dependabot-terraform 0.317.0 → 0.318.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b7055fe970a2f595c719cd45b125f54ea2e264b9ef1b29f34366a323d2c39a41
-  data.tar.gz: 526f1865cc6eb012a364740a4e6fa3784e5d0d066bb3bb0826ceb3807138e934
+  metadata.gz: 9aeadb67b3052b13cdaab12209c8be0e0c47aa7cc9077573fbe10396d2f63469
+  data.tar.gz: 340bfd127b2153d12aaa520abbae5d95bd86c5229aeaf73a316b4153af7fb6bb
 SHA512:
-  metadata.gz: 4b627d2cb8fc9ddb8cce9bbd29b3eb67d33d8df747c9610c6ceb8789fa4d16cb85a136930e478a8f4b3705811fd6034e3102a7fc881c880477ab07cd17ba68fc
-  data.tar.gz: 9bbc4238991c385ad673235de866d6f63cf03ed341ae40f094636db50b3076bd8f5bb0812ea96c631e9b08e7f825833275a99c1b1d65bc4c41e2a69af19ea6ba
+  metadata.gz: 94807295eb7c44635117a07a30d6073f744d40768d8f1ac45815aa1ffa421149c3c7e7dea7921e22cda1528a1959a6af000dd42e69ae2a305b3972c151a3565c
+  data.tar.gz: da3966cf9b5003da0d1ed7b2a08db979e83cc4d27cd717f070c627c78648bd6ad4b25dcd9a83e46b0af738f1098a2f666685a8844621a1b10158170896add941

data/lib/dependabot/terraform/package/package_details_fetcher.rb

@@ -0,0 +1,135 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "json"
+require "time"
+require "cgi"
+require "excon"
+require "sorbet-runtime"
+require "dependabot/swift"
+
+module Dependabot
+  module Terraform
+    module Package
+      class PackageDetailsFetcher
+        extend T::Sig
+
+        RELEASES_URL_GIT = "https://api.github.com/repos/"
+        RELEASE_URL_FOR_PROVIDER = "https://registry.terraform.io/v2/providers/"
+        RELEASE_URL_FOR_MODULE = "https://registry.terraform.io/v2/modules/"
+        APPLICATION_JSON = "JSON"
+        INCLUDE_FOR_PROVIDER = "?include=provider-versions"
+        INCLUDE_FOR_MODULE = "?include=module-versions"
+        # https://registry.terraform.io/v2/providers/hashicorp/aws?include=provider-versions
+        # https://registry.terraform.io/v2/modules/terraform-aws-modules/iam/aws?include=module-versions
+
+        ELIGIBLE_SOURCE_TYPES = T.let(
+          %w(git provider registry).freeze,
+          T::Array[String]
+        )
+
+        sig do
+          params(
+            dependency: Dependency,
+            credentials: T::Array[Dependabot::Credential],
+            git_commit_checker: Dependabot::GitCommitChecker
+          ).void
+        end
+        def initialize(dependency:, credentials:, git_commit_checker:)
+          @dependency = dependency
+          @credentials = credentials
+          @git_commit_checker = git_commit_checker
+        end
+
+        sig { returns(Dependabot::GitCommitChecker) }
+        attr_reader :git_commit_checker
+
+        sig { returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
+
+        sig { returns(T::Array[GitTagWithDetail]) }
+        def fetch_tag_and_release_date
+          truncate_github_url = @dependency.name.gsub("github.com/", "")
+          url = RELEASES_URL_GIT + "#{truncate_github_url}/releases"
+          result_lines = T.let([], T::Array[GitTagWithDetail])
+          # Fetch the releases from the GitHub API
+          response = Excon.get(url, headers: { "Accept" => "application/vnd.github.v3+json" })
+          Dependabot.logger.error("Failed call details: #{response.body}") unless response.status == 200
+          return result_lines unless response.status == 200
+
+          # Parse the JSON response
+          releases = JSON.parse(response.body)
+
+          # Extract version names and release dates into a hash
+          releases.map do |release|
+            result_lines << GitTagWithDetail.new(
+              tag: release["tag_name"],
+              release_date: release["published_at"]
+            )
+          end
+
+          # sort the result lines by tag in descending order
+          result_lines = result_lines.sort_by(&:tag).reverse
+          # Log the extracted details for debugging
+          Dependabot.logger.info("Extracted release details: #{result_lines}")
+          result_lines
+        end
+
+        sig { returns(T::Array[GitTagWithDetail]) }
+        def fetch_tag_and_release_date_from_provider
+          url = RELEASE_URL_FOR_PROVIDER + dependency_source_details&.fetch(:module_identifier) +
+                INCLUDE_FOR_PROVIDER
+          Dependabot.logger.info("Fetching provider release details from URL: #{url}")
+          result_lines = T.let([], T::Array[GitTagWithDetail])
+          # Fetch the releases from the provider API
+          response = Excon.get(url, headers: { "Accept" => "application/vnd.github.v3+json" })
+          Dependabot.logger.error("Failed call details: #{response.body}") unless response.status == 200
+          return result_lines unless response.status == 200
+
+          # Parse the JSON response
+          releases = JSON.parse(response.body).fetch("provider_versions", [])
+
+          # Extract version names and release dates into result_lines
+          releases.each do |release|
+            result_lines << GitTagWithDetail.new(
+              tag: release["version"],
+              release_date: release["published_at"]
+            )
+          end
+          # Sort the result lines by tag in descending order
+          result_lines.sort_by(&:tag).reverse
+        end
+
+        sig { returns(T::Array[GitTagWithDetail]) }
+        def fetch_tag_and_release_date_from_module
+          url = RELEASE_URL_FOR_MODULE + dependency_source_details&.fetch(:module_identifier) +
+                INCLUDE_FOR_MODULE
+          Dependabot.logger.info("Fetching provider release details from URL: #{url}")
+          result_lines = T.let([], T::Array[GitTagWithDetail])
+          # Fetch the releases from the provider API
+          response = Excon.get(url, headers: { "Accept" => "application/vnd.github.v3+json" })
+          Dependabot.logger.error("Failed call details: #{response.body}") unless response.status == 200
+          return result_lines unless response.status == 200
+
+          # Parse the JSON response
+          releases = JSON.parse(response.body).fetch("module-versions", [])
+
+          # Extract version names and release dates into result_lines
+          releases.each do |release|
+            result_lines << GitTagWithDetail.new(
+              tag: release["version"],
+              release_date: release["published_at"]
+            )
+          end
+          # Sort the result lines by tag in descending order
+          result_lines.sort_by(&:tag).reverse
+        end
+
+        sig { returns(T.nilable(T::Hash[T.any(String, Symbol), T.untyped])) }
+        def dependency_source_details
+          @dependency.source_details(allowed_types: ELIGIBLE_SOURCE_TYPES)
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/terraform/update_checker/latest_version_resolver.rb

