dependabot-terraform 0.279.0 → 0.281.0
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: d37ae246539b7134c6d776e782b70ef1125acc9e230600f03836ab8d363de079
|
4
|
+
data.tar.gz: 1256f419f1e57ac20446b3cd5d677f481cc075b685bae54ee5def7bba5e6ec03
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: f26e6943c4c843fa2d37c14393ffaa6046a976a6b4929baa69936a8f2a4afb7bf8c6e9615a7b228aa4371c488c59a7c9d5fbb8fad88c88c233860d0e50a784c5
|
7
|
+
data.tar.gz: 5555620a9d25d7ee7383ba013e04b9b4a4ce7566378e9af17954afc0c7991d51d3854b60bde0ac51a518c295cf67859aaf471987e8e6c64ad68905b8b5b0dcad
|
@@ -269,7 +269,7 @@ module Dependabot
|
|
269
269
|
if git_url.include?("git@")
|
270
270
|
T.must(git_url.split("git@").last).sub(":", "/")
|
271
271
|
else
|
272
|
-
git_url.sub(%r{
|
272
|
+
git_url.sub(%r{(?:\w{3,5})?://}, "")
|
273
273
|
end
|
274
274
|
|
275
275
|
querystr = URI.parse("https://" + bare_uri).query
|
@@ -292,6 +292,7 @@ module Dependabot
|
|
292
292
|
end
|
293
293
|
|
294
294
|
# rubocop:disable Metrics/PerceivedComplexity
|
295
|
+
# rubocop:disable Metrics/CyclomaticComplexity
|
295
296
|
sig { params(source_string: String).returns(Symbol) }
|
296
297
|
def source_type(source_string)
|
297
298
|
return :interpolation if source_string.include?("${")
|
@@ -308,11 +309,12 @@ module Dependabot
|
|
308
309
|
|
309
310
|
path_uri = URI.parse(T.must(source_string.split(%r{(?<!:)//}).first))
|
310
311
|
query_uri = URI.parse(source_string)
|
311
|
-
return :http_archive if path_uri.path
|
312
|
+
return :http_archive if RegistryClient::ARCHIVE_EXTENSIONS.any? { |ext| path_uri.path&.end_with?(ext) }
|
312
313
|
return :http_archive if query_uri.query&.include?("archive=")
|
313
314
|
|
314
315
|
raise "HTTP source, but not an archive!"
|
315
316
|
end
|
317
|
+
# rubocop:enable Metrics/CyclomaticComplexity
|
316
318
|
# rubocop:enable Metrics/PerceivedComplexity
|
317
319
|
|
318
320
|
# == Returns:
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# typed:
|
1
|
+
# typed: strict
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require "sorbet-runtime"
|
@@ -20,10 +20,12 @@ module Dependabot
|
|
20
20
|
MODULE_NOT_INSTALLED_ERROR = /Module not installed.*module\s*\"(?<mod>\S+)\"/m
|
21
21
|
GIT_HTTPS_PREFIX = %r{^git::https://}
|
22
22
|
|
23
|
+
sig { override.returns(T::Array[Regexp]) }
|
23
24
|
def self.updated_files_regex
|
24
25
|
[/\.tf$/, /\.hcl$/]
|
25
26
|
end
|
26
27
|
|
28
|
+
sig { override.returns(T::Array[Dependabot::DependencyFile]) }
|
27
29
|
def updated_dependency_files
|
28
30
|
updated_files = []
