dependabot-opentofu 0.348.1

data/lib/dependabot/opentofu/requirements_updater.rb

@@ -0,0 +1,223 @@
+# typed: strict
+# frozen_string_literal: true
+
+####################################################################
+# For more details on OpenTofu version constraints, see:           #
+# https://opentofu.org/docs/language/modules/#published-modules    #
+####################################################################
+
+require "sorbet-runtime"
+
+require "dependabot/opentofu/version"
+require "dependabot/opentofu/requirement"
+
+module Dependabot
+  module Opentofu
+    # Takes an array of `requirements` hashes for a dependency at the old
+    # version and a new version, and generates a set of new `requirements`
+    # hashes at the new version.
+    #
+    # A requirements hash is a basic description of a dependency at a certain
+    # version constraint, and it includes the data that is needed to update the
+    # manifest (i.e. the `.tf` file) with the new version.
+    #
+    # A requirements hash looks like this for a registry hosted requirement:
+    # ```ruby
+    # {
+    #   requirement: "~> 0.2.1",
+    #   groups: [],
+    #   file: "main.tf",
+    #   source: {
+    #     type: "registry",
+    #     registry_hostname: "registry.opentofu.org",
+    #     module_identifier: "hashicorp/consul/aws"
+    #   }
+    # }
+    #
+    # And like this for a git requirement:
+    # ```ruby
+    # {
+    #   requirement: nil,
+    #   groups: [],
+    #   file: "main.tf",
+    #   source: {
+    #     type: "git",
+    #     url: "https://github.com/cloudposse/terraform-null-label.git",
+    #     branch: nil,
+    #     ref: nil
+    #   }
+    # }
+    class RequirementsUpdater
+      extend T::Sig
+
+      # @param requirements [Hash{Symbol => String, Array, Hash}]
+      # @param latest_version [Dependabot::Opentofu::Version]
+      # @param tag_for_latest_version [String, NilClass]
+      sig do
+        params(
+          requirements: T::Array[T::Hash[Symbol, T.untyped]],
+          latest_version: T.nilable(Dependabot::Version::VersionParameter),
+          tag_for_latest_version: T.nilable(String)
+        ).void
+      end
+      def initialize(requirements:, latest_version:, tag_for_latest_version:)
+        @requirements = requirements
+        @tag_for_latest_version = tag_for_latest_version
+
+        return unless latest_version
+        return unless version_class.correct?(latest_version)
+
+        @latest_version = T.let(version_class.new(latest_version), Dependabot::Opentofu::Version)
+      end
+
+      # @return requirements [Hash{Symbol => String, Array, Hash}]
+      #   * requirement [String, NilClass] the updated version constraint
+      #   * groups [Array] no-op for OpenTofu
+      #   * file [String] the file that specified this dependency
+      #   * source [Hash{Symbol => String}] The updated git or registry source details
+      sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+      def updated_requirements
+        # NOTE: Order is important here. The FileUpdater needs the updated
+        # requirement at index `i` to correspond to the previous requirement
+        # at the same index.
+        requirements.map do |req|
+          case req.dig(:source, :type)
+          when "git" then update_git_requirement(req)
+          when "registry", "provider" then update_registry_requirement(req)
+          else req
+          end
+        end
+      end
+
+      private
+
+      sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+      attr_reader :requirements
+
+      sig { returns(Dependabot::Opentofu::Version) }
+      attr_reader :latest_version
+
+      sig { returns(T.nilable(String)) }
+      attr_reader :tag_for_latest_version
+
+      sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
+      def update_git_requirement(req)
+        return req unless req.dig(:source, :ref)
+        return req unless tag_for_latest_version
+
+        req.merge(source: req[:source].merge(ref: tag_for_latest_version))
+      end
+
+      sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
+      def update_registry_requirement(req)
+        return req if req.fetch(:requirement).nil?