@@ -0,0 +1,200 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/update_checkers/base"
+require "dependabot/terraform/package/package_details_fetcher"
+require "sorbet-runtime"
+require "dependabot/git_commit_checker"
+
+module Dependabot
+  module Terraform
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      class LatestVersionResolver
+        extend T::Sig
+
+        DAY_IN_SECONDS = T.let(24 * 60 * 60, Integer)
+
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            credentials: T::Array[Dependabot::Credential],
+            cooldown_options: T.nilable(Dependabot::Package::ReleaseCooldownOptions),
+            git_commit_checker: Dependabot::GitCommitChecker
+          ).void
+        end
+        def initialize(dependency:, credentials:, cooldown_options:, git_commit_checker:)
+          @dependency = dependency
+          @credentials = credentials
+          @cooldown_options = cooldown_options
+          @git_commit_checker = T.let(
+            git_commit_checker,
+            Dependabot::GitCommitChecker
+          )
+        end
+
+        sig { returns(Dependabot::Dependency) }
+        attr_reader :dependency
+
+        # Return latest version tag for the dependency, it removes tags that are in cooldown period
+        # and returns the latest version tag that is not in cooldown period. If exception occurs
+        # it will return the latest version tag from the git_commit_checker. as it was before
+        sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+        def latest_version_tag
+          # step one fetch allowed version tags and
+          allowed_version_tags = git_commit_checker.allowed_version_tags
+          begin
+            # sort the allowed version tags by name in descending order
+            select_version_tags_in_cooldown_period&.each do |tag_name|
+              # filter out if name is not in cooldown period
+              allowed_version_tags.reject! do |gitref_filtered|
+                true if gitref_filtered.name == tag_name
+              end
+            end
+            Dependabot.logger.info("Allowed version tags after filtering versions in cooldown:
+              #{allowed_version_tags.map(&:name).join(', ')}")
+            git_commit_checker.max_local_tag(allowed_version_tags)
+          rescue StandardError => e
+            Dependabot.logger.error("Error fetching latest version tag: #{e.message}")
+            git_commit_checker.local_tag_for_latest_version
+          end
+        end
+
+        # To filter versions in cooldown period based on version tags from registry call
+        sig { params(versions: T::Array[Dependabot::Version]).returns(T::Array[Dependabot::Version]) }
+        def filter_versions_in_cooldown_period_from_provider(versions)
+          # to make call for registry to get the versions
+          # step one fetch allowed version tags and
+
+          # sort the allowed version tags by name in descending order
+          select_tags_which_in_cooldown_from_provider&.each do |tag_name|
+            # Iterate through versions and filter out those matching the tag_name
+            versions.reject! do |version|
+              version.to_s == tag_name
+            end
+          end
+          Dependabot.logger.info("Allowed version tags after filtering versions in cooldown:
+                #{versions.map(&:to_s).join(', ')}")
+          versions
+        rescue StandardError => e
+          Dependabot.logger.error("Error filter_versions_in_cooldown_period_from_provider(versions): #{e.message}")
+          versions
+        end
+
+        # To filter versions in cooldown period based on version tags from registry call
+        sig { params(versions: T::Array[Dependabot::Version]).returns(T::Array[Dependabot::Version]) }
+        def filter_versions_in_cooldown_period_from_module(versions)
+          # to make call for registry to get the versions
+          # step one fetch allowed version tags and
+
+          # sort the allowed version tags by name in descending order
+          select_tags_which_in_cooldown_from_module&.each do |tag_name|
+            # Iterate through versions and filter out those matching the tag_name
+            versions.reject! do |version|
+              version.to_s == tag_name
+            end
+          end
+          Dependabot.logger.info("filter_versions_in_cooldown_period_from_module::
+              Allowed version tags after filtering versions in cooldown:#{versions.map(&:to_s).join(', ')}")