|
29
31
|
|
@@ -69,23 +71,25 @@ module Dependabot
|
|
69
71
|
# (requirements - previous_requirements) | (previous_requirements - requirements)
|
70
72
|
# => [{requirement: "0.9.1"}]
|
71
73
|
# we can detect that change.
|
74
|
+
sig { params(file: Dependabot::DependencyFile, dependency: Dependabot::Dependency).returns(T::Boolean) }
|
72
75
|
def requirement_changed?(file, dependency)
|
73
76
|
changed_requirements =
|
74
|
-
(dependency.requirements - dependency.previous_requirements) |
|
75
|
-
(dependency.previous_requirements - dependency.requirements)
|
77
|
+
(dependency.requirements - T.must(dependency.previous_requirements)) |
|
78
|
+
(T.must(dependency.previous_requirements) - dependency.requirements)
|
76
79
|
|
77
80
|
changed_requirements.any? { |f| f[:file] == file.name }
|
78
81
|
end
|
79
82
|
|
83
|
+
sig { params(file: Dependabot::DependencyFile).returns(String) }
|
80
84
|
def updated_terraform_file_content(file)
|
81
|
-
content = file.content.dup
|
85
|
+
content = T.must(file.content.dup)
|
82
86
|
|
83
|
-
reqs = dependency.requirements.zip(dependency.previous_requirements)
|
87
|
+
reqs = dependency.requirements.zip(T.must(dependency.previous_requirements))
|
84
88
|
.reject { |new_req, old_req| new_req == old_req }
|
85
89
|
|
86
90
|
# Loop through each changed requirement and update the files and lockfile
|
87
91
|
reqs.each do |new_req, old_req|
|
88
|
-
raise "Bad req match" unless new_req[:file] == old_req
|
92
|
+
raise "Bad req match" unless new_req[:file] == old_req&.fetch(:file)
|
89
93
|
next unless new_req.fetch(:file) == file.name
|
90
94
|
|
91
95
|
case new_req[:source][:type]
|
@@ -102,20 +106,37 @@ module Dependabot
|
|
102
106
|
content
|
103
107
|
end
|
104
108
|
|
109
|
+
sig do
|
110
|
+
params(
|
111
|
+
new_req: T::Hash[Symbol, T.untyped],
|
112
|
+
old_req: T.nilable(T::Hash[Symbol, T.untyped]),
|
113
|
+
updated_content: String,
|
114
|
+
filename: String
|
115
|
+
)
|
116
|
+
.void
|
117
|
+
end
|
105
118
|
def update_git_declaration(new_req, old_req, updated_content, filename)
|
106
|
-
url = old_req
|
107
|
-
tag = old_req
|
119
|
+
url = old_req&.dig(:source, :url)&.gsub(%r{^https://}, "")
|
120
|
+
tag = old_req&.dig(:source, :ref)
|
108
121
|
url_regex = /#{Regexp.quote(url)}.*ref=#{Regexp.quote(tag)}/
|
109
122
|
|
110
123
|
declaration_regex = git_declaration_regex(filename)
|
111
124
|
|
112
125
|
updated_content.sub!(declaration_regex) do |regex_match|
|
113
126
|
regex_match.sub(url_regex) do |url_match|
|
114
|
-
url_match.sub(old_req
|
127
|
+
url_match.sub(old_req&.dig(:source, :ref), new_req[:source][:ref])
|
115
128
|
end
|
116
129
|
end
|
117
130
|
end
|
118
131
|
|
132
|
+
sig do
|
133
|
+
params(
|
134
|
+
new_req: T::Hash[Symbol, T.untyped],
|
135
|
+
old_req: T.nilable(T::Hash[Symbol, T.untyped]),
|
136
|
+
updated_content: String
|
137
|
+
)
|
138
|
+
.void
|
139
|
+
end
|
119
140
|
def update_registry_declaration(new_req, old_req, updated_content)
|
120
141
|
regex = if new_req[:source][:type] == "provider"
|
121
142
|
provider_declaration_regex(updated_content)
|
@@ -124,18 +145,20 @@ module Dependabot
|
|
124
145
|
end
|
125
146
|
updated_content.gsub!(regex) do |regex_match|
|
126
147
|
regex_match.sub(/^\s*version\s*=.*/) do |req_line_match|
|
127
|
-
req_line_match.sub(old_req
|
148
|
+
req_line_match.sub(old_req&.fetch(:requirement), new_req[:requirement])
|
128
149
|
end
|
129
150
|
end
|
130
151
|
end
|
131
152
|
|
153
|
+
sig { params(content: String, declaration_regex: Regexp).returns(T::Array[String]) }
|
132
154
|
def extract_provider_h1_hashes(content, declaration_regex)
|
133
155
|
content.match(declaration_regex).to_s
|
134
156
|
.match(hashes_object_regex).to_s
|
135
157
|
.split("\n").map { |hash| hash.match(hashes_string_regex).to_s }
|
136
|
-
.select { |h| h
|
158
|
+
.select { |h| h.match?(/^h1:/) }
|
137
159
|
end
|
138
160
|
|
161
|
+
sig { params(content: String, declaration_regex: Regexp).returns(String) }
|
139
162
|
def remove_provider_h1_hashes(content, declaration_regex)
|
140
163
|
content.match(declaration_regex).to_s
|
141
164
|
.sub(hashes_object_regex, "")
|
@@ -155,8 +178,9 @@ module Dependabot
|
|
155
178
|
[T.must(content), provider_source, declaration_regex]
|
156
179
|
end
|
157
180
|
|
181
|
+
sig { returns(T.nilable(T::Array[Symbol])) }
|
158
182
|
def lookup_hash_architecture # rubocop:disable Metrics/AbcSize, Metrics/MethodLength, Metrics/PerceivedComplexity
|
159
|
-
new_req = dependency.requirements.first
|
183
|
+
new_req = T.must(dependency.requirements.first)
|
160
184
|
|
161
185
|
# NOTE: Only providers are included in the lockfile, modules are not
|
162
186
|
return unless new_req[:source][:type] == "provider"
|
@@ -222,14 +246,23 @@ module Dependabot
|
|
222
246
|
architectures.to_a
|
223
247
|
end
|
224
248
|
|
249
|
+
sig { returns(T::Array[Symbol]) }
|
225
250
|
def architecture_type
|
226
|
-
@architecture_type ||=
|
251
|
+
@architecture_type ||= T.let(
|
252
|
+
if lookup_hash_architecture.nil? || lookup_hash_architecture&.empty?
