dependanot 0.1.2 → 0.1.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e6b6b8422f1c510199070d5eaf33c8c2fef772d09430a2aaf767fa1e644ec664
-  data.tar.gz: 820fa64f9730ed96538df5f5ca8ca63ac5d103a87f675d825519264b68f0c884
+  metadata.gz: 17784d154fbeddc3386710cab5b82326ec7e92bc0900afae82616019a58f41ea
+  data.tar.gz: 97c7cf19c1db2fca7259bfecf4eebc5aa627a05456b402c5c075f0b9e39b7399
 SHA512:
-  metadata.gz: 722e4985f630ee173803ae22f4b00a84139ba13a4473f29f4852e85418da742c1a153e59ed6eeaa0930e32bbcdcf0e21628f83081015c4c78ab21afd41461dfb
-  data.tar.gz: eb9127f744df240a387439f6a35703a7a9191c08eb2f530a82448ddf2ea2ab89184f8726f9f70ef9c0f758cfbb8a29a119ea986413071e0bb92b114cf35ec02f
+  metadata.gz: f2ef3acea6d7f6109c40095abdf26de5ea6d5f2ee2e2f23275a95391889d40570cb100caec1dc4009d8b274c13f4981f14af614e17d6bdfc16a736e38da3276e
+  data.tar.gz: f0767ac6caf6346191384fffa7dca32a160a2dcbd5da5241705b447e4b2bc786132d785ca599a99ab9990d455c0d15f14d71081e49beea1ba455447526ed83ea

data/README.md

@@ -32,7 +32,7 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/xlgmokha/dependabot.
+Bug reports and pull requests are welcome on GitHub at https://github.com/dependanot/cli.
 
 ## License
 

data/dependabot.gemspec

@@ -12,13 +12,16 @@ Gem::Specification.new do |spec|
   spec.homepage = "https://github.com/dependanot/cli"
   spec.license = "MIT"
   spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["rubygems_mfa_required"] = "true"
   spec.name = "dependanot"
   spec.require_paths = ["lib"]
   spec.required_ruby_version = ">= 3.0.0"
   spec.summary = "The Dependabot CLI"
   spec.version = Dependabot::VERSION
+  spec.add_dependency "bundler", "~> 2.0"
   spec.add_dependency "octokit", "~> 4.0"
   spec.add_dependency "rugged", "~> 1.2"
-  spec.add_dependency "spandx", "~> 0.1"
+  spec.add_dependency "spandx", ">= 0.18.3"
   spec.add_dependency "thor", "~> 1.1"
+  spec.add_development_dependency "debug", "~> 1.4"
 end

data/lib/dependabot/bundler/update.rb

@@ -8,7 +8,7 @@ module Dependabot
 
         Dir.chdir(dependency.path.parent) do
           ::Bundler.with_unbundled_env do
-            system "bundle update #{dependency.name} --conservative --quiet"
+            system({ "RUBYOPT" => "-W0" }, "bundle update #{dependency.name} --conservative --quiet")
           end
         end
       end

data/lib/dependabot/cli/scan.rb

@@ -3,7 +3,7 @@
 module Dependabot
   module CLI
     class Scan
-      attr_reader :path
+      attr_reader :path, :options
 
       def initialize(path, options)
         @path = ::Pathname.new(path)
@@ -12,7 +12,7 @@ module Dependabot
 
       def run
         each_dependency do |dependency|
-          update!(dependency)
+          publish_update_for(dependency)
         end
       end
 
@@ -20,7 +20,7 @@ module Dependabot
 
       def each_file(&block)
         ::Spandx::Core::PathTraversal
-          .new(path, recursive: false)
+          .new(path, recursive: options[:recursive])
           .each(&block)
       end
 
@@ -30,25 +30,9 @@ module Dependabot
         end
       end
 
-      def update!(dependency)
-        Dir.chdir(dependency.path.parent) do |path|
-          puts "Updating #{dependency.name}..."
-          branch_name = "dependanot/#{dependency.package_manager}/#{dependency.name}"
-
-          repo = Rugged::Repository.discover(dependency.path.parent)
-          branch = repo.create_branch(branch_name, repo.head.name)
-
-          ::Spandx::Core::Plugin.enhance(dependency)
-
-          repo.status do |file, status|
-            puts "#{file} has status: #{status.inspect}"
-          end
-          puts repo.index.diff.patch
-          puts
-
-          repo.branches.delete(branch_name)
-          repo.checkout_head(strategy: :force)
-        end
+      def publish_update_for(dependency)
+        ::Dependabot.logger.debug("Updating #{dependency.name}…")
+        ::Dependabot::Publish.new(dependency).update!(push: options[:push])
       end
     end
   end

data/lib/dependabot/cli.rb

@@ -7,7 +7,9 @@ require "dependabot/cli/scan"
 module Dependabot
   module CLI
     class Application < Thor
-      desc "scan [DIRECTORY]", "Scan a directory"
+      desc "scan [DIRECTORY | FILE]", "Scan a directory or file for dependencies to update"
+      method_option :push, aliases: "-p", type: :boolean, desc: "Push the update as a pull request. Default: --no-push", default: false
+      method_option :recursive, aliases: "-r", type: :boolean, desc: "Perform a recursive. Default: --no-recursive", default: false
       def scan(path = Pathname.pwd)
         ::Dependabot::CLI::Scan.new(path, options).run
       end

