
|
22
22
|
requirements:
|
|
23
23
|
- - '='
|
|
24
24
|
- !ruby/object:Gem::Version
|
|
25
|
-
version: 0.
|
|
25
|
+
version: 0.311.0
|
|
26
26
|
- !ruby/object:Gem::Dependency
|
|
27
27
|
name: dependabot-docker
|
|
28
28
|
requirement: !ruby/object:Gem::Requirement
|
|
29
29
|
requirements:
|
|
30
30
|
- - '='
|
|
31
31
|
- !ruby/object:Gem::Version
|
|
32
|
-
version: 0.
|
|
32
|
+
version: 0.311.0
|
|
33
33
|
type: :runtime
|
|
34
34
|
prerelease: false
|
|
35
35
|
version_requirements: !ruby/object:Gem::Requirement
|
|
36
36
|
requirements:
|
|
37
37
|
- - '='
|
|
38
38
|
- !ruby/object:Gem::Version
|
|
39
|
-
version: 0.
|
|
39
|
+
version: 0.311.0
|
|
40
40
|
- !ruby/object:Gem::Dependency
|
|
41
41
|
name: debug
|
|
42
42
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -237,16 +237,16 @@ dependencies:
|
|
|
237
237
|
name: webrick
|
|
238
238
|
requirement: !ruby/object:Gem::Requirement
|
|
239
239
|
requirements:
|
|
240
|
-
- - "
|
|
240
|
+
- - "~>"
|
|
241
241
|
- !ruby/object:Gem::Version
|
|
242
|
-
version: '1.
|
|
242
|
+
version: '1.9'
|
|
243
243
|
type: :development
|
|
244
244
|
prerelease: false
|
|
245
245
|
version_requirements: !ruby/object:Gem::Requirement
|
|
246
246
|
requirements:
|
|
247
|
-
- - "
|
|
247
|
+
- - "~>"
|
|
248
248
|
- !ruby/object:Gem::Version
|
|
249
|
-
version: '1.
|
|
249
|
+
version: '1.9'
|
|
250
250
|
description: Dependabot-Helm provides support for bumping Helm image tags via Dependabot.
|
|
251
251
|
If you want support for multiple package managers, you probably want the meta-gem
|
|
252
252
|
dependabot-omnibus.
|
|
@@ -265,12 +265,13 @@ files:
|
|
|
265
265
|
- lib/dependabot/helm/helpers.rb
|
|
266
266
|
- lib/dependabot/helm/package_manager.rb
|
|
267
267
|
- lib/dependabot/helm/update_checker.rb
|
|
268
|
+
- lib/dependabot/helm/version.rb
|
|
268
269
|
homepage: https://github.com/dependabot/dependabot-core
|
|
269
270
|
licenses:
|
|
270
271
|
- MIT
|
|
271
272
|
metadata:
|
|
272
273
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
273
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
274
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.311.0
|
|
274
275
|
rdoc_options: []
|
|
275
276
|
require_paths:
|
|
276
277
|
- lib
|