|
253
|
+
[:linux_amd64]
|
254
|
+
else
|
255
|
+
T.must(lookup_hash_architecture)
|
256
|
+
end,
|
257
|
+
T.nilable(T::Array[Symbol])
|
258
|
+
)
|
227
259
|
end
|
228
260
|
|
261
|
+
sig { params(updated_manifest_files: T::Array[Dependabot::DependencyFile]).returns(T.nilable(String)) }
|
229
262
|
def update_lockfile_declaration(updated_manifest_files) # rubocop:disable Metrics/AbcSize, Metrics/PerceivedComplexity
|
230
263
|
return if lockfile.nil?
|
231
264
|
|
232
|
-
new_req = dependency.requirements.first
|
265
|
+
new_req = T.must(dependency.requirements.first)
|
233
266
|
# NOTE: Only providers are included in the lockfile, modules are not
|
234
267
|
return unless new_req[:source][:type] == "provider"
|
235
268
|
|
@@ -268,7 +301,7 @@ module Dependabot
|
|
268
301
|
raise if @retrying_lock || !e.message.include?("terraform init")
|
269
302
|
|
270
303
|
# NOTE: Modules need to be installed before terraform can update the lockfile
|
271
|
-
@retrying_lock = true
|
304
|
+
@retrying_lock = T.let(true, T.nilable(T::Boolean))
|
272
305
|
run_terraform_init
|
273
306
|
retry
|
274
307
|
end
|
@@ -276,6 +309,7 @@ module Dependabot
|
|
276
309
|
content
|
277
310
|
end
|
278
311
|
|
312
|
+
sig { void }
|
279
313
|
def run_terraform_init
|
280
314
|
SharedHelpers.with_git_configured(credentials: credentials) do
|
281
315
|
# -backend=false option used to ignore any backend configuration, as these won't be accessible
|
@@ -298,30 +332,36 @@ module Dependabot
|
|
298
332
|
end
|
299
333
|
end
|
300
334
|
|
335
|
+
sig { returns(Dependabot::Dependency) }
|
301
336
|
def dependency
|
302
337
|
# Terraform updates will only ever be updating a single dependency
|
303
|
-
dependencies.first
|
338
|
+
T.must(dependencies.first)
|
304
339
|
end
|
305
340
|
|
341
|
+
sig { returns(T::Array[Dependabot::DependencyFile]) }
|
306
342
|
def files_with_requirement
|
307
343
|
filenames = dependency.requirements.map { |r| r[:file] }
|
308
344
|
dependency_files.select { |file| filenames.include?(file.name) }
|
309
345
|
end
|
310
346
|
|
347
|
+
sig { override.void }
|
311
348
|
def check_required_files
|
312
349
|
return if [*terraform_files, *terragrunt_files].any?
|
313
350
|
|
314
351
|
raise "No Terraform configuration file!"
