dependabot-nix 0.373.0 → 0.374.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 53b61523c3b571914ab9f84f386c8ab456efb4f93db7681a1721811daa723003
-  data.tar.gz: 99a851d470ab8258b980f08ac553546864d7e7d5a68375ee6d6793553f923b25
+  metadata.gz: a39e607332ed43f1d64f358f9a5d080c2981fa08ca324aa248ef707678ee5f03
+  data.tar.gz: 61b4d00c58b904848439a8d9e323bc3707518783e9319d6ea6843a0fac738b54
 SHA512:
-  metadata.gz: b560b5794a2aedca3c16c62f47f14f56255d8cf64dcce450b4d01f3783adb304ad632597bccf2dc5bed7af77aa718f3fed0bd5bda8adcdaca24d103498afc27f
-  data.tar.gz: 4c09eb9971fd0c5dc5d2b80185c41ba784edbd219bad03a3b51e4f99d2bfcdfb04261a43303f12dd7ebb392c8a2797b58112d304a5850edd9abd2c355c50e4e9
+  metadata.gz: 31087e649f9b6fb8838f9fbf08d88a635f29317d28345ac9ff5c0f97daad4bcdcbcc533f575f7f350da5cf4458b80d1dcdc139c1aba36cc2a10dbc6783af216a
+  data.tar.gz: aef6100cb0225988b52c87dfdccaae3d507231af2b44518e96fbb3ddcc78899a7fb604ff21dcb23ba19331f7402284fb9847506171e1b28c9294979361538774

data/lib/dependabot/nix/package/package_details_fetcher.rb

@@ -3,12 +3,14 @@
 
 require "json"
 require "time"
+require "uri"
 require "sorbet-runtime"
 require "dependabot/nix"
 require "dependabot/package/package_release"
 require "dependabot/package/package_details"
 require "dependabot/git_commit_checker"
 require "dependabot/git_metadata_fetcher"
+require "dependabot/clients/github_with_retries"
 
 module Dependabot
   module Nix
@@ -35,7 +37,7 @@ module Dependabot
 
         sig { returns(T.nilable(T::Array[Dependabot::Package::PackageRelease])) }
         def available_versions
-          versions_metadata = fetch_tags_and_release_date
+          versions_metadata = fetch_branch_tip_history || fetch_tags_and_release_date
 
           versions_metadata = fetch_latest_tag_info if versions_metadata.empty?
 