+
+        string_req = req.fetch(:requirement).strip
+        ruby_req = requirement_class.new(string_req)
+        return req if ruby_req.satisfied_by?(latest_version)
+
+        new_req =
+          if ruby_req.exact? then latest_version.to_s
+          elsif string_req.start_with?("~>")
+            update_twiddle_version(string_req).to_s
+          else
+            update_range(string_req).map(&:to_s).join(", ")
+          end
+
+        req.merge(requirement: new_req)
+      end
+
+      # Updates the version in a "~>" constraint to allow the given version
+      sig { params(req_string: String).returns(String) }
+      def update_twiddle_version(req_string)
+        old_version = requirement_class.new(req_string)
+                                       .requirements.first.last
+        updated_version = at_same_precision(latest_version, old_version)
+        req_string.sub(old_version.to_s, updated_version)
+      end
+
+      sig { params(req_string: String).returns(T::Array[Dependabot::Opentofu::Requirement]) }
+      def update_range(req_string)
+        requirement_class.new(req_string).requirements.flat_map do |r|
+          ruby_req = requirement_class.new(r.join(" "))
+          next ruby_req if ruby_req.satisfied_by?(latest_version)
+
+          case op = ruby_req.requirements.first.first
+          when "<", "<=" then [update_greatest_version(ruby_req, latest_version)]
+          when "!=" then []
+          else raise "Unexpected operation for unsatisfied req: #{op}"
+          end
+        end
+      end
+
+      sig do
+        params(
+          new_version: Dependabot::Opentofu::Version,
+          old_version: Dependabot::Opentofu::Version
+        )
+          .returns(String)
+      end
+      def at_same_precision(new_version, old_version)
+        release_precision =
+          old_version.to_s.split(".").count { |i| i.match?(/^\d+$/) }
+        prerelease_precision =
+          old_version.to_s.split(".").count - release_precision
+
+        new_release =
+          new_version.to_s.split(".").first(release_precision)
+        new_prerelease =
+          new_version.to_s.split(".")
+                     .drop_while { |i| i.match?(/^\d+$/) }
+                     .first([prerelease_precision, 1].max)
+
+        [*new_release, *new_prerelease].join(".")
+      end
+
+      # Updates the version in a "<" or "<=" constraint to allow the given
+      # version
+      sig do
+        params(
+          requirement: Dependabot::Requirement,
+          version_to_be_permitted: T.any(String, Dependabot::Opentofu::Version)
+        )
+          .returns(Dependabot::Opentofu::Requirement)
+      end
+      def update_greatest_version(requirement, version_to_be_permitted)
+        if version_to_be_permitted.is_a?(String)
+          version_to_be_permitted =
+            version_class.new(version_to_be_permitted)
+        end
+        op, version = requirement.requirements.first
+        version = version.release if version.prerelease?
+
+        # When 'less than'/'<',
+        # increment the last available segment only so that the new version is within the constraint
+        if op == "<"
+          new_segments = version.segments.map.with_index do |_, index|
+            version_to_be_permitted.segments[index]
+          end
+          new_segments[-1] += 1
+        # When 'less-than/equal'/'<=', use the new version as-is even when previously set as a non-semver version
+        # OpenTofu treats shortened versions the same as a version with any remaining segments as 0
+        # Example: '0.2' is treated as '0.2.0' | '1' is treated as '1.0.0'
+        elsif op == "<="
+          new_segments = version_to_be_permitted.segments
+        else
+          raise "Unexpected operation: #{op}"
+        end
+
+        requirement_class.new("#{op} #{new_segments.join('.')}")
+      end
+
+      sig { returns(T.class_of(Dependabot::Opentofu::Version)) }
+      def version_class
+        Version
+      end
+
+      sig { returns(T.class_of(Dependabot::Opentofu::Requirement)) }
+      def requirement_class
+        Requirement
+      end
+    end
+  end
+end

data/lib/dependabot/opentofu/update_checker/latest_version_resolver.rb

@@ -0,0 +1,217 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/update_checkers/base"
+require "dependabot/opentofu/package/package_details_fetcher"
+require "sorbet-runtime"
+require "dependabot/git_commit_checker"
+
+module Dependabot
+  module Opentofu
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      class LatestVersionResolver
+        extend T::Sig
+
+        DAY_IN_SECONDS = T.let(24 * 60 * 60, Integer)
+
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            credentials: T::Array[Dependabot::Credential],
+            cooldown_options: T.nilable(Dependabot::Package::ReleaseCooldownOptions),
+            git_commit_checker: Dependabot::GitCommitChecker
+          ).void
+        end
+        def initialize(dependency:, credentials:, cooldown_options:, git_commit_checker:)
+          @dependency = dependency
+          @credentials = credentials
+          @cooldown_options = cooldown_options
+          @git_commit_checker = T.let(
+            git_commit_checker,
+            Dependabot::GitCommitChecker
+          )
+        end
+
+        sig { returns(Dependabot::Dependency) }
+        attr_reader :dependency
+
+        # Return latest version tag for the dependency, it removes tags that are in cooldown period
+        # and returns the latest version tag that is not in cooldown period. If exception occurs
+        # it will return the latest version tag from the git_commit_checker. as it was before
+        sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+        def latest_version_tag
+          # step one fetch allowed version tags and
+          allowed_version_tags = git_commit_checker.allowed_version_tags
+          begin
+            if cooldown_enabled?