|
315
352
|
end
|
316
353
|
|
354
|
+
sig { returns(Regexp) }
|
317
355
|
def hashes_object_regex
|
318
356
|
/hashes\s*=\s*[^\]]*\]/m
|
319
357
|
end
|
320
358
|
|
359
|
+
sig { returns(Regexp) }
|
321
360
|
def hashes_string_regex
|
322
361
|
/(?<=\").*(?=\")/
|
323
362
|
end
|
324
363
|
|
364
|
+
sig { params(updated_content: String).returns(Regexp) }
|
325
365
|
def provider_declaration_regex(updated_content)
|
326
366
|
name = Regexp.escape(dependency.name)
|
327
367
|
registry_host = Regexp.escape(registry_host_for(dependency))
|
@@ -341,6 +381,7 @@ module Dependabot
|
|
341
381
|
end
|
342
382
|
end
|
343
383
|
|
384
|
+
sig { returns(Regexp) }
|
344
385
|
def registry_declaration_regex
|
345
386
|
%r{
|
346
387
|
(?<=\{)
|
@@ -354,6 +395,7 @@ module Dependabot
|
|
354
395
|
}mx
|
355
396
|
end
|
356
397
|
|
398
|
+
sig { params(filename: String).returns(Regexp) }
|
357
399
|
def git_declaration_regex(filename)
|
358
400
|
# For terragrunt dependencies there's not a lot we can base the
|
359
401
|
# regex on. Just look for declarations within a `terraform` block
|
@@ -361,13 +403,14 @@ module Dependabot
|
|
361
403
|
|
362
404
|
# For modules we can do better - filter for module blocks that use the
|
363
405
|
# name of the module
|
364
|
-
module_name = dependency.name.split("::").first
|
406
|
+
module_name = T.must(dependency.name.split("::").first)
|
365
407
|
/
|
366
408
|
module\s+["']#{Regexp.escape(module_name)}["']\s*\{
|
367
409
|
(?:(?!^\}).)*
|
368
410
|
/mx
|
369
411
|
end
|
370
412
|
|
413
|
+
sig { params(dependency: Dependabot::Dependency).returns(String) }
|
371
414
|
def registry_host_for(dependency)
|
372
415
|
source = dependency.requirements.filter_map { |r| r[:source] }.first
|
373
416
|
source[:registry_hostname] || source["registry_hostname"] || "registry.terraform.io"
|
@@ -25,11 +25,13 @@ module Dependabot
|
|
25
25
|
# rubocop:disable Metrics/PerceivedComplexity
|
26
26
|
# See https://www.terraform.io/docs/modules/sources.html#http-urls for
|
27
27
|
# details of how Terraform handle HTTP(S) sources for modules
|
28
|
-
|
28
|
+
# rubocop:disable Metrics/AbcSize
|
29
|
+
# rubocop:disable Metrics/CyclomaticComplexity
|
30
|
+
def self.get_proxied_source(raw_source)
|
29
31
|
return raw_source unless raw_source.start_with?("http")
|
30
32
|
|
31
33
|
uri = URI.parse(raw_source.split(%r{(?<!:)//}).first)
|
32
|
-
return raw_source if uri.path
|
34
|
+
return raw_source if ARCHIVE_EXTENSIONS.any? { |ext| uri.path&.end_with?(ext) }
|
33
35
|
return raw_source if URI.parse(raw_source).query&.include?("archive=")
|
34
36
|
|
35
37
|
url = raw_source.split(%r{(?<!:)//}).first + "?terraform-get=1"
|
@@ -49,6 +51,8 @@ module Dependabot
|
|
49
51
|
|
50
52
|
raw_source
|
51
53
|
end
|
54
|
+
# rubocop:enable Metrics/CyclomaticComplexity
|
55
|
+
# rubocop:enable Metrics/AbcSize
|
52
56
|
# rubocop:enable Metrics/PerceivedComplexity
|
53
57
|
|
54
58
|
# Fetch all the versions of a provider, and return a Version
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-terraform
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.281.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-10-
|
11
|
+
date: 2024-10-17 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dependabot-common
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.
|
19
|
+
version: 0.281.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.
|
26
|
+
version: 0.281.0
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: debug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -156,14 +156,14 @@ dependencies:
|
|
156
156
|
requirements:
|
157
157
|
- - "~>"
|
158
158
|
- !ruby/object:Gem::Version
|
159
|
-
version: 0.8.
|
159
|
+
version: 0.8.5
|
160
160
|
type: :development
|
161
161
|
prerelease: false
|
162
162
|
version_requirements: !ruby/object:Gem::Requirement
|
163
163
|
requirements:
|
164
164
|
- - "~>"
|
165
165
|
- !ruby/object:Gem::Version
|
166
|
-
version: 0.8.
|
166
|
+
version: 0.8.5
|
167
167
|
- !ruby/object:Gem::Dependency
|
168
168
|
name: simplecov
|
169
169
|
requirement: !ruby/object:Gem::Requirement
|
@@ -260,7 +260,7 @@ licenses:
|
|
260
260
|
- MIT
|
261
261
|
metadata:
|
262
262
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
263
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
263
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.281.0
|
264
264
|
post_install_message:
|
265
265
|
rdoc_options: []
|
266
266
|
require_paths:
|