@@ -62,7 +64,125 @@ module Dependabot
         private
 
         TARGET_COMMITS_TO_FETCH = 500
-        private_constant :TARGET_COMMITS_TO_FETCH
+        ACTIVITY_TYPES = "push,force_push"
+        SHA_REGEX = /\A[0-9a-f]{40}\z/
+        # Heuristic for refs that look like a tag/version rather than a branch
+        # (e.g. `v1.2.3`, `1.2`, `2024.01`). Branch names like `nixos-25.05`
+        # don't match because they don't start with a digit or `v<digit>`.
+        TAG_LIKE_REF_REGEX = /\Av?\d+\./
+        private_constant :TARGET_COMMITS_TO_FETCH, :ACTIVITY_TYPES, :SHA_REGEX, :TAG_LIKE_REF_REGEX
+
+        # Fetch branch-tip history via GitHub's Repo Activity API. Each entry's
+        # `after` SHA was once the actual branch tip — for `nixpkgs` channels
+        # that means it was Hydra-evaluated and is cache-backed. The /commits
+        # endpoint, by contrast, returns intermediate commits that were never
+        # branch tips and may not be cached.
+        #
+        # Returns nil when the activity API isn't usable (non-GitHub host,
+        # SHA-pinned ref, missing ref, HTTP error). Callers should fall back to
+        # the existing /commits walker in that case.
+        sig { returns(T.nilable(T::Array[T::Hash[Symbol, T.untyped]])) }
+        def fetch_branch_tip_history
+          url = source_url
+          ref = branch_ref
+          return nil unless use_activity_api?(url, ref)
+
+          Dependabot.logger.info("Fetching branch-tip history for Nix flake input: #{dependency.name}")
+          entries = fetch_activity_entries(T.must(url), T.must(ref))
+          return nil unless entries.is_a?(Array) && entries.any?
+
+          trim_entries_to_locked_sha(entries)
+        rescue Octokit::Error => e
+          Dependabot.logger.info(
+            "Repo Activity API failed for #{dependency.name} (#{e.class}: #{e.message}), " \
+            "falling back to commits API"
+          )
+          nil
+        rescue StandardError => e
+          Dependabot.logger.error(
+            "Error fetching branch-tip history for #{dependency.name} " \
+            "(#{e.class}: #{e.message})"
+          )
+          nil
+        end
+
+        sig { params(url: String, ref: String).returns(T.untyped) }
+        def fetch_activity_entries(url, ref)
+          T.unsafe(github_client).get( # rubocop:disable Sorbet/ForbidTUnsafe
+            "/repos/#{github_repo_path(url)}/activity",
+            ref: "refs/heads/#{ref}",
+            activity_type: ACTIVITY_TYPES,
+            per_page: 100
+          )
+        end
+
+        # Trim to entries up to and including the currently locked SHA, stopping
+        # once that SHA is reached so we don't introduce candidates older than
+        # `dependency.version`.
+        sig { params(entries: T::Array[T.untyped]).returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+        def trim_entries_to_locked_sha(entries)
+          locked = dependency.version
+          result = T.let([], T::Array[T::Hash[Symbol, T.untyped]])
+          entries.each do |e|
+            after_sha = e[:after]
+            result << { tag: after_sha, release_date: format_timestamp(e[:timestamp]) }
+
+            next unless locked
+            break if after_sha == locked
+
+            if e[:before] == locked
+              result << { tag: locked, release_date: nil } unless result.last&.fetch(:tag) == locked
+              break
+            end
+          end
+          result
+        end
+
+        sig { params(timestamp: T.untyped).returns(T.nilable(String)) }
+        def format_timestamp(timestamp)
+          return nil if timestamp.nil?
+          return timestamp.iso8601 if timestamp.respond_to?(:iso8601)
+
+          timestamp.to_s
+        end
+
+        sig { params(url: T.nilable(String), ref: T.nilable(String)).returns(T::Boolean) }
+        def use_activity_api?(url, ref)
+          return false unless url && ref
+          return false if ref.match?(SHA_REGEX)
+          return false if ref.match?(TAG_LIKE_REF_REGEX)
+
+          host = URI.parse(url).host
+          host == "github.com"
+        rescue URI::InvalidURIError
+          false
+        end
+
+        sig { params(url: String).returns(String) }
+        def github_repo_path(url)
+          T.must(URI.parse(url).path)
+           .delete_prefix("/")
+           .delete_suffix("/")
+           .delete_suffix(".git")
+        end
+
+        sig { returns(T.nilable(String)) }
+        def source_url
+          dependency.source_details(allowed_types: ["git"])&.fetch(:url, nil)
+        end
+
+        sig { returns(T.nilable(String)) }
+        def branch_ref
+          dependency.source_details(allowed_types: ["git"])&.fetch(:ref, nil)
+        end
+
+        sig { returns(Dependabot::Clients::GithubWithRetries) }
+        def github_client
+          @github_client ||= T.let(
+            Dependabot::Clients::GithubWithRetries.for_github_dot_com(credentials: credentials),
+            T.nilable(Dependabot::Clients::GithubWithRetries)
+          )
+        end
 
         sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
         def fetch_latest_tag_info

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-nix
 version: !ruby/object:Gem::Version
-  version: 0.373.0
+  version: 0.374.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.373.0
+        version: 0.374.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.373.0
+        version: 0.374.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -259,7 +259,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.373.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.374.0
 rdoc_options: []
 require_paths:
 - lib