+              # sort the allowed version tags by name in descending order
+              select_version_tags_in_cooldown_period&.each do |tag_name|
+                # filter out if name is not in cooldown period
+                allowed_version_tags.reject! do |gitref_filtered|
+                  true if gitref_filtered.name == tag_name
+                end
+              end
+            end
+            Dependabot.logger.info(
+              "Allowed version tags after filtering versions in cooldown:
+              #{allowed_version_tags.map(&:name).join(', ')}"
+            )
+            git_commit_checker.max_local_tag(allowed_version_tags)
+          rescue StandardError => e
+            Dependabot.logger.error("Error fetching latest version tag: #{e.message}")
+            git_commit_checker.local_tag_for_latest_version
+          end
+        end
+
+        # To filter versions in cooldown period based on version tags from registry call
+        sig do
+          params(versions: T::Array[Dependabot::Opentofu::Version])
+            .returns(T::Array[Dependabot::Opentofu::Version])
+        end
+        def filter_versions_in_cooldown_period_from_provider(versions)
+          # to make call for registry to get the versions
+          # step one fetch allowed version tags and
+
+          # sort the allowed version tags by name in descending order
+          select_tags_which_in_cooldown_from_provider&.each do |tag_name|
+            # Iterate through versions and filter out those matching the tag_name
+            versions.reject! do |version|
+              version.to_s == tag_name
+            end
+          end
+          Dependabot.logger.info(
+            "Allowed version tags after filtering versions in cooldown:
+                #{versions.map(&:to_s).join(', ')}"
+          )
+          versions
+        rescue StandardError => e
+          Dependabot.logger.error("Error filter_versions_in_cooldown_period_from_provider(versions): #{e.message}")
+          versions
+        end
+
+        # To filter versions in cooldown period based on version tags from registry call
+        sig do
+          params(versions: T::Array[Dependabot::Opentofu::Version])
+            .returns(T::Array[Dependabot::Opentofu::Version])
+        end
+        def filter_versions_in_cooldown_period_from_module(versions)
+          # to make call for registry to get the versions
+          # step one fetch allowed version tags and
+
+          # sort the allowed version tags by name in descending order
+          select_tags_which_in_cooldown_from_module&.each do |tag_name|
+            # Iterate through versions and filter out those matching the tag_name
+            versions.reject! do |version|
+              version.to_s == tag_name
+            end
+          end
+          Dependabot.logger.info(
+            "filter_versions_in_cooldown_period_from_module::
+              Allowed version tags after filtering versions in cooldown:#{versions.map(&:to_s).join(', ')}"
+          )
+          versions
+        rescue StandardError => e
+          Dependabot.logger.error("Error fetching latest version tag: #{e.message}")
+          versions
+        end
+
+        sig { returns(T.nilable(T::Array[String])) }
+        def select_version_tags_in_cooldown_period
+          version_tags_in_cooldown_period = T.let([], T::Array[String])
+
+          package_details_fetcher.fetch_tag_and_release_date.each do |git_tag_with_detail|
+            if check_if_version_in_cooldown_period?(T.must(git_tag_with_detail.release_date))
+              version_tags_in_cooldown_period << git_tag_with_detail.tag
+            end
+          end
+          version_tags_in_cooldown_period
+        rescue StandardError => e
+          Dependabot.logger.error("Error checking if version is in cooldown: #{e.message}")
+          version_tags_in_cooldown_period
+        end
+
+        sig { params(release_date: String).returns(T::Boolean) }
+        def check_if_version_in_cooldown_period?(release_date)
+          return false unless release_date.length.positive?