+          versions
+        rescue StandardError => e
+          Dependabot.logger.error("Error fetching latest version tag: #{e.message}")
+          versions
+        end
+
+        sig { returns(T.nilable(T::Array[String])) }
+        def select_version_tags_in_cooldown_period
+          version_tags_in_cooldown_period = T.let([], T::Array[String])
+
+          package_details_fetcher.fetch_tag_and_release_date.each do |git_tag_with_detail|
+            if check_if_version_in_cooldown_period?(T.must(git_tag_with_detail.release_date))
+              version_tags_in_cooldown_period << git_tag_with_detail.tag
+            end
+          end
+          version_tags_in_cooldown_period
+        rescue StandardError => e
+          Dependabot.logger.error("Error checking if version is in cooldown: #{e.message}")
+          version_tags_in_cooldown_period
+        end
+
+        sig { params(release_date: String).returns(T::Boolean) }
+        def check_if_version_in_cooldown_period?(release_date)
+          return false unless release_date.length.positive?
+
+          cooldown = @cooldown_options
+          return false unless cooldown
+
+          return false if cooldown.nil?
+
+          # Get maximum cooldown days based on semver parts
+          days = [cooldown.default_days, cooldown.semver_major_days].max
+          days = cooldown.semver_minor_days unless days > cooldown.semver_minor_days
+          days = cooldown.semver_patch_days unless days > cooldown.semver_patch_days
+          # Calculate the number of seconds passed since the release
+          passed_seconds = Time.now.to_i - release_date_to_seconds(release_date)
+          # Check if the release is within the cooldown period
+          passed_seconds < days * DAY_IN_SECONDS
+        end
+
+        sig { params(release_date: String).returns(Integer) }
+        def release_date_to_seconds(release_date)
+          Time.parse(release_date).to_i
+        rescue ArgumentError => e
+          Dependabot.logger.error("Invalid release date format: #{release_date} and error: #{e.message}")
+          0 # Default to 360 days in seconds if parsing fails, so that it will not be in cooldown
+        end
+
+        sig { returns(T.nilable(T::Array[String])) }
+        def select_tags_which_in_cooldown_from_provider
+          version_tags_in_cooldown_from_provider = T.let([], T::Array[String])
+
+          package_details_fetcher.fetch_tag_and_release_date_from_provider.each do |git_tag_with_detail|
+            if check_if_version_in_cooldown_period?(T.must(git_tag_with_detail.release_date))
+              version_tags_in_cooldown_from_provider << git_tag_with_detail.tag
+            end
+          end
+          version_tags_in_cooldown_from_provider
+        rescue StandardError => e
+          Dependabot.logger.error("Error checking if version is in cooldown: #{e.message}")
+          version_tags_in_cooldown_from_provider
+        end
+
+        sig { returns(T.nilable(T::Array[String])) }
+        def select_tags_which_in_cooldown_from_module
+          version_tags_in_cooldown_from_module = T.let([], T::Array[String])
+
+          package_details_fetcher.fetch_tag_and_release_date_from_module.each do |git_tag_with_detail|
+            if check_if_version_in_cooldown_period?(T.must(git_tag_with_detail.release_date))
+              version_tags_in_cooldown_from_module << git_tag_with_detail.tag
+            end
+          end
+          version_tags_in_cooldown_from_module
+        rescue StandardError => e
+          Dependabot.logger.error("Error checking if version is in cooldown: #{e.message}")
+          version_tags_in_cooldown_from_module
+        end
+
+        sig { returns(Package::PackageDetailsFetcher) }
+        def package_details_fetcher
+          @package_details_fetcher ||= T.let(
+            Package::PackageDetailsFetcher.new(
+              dependency: dependency,
+              credentials: credentials,
+              git_commit_checker: git_commit_checker
+            ), T.nilable(Package::PackageDetailsFetcher)
+          )
+        end
+
+        sig { returns(T::Boolean) }
+        def cooldown_enabled?
+          Dependabot::Experiments.enabled?(:enable_cooldown_for_swift)
+        end
+
+        sig { returns(Dependabot::GitCommitChecker) }
+        attr_reader :git_commit_checker
+
+        sig { returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
+      end
+    end
+  end
+end