+
+          cooldown = @cooldown_options
+          return false unless cooldown
+
+          return false if cooldown.nil?
+
+          # Calculate the number of seconds passed since the release
+          passed_seconds = Time.now.to_i - release_date_to_seconds(release_date)
+          # Check if the release is within the cooldown period
+          passed_seconds < cooldown.default_days * DAY_IN_SECONDS
+        end
+
+        sig { params(release_date: String).returns(Integer) }
+        def release_date_to_seconds(release_date)
+          Time.parse(release_date).to_i
+        rescue ArgumentError => e
+          Dependabot.logger.error("Invalid release date format: #{release_date} and error: #{e.message}")
+          0 # Default to 360 days in seconds if parsing fails, so that it will not be in cooldown
+        end
+
+        sig { returns(T.nilable(T::Array[String])) }
+        def select_tags_which_in_cooldown_from_provider
+          version_tags_in_cooldown_from_provider = T.let([], T::Array[String])
+
+          package_details_fetcher.fetch_tag_and_release_date_from_provider.each do |git_tag_with_detail|
+            if check_if_version_in_cooldown_period?(T.must(git_tag_with_detail.release_date))
+              version_tags_in_cooldown_from_provider << git_tag_with_detail.tag
+            end
+          end
+          version_tags_in_cooldown_from_provider
+        rescue StandardError => e
+          Dependabot.logger.error("Error checking if version is in cooldown: #{e.message}")
+          version_tags_in_cooldown_from_provider
+        end
+
+        sig { returns(T.nilable(T::Array[String])) }
+        def select_tags_which_in_cooldown_from_module
+          version_tags_in_cooldown_from_module = T.let([], T::Array[String])
+
+          package_details_fetcher.fetch_tag_and_release_date_from_module.each do |git_tag_with_detail|
+            if check_if_version_in_cooldown_period?(T.must(git_tag_with_detail.release_date))
+              version_tags_in_cooldown_from_module << git_tag_with_detail.tag
+            end
+          end
+          version_tags_in_cooldown_from_module
+        rescue StandardError => e
+          Dependabot.logger.error("Error checking if version is in cooldown: #{e.message}")
+          version_tags_in_cooldown_from_module
+        end
+
+        sig { returns(Package::PackageDetailsFetcher) }
+        def package_details_fetcher
+          @package_details_fetcher ||= T.let(
+            Package::PackageDetailsFetcher.new(
+              dependency: dependency,
+              credentials: credentials,
+              git_commit_checker: git_commit_checker
+            ),
+            T.nilable(Package::PackageDetailsFetcher)
+          )
+        end
+
+        sig { returns(T::Boolean) }
+        def cooldown_enabled?
+          # This is a simple check to see if user has put cooldown days.
+          # If not set, then we aassume user does not want cooldown.
+          # Since OpenTofu does not support Semver versioning, So option left
+          # for the user is to set cooldown default days.
+          return false if @cooldown_options.nil?
+
+          @cooldown_options.default_days.positive?
+        end
+
+        sig { returns(Dependabot::GitCommitChecker) }
+        attr_reader :git_commit_checker
+
+        sig { returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
+      end
+    end
+  end
+end

data/lib/dependabot/opentofu/update_checker.rb

@@ -0,0 +1,264 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/update_checkers"
+require "dependabot/update_checkers/base"
+require "dependabot/git_commit_checker"
+require "dependabot/opentofu/requirements_updater"
+require "dependabot/opentofu/requirement"
+require "dependabot/opentofu/version"
+require "dependabot/opentofu/registry_client"
+
+module Dependabot
+  module Opentofu
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      extend T::Sig
+
+      require_relative "update_checker/latest_version_resolver"
+
+      ELIGIBLE_SOURCE_TYPES = T.let(
+        %w(git provider registry).freeze,
+        T::Array[String]
+      )
+
+      sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
+      def latest_version
+        return latest_version_for_git_dependency if git_dependency?