data/lib/dependabot/terraform/update_checker.rb

@@ -16,6 +16,8 @@ module Dependabot
     class UpdateChecker < Dependabot::UpdateCheckers::Base
       extend T::Sig
 
+      require_relative "update_checker/latest_version_resolver"
+
       ELIGIBLE_SOURCE_TYPES = T.let(
         %w(git provider registry).freeze,
         T::Array[String]
@@ -79,9 +81,10 @@ module Dependabot
         return @latest_version_for_registry_dependency if @latest_version_for_registry_dependency
 
         versions = all_module_versions
+        # Filter versions which are in cooldown period
+        latest_version_resolver.filter_versions_in_cooldown_period_from_module(versions)
         versions.reject!(&:prerelease?) unless wants_prerelease?
         versions.reject! { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } }
-
         @latest_version_for_registry_dependency = T.let(
           versions.max,
           T.nilable(Dependabot::Terraform::Version)
@@ -118,6 +121,8 @@ module Dependabot
         return @latest_version_for_provider_dependency if @latest_version_for_provider_dependency
 
         versions = all_provider_versions
+        # Filter versions which are in cooldown period
+        latest_version_resolver.filter_versions_in_cooldown_period_from_provider(versions)
         versions.reject!(&:prerelease?) unless wants_prerelease?
         versions.reject! { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } }
 
@@ -153,8 +158,8 @@ module Dependabot
         # we want to update that tag. Because we don't have a lockfile, the
         # latest version is the tag itself.
         if git_commit_checker.pinned_ref_looks_like_version?
-          latest_tag = git_commit_checker.local_tag_for_latest_version
-                                         &.fetch(:tag)
+          # Filter version tags that are in cooldown period
+          latest_tag =  latest_version_resolver.latest_version_tag&.fetch(:tag)
           version_rgx = GitCommitChecker::VERSION_REGEX
           return unless latest_tag.match(version_rgx)
 
@@ -214,6 +219,16 @@ module Dependabot
         git_commit_checker.git_dependency?
       end
 
+      sig { returns(LatestVersionResolver) }
+      def latest_version_resolver
+        LatestVersionResolver.new(
+          dependency: dependency,
+          credentials: credentials,
+          cooldown_options: update_cooldown,
+          git_commit_checker: git_commit_checker
+        )
+      end
+
       sig { returns(Dependabot::GitCommitChecker) }
       def git_commit_checker
         @git_commit_checker ||= T.let(

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-terraform
 version: !ruby/object:Gem::Version
-  version: 0.317.0
+  version: 0.318.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.317.0
+        version: 0.318.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.317.0
+        version: 0.318.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -249,18 +249,20 @@ files:
 - lib/dependabot/terraform/file_selector.rb
 - lib/dependabot/terraform/file_updater.rb
 - lib/dependabot/terraform/metadata_finder.rb
+- lib/dependabot/terraform/package/package_details_fetcher.rb
 - lib/dependabot/terraform/package_manager.rb
 - lib/dependabot/terraform/registry_client.rb
 - lib/dependabot/terraform/requirement.rb
 - lib/dependabot/terraform/requirements_updater.rb
 - lib/dependabot/terraform/update_checker.rb
+- lib/dependabot/terraform/update_checker/latest_version_resolver.rb
 - lib/dependabot/terraform/version.rb
 homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.317.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.318.0
 rdoc_options: []
 require_paths:
 - lib