+        return latest_version_for_registry_dependency if registry_dependency?
+
+        latest_version_for_provider_dependency if provider_dependency?
+        # Other sources (mercurial, path dependencies) just return `nil`
+      end
+
+      sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
+      def latest_resolvable_version
+        # No concept of resolvability for terraform modules (that we're aware
+        # of - there may be in future).
+        latest_version
+      end
+
+      sig { override.returns(T.nilable(T.any(String, Dependabot::Version))) }
+      def latest_resolvable_version_with_no_unlock
+        # TODO: Update later to use lock files
+        nil
+      end
+
+      sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+      def updated_requirements
+        RequirementsUpdater.new(
+          requirements: dependency.requirements,
+          latest_version: latest_version&.to_s,
+          tag_for_latest_version: tag_for_latest_version
+        ).updated_requirements
+      end
+
+      sig { returns(T::Boolean) }
+      def requirements_unlocked_or_can_be?
+        # If the requirement comes from a proxy URL then there's no way for
+        # us to update it
+        !proxy_requirement?
+      end
+
+      private
+
+      sig { override.returns(T::Boolean) }
+      def latest_version_resolvable_with_full_unlock?
+        # Full unlock checks aren't relevant for OpenTofu files
+        false
+      end
+
+      sig { override.returns(T::Array[Dependabot::Dependency]) }
+      def updated_dependencies_after_full_unlock
+        raise NotImplementedError
+      end
+
+      sig { returns(T.nilable(Dependabot::Opentofu::Version)) }
+      def latest_version_for_registry_dependency
+        return unless registry_dependency?
+
+        return @latest_version_for_registry_dependency if @latest_version_for_registry_dependency
+
+        versions = all_module_versions
+        # Filter versions which are in cooldown period
+        if cooldown_enabled? # rubocop:disable Style/IfUnlessModifier
+          versions = latest_version_resolver.filter_versions_in_cooldown_period_from_module(versions)
+        end
+        versions.reject!(&:prerelease?) unless wants_prerelease?
+        versions.reject! { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } }
+        @latest_version_for_registry_dependency = T.let(
+          versions.max,
+          T.nilable(Dependabot::Opentofu::Version)
+        )
+      end
+
+      sig { returns(T::Array[Dependabot::Opentofu::Version]) }
+      def all_module_versions
+        identifier = dependency_source_details&.fetch(:module_identifier)
+        registry_client.all_module_versions(identifier: identifier)
+      end
+
+      sig { returns(T::Array[Dependabot::Opentofu::Version]) }
+      def all_provider_versions
+        identifier = dependency_source_details&.fetch(:module_identifier)
+        registry_client.all_provider_versions(identifier: identifier)
+      end
+
+      sig { returns(Dependabot::Opentofu::RegistryClient) }
+      def registry_client
+        @registry_client ||= T.let(
+          begin
+            hostname = dependency_source_details&.fetch(:registry_hostname)
+            RegistryClient.new(hostname: hostname, credentials: credentials)
+          end,
+          T.nilable(Dependabot::Opentofu::RegistryClient)
+        )
+      end
+
+      sig { returns(T.nilable(Dependabot::Opentofu::Version)) }
+      def latest_version_for_provider_dependency
+        return unless provider_dependency?
+
+        return @latest_version_for_provider_dependency if @latest_version_for_provider_dependency
+
+        versions = all_provider_versions
+        # Filter versions which are in cooldown period
+        if cooldown_enabled?
+          versions = latest_version_resolver.filter_versions_in_cooldown_period_from_provider(versions)
+        end
+        versions.reject!(&:prerelease?) unless wants_prerelease?
+        versions.reject! { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } }
+
+        @latest_version_for_provider_dependency = T.let(
+          versions.max,
+          T.nilable(Dependabot::Opentofu::Version)
+        )
+      end
+
+      sig { returns(T::Boolean) }
+      def wants_prerelease?
+        current_version = dependency.version
+        if current_version &&
+           version_class.correct?(current_version) &&
+           version_class.new(current_version).prerelease?
+          return true
+        end
+
+        dependency.requirements.any? do |req|
+          req[:requirement]&.match?(/\d-[A-Za-z0-9]/)
+        end
+      end
+
+      sig { returns(T.nilable(T.any(Dependabot::Version, String))) }
+      def latest_version_for_git_dependency
+        # If the module isn't pinned then there's nothing for us to update
+        # (since there's no lockfile to update the version in). We still
+        # return the latest commit for the given branch, in order to keep
+        # this method consistent
+        return git_commit_checker.head_commit_for_current_branch unless git_commit_checker.pinned?
+
+        # If the dependency is pinned to a tag that looks like a version then
+        # we want to update that tag. Because we don't have a lockfile, the
+        # latest version is the tag itself.
+        if git_commit_checker.pinned_ref_looks_like_version?
+          # Filter version tags that are in cooldown period
+          latest_tag =  latest_version_resolver.latest_version_tag&.fetch(:tag)
+          version_rgx = GitCommitChecker::VERSION_REGEX
+          return unless latest_tag.match(version_rgx)
+
+          version = latest_tag.match(version_rgx)
+                              .named_captures.fetch("version")
+          return version_class.new(version)
+        end
+
+        # If the dependency is pinned to a tag that doesn't look like a
+        # version then there's nothing we can do.
+        nil
+      end
+
+      sig { returns(T.nilable(String)) }
+      def tag_for_latest_version
+        return unless git_commit_checker.git_dependency?
+        return unless git_commit_checker.pinned?
+        return unless git_commit_checker.pinned_ref_looks_like_version?
+
+        latest_tag = git_commit_checker.local_tag_for_latest_version
+                                       &.fetch(:tag)
+
+        version_rgx = GitCommitChecker::VERSION_REGEX
+        return unless latest_tag.match(version_rgx)
+
+        latest_tag
+      end
+
+      sig { returns(T::Boolean) }
+      def proxy_requirement?
+        dependency.requirements.any? do |req|
+          req.fetch(:source)&.fetch(:proxy_url, nil)
+        end
+      end
+
+      sig { returns(T::Boolean) }
+      def registry_dependency?
+        return false if dependency_source_details.nil?
+
+        dependency_source_details&.fetch(:type) == "registry"
+      end
+
+      sig { returns(T::Boolean) }
+      def provider_dependency?
+        return false if dependency_source_details.nil?
+
+        dependency_source_details&.fetch(:type) == "provider"
+      end
+
+      sig { returns(T.nilable(T::Hash[T.any(String, Symbol), T.untyped])) }
+      def dependency_source_details
+        dependency.source_details(allowed_types: ELIGIBLE_SOURCE_TYPES)
+      end
+
+      sig { returns(T::Boolean) }
+      def git_dependency?
+        git_commit_checker.git_dependency?
+      end
+
+      sig { returns(LatestVersionResolver) }
+      def latest_version_resolver
+        LatestVersionResolver.new(
+          dependency: dependency,
+          credentials: credentials,
+          cooldown_options: update_cooldown,
+          git_commit_checker: git_commit_checker
+        )
+      end
+
+      sig { returns(Dependabot::GitCommitChecker) }
+      def git_commit_checker
+        @git_commit_checker ||= T.let(
+          GitCommitChecker.new(
+            dependency: dependency,
+            credentials: credentials,
+            ignored_versions: ignored_versions,
+            raise_on_ignored: raise_on_ignored
+          ),
+          T.nilable(Dependabot::GitCommitChecker)
+        )
+      end
+
+      sig { returns(T::Boolean) }
+      def cooldown_enabled?
+        # This is a simple check to see if user has put cooldown days.
+        # If not set, then we aassume user does not want cooldown.
+        # Since OpenTofu does not support Semver versioning, So option left
+        # for the user is to set cooldown default days.
+        return false if update_cooldown.nil?
+
+        T.must(update_cooldown&.default_days).positive?
+      end
+    end
+  end
+end
+
+Dependabot::UpdateCheckers
+  .register("opentofu", Dependabot::Opentofu::UpdateChecker)