data/lib/dependabot/git.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Dependabot
+  class Git
+    attr_reader :repo
+
+    def initialize(path)
+      @path = path
+      @repo = Rugged::Repository.discover(path)
+    end
+
+    def checkout(branch:)
+      repo.create_branch(branch, repo.head.name)
+      repo.checkout(branch)
+    end
+
+    def push(remote: "origin", branch: "HEAD")
+      repo.push(remote, ["refs/heads/#{branch}"], credentials: credentials)
+    end
+
+    def patch
+      repo.index.diff.patch
+    end
+
+    def commit(message:, all: false)
+      repo.status { |path, status| stage(path) if status.include?(:worktree_modified) } if all
+
+      Rugged::Commit.create(repo, {
+        message: message,
+        parents: repo.empty? ? [] : [repo.head.target].compact,
+        tree: repo.index.write_tree(repo),
+        update_ref: "HEAD",
+        author: { email: "dependabot[bot]@users.noreply.github.com", name: "dependabot[bot]" },
+        committer: { email: "dependabot[bot]@users.noreply.github.com", name: "dependabot[bot]" },
+      })
+    end
+
+    private
+
+    def stage(path)
+      repo.index.add(path)
+    end
+
+    def credentials
+      if ENV["CI"]
+        Rugged::Credentials::UserPassword.new(username: "x-access-token", password: Dependabot.github.token)
+      else
+        Rugged::Credentials::SshKeyFromAgent.new(username: "git")
+      end
+    end
+  end
+end

data/lib/dependabot/publish.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+module Dependabot
+  class Publish
+    attr_reader :dependency
+
+    def initialize(dependency)
+      @dependency = dependency
+    end
+
+    def update!(push: false)
+      git_for(dependency, push: push) do |git|
+        ::Spandx::Core::Plugin.enhance(dependency)
+        Dependabot.logger.debug(git.patch) unless git.patch.empty?
+      end
+    end
+
+    private
+
+    def branch_name_for(dependency)
+      "dependanot/#{dependency.package_manager}/#{dependency.name}"
+    end
+
+    def git_for(dependency, branch_name: branch_name_for(dependency), push: false)
+      git = ::Dependabot::Git.new(dependency.path.parent)
+      default_branch = git.repo.head.name
+      git.checkout(branch: branch_name)
+      yield git
+      publish_pull_request_for(dependency, default_branch, branch_name, git, push) unless git.patch.empty?
+    ensure
+      git.repo.checkout_head(strategy: :force)
+      git.repo.checkout(default_branch)
+    end
+
+    def description_for(dependency)
+      <<~MARKDOWN
+        Bumps [#{dependency.name}](#)
+
+        <details>
+        <summary>Changelog</summary>
+        </details>
+
+        <details>
+        <summary>Commits</summary>
+        </details>
+
+        <br />
+
+        Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
+        ---
+
+        <details>
+        <summary>Dependabot commands and options</summary>
+        <br />
+
+        You can trigger Dependabot actions by commenting on this PR:
+        - `@dependabot rebase` will rebase this PR
+        - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
+        - `@dependabot merge` will merge this PR after your CI passes on it
+        - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
+        - `@dependabot cancel merge` will cancel a previously requested merge and block automerging
+        - `@dependabot reopen` will reopen this PR if it is closed
+        - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
+        - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
+        - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
+        - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
+        </details>
+      MARKDOWN
+    end
+
+    def publish_pull_request_for(dependency, default_branch, branch_name, git, push)
+      git.commit(all: true, message: "chore: Update #{dependency.name}")
+      return unless push
+
+      git.push(remote: "origin", branch: branch_name)
+      Dependabot.octokit.create_pull_request(
+        GitHub.name_with_owner_from(git.repo.remotes["origin"].url),
+        default_branch,
+        branch_name,
+        "chore(deps): bump #{dependency}",
+        description_for(dependency)
+      )
+    end
+  end
+end

data/lib/dependabot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.1.2"
+  VERSION = "0.1.6"
 end

data/lib/dependabot.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "bundler"
 require "github"
 require "logger"
 require "octokit"
@@ -7,6 +8,8 @@ require "rugged"
 require "spandx"
 
 require_relative "dependabot/bundler/update"
+require_relative "dependabot/git"
+require_relative "dependabot/publish"
 require_relative "dependabot/tracer"
 require_relative "dependabot/version"
 
@@ -14,7 +17,11 @@ module Dependabot
   class Error < StandardError; end
 
   def self.logger
-    @logger ||= Logger.new($stderr)
+    @logger ||= Logger.new($stderr, level: ENV.fetch("LOG_LEVEL", Logger::WARN)).tap do |x|
+      x.formatter = proc do |_severity, _datetime, _progname, message|
+        "[v#{VERSION}] #{message}\n"
+      end
+    end
   end
 
   def self.tracer

data/lib/github.rb

@@ -18,6 +18,14 @@ class GitHub
     @workspace = workspace
   end
 
+  class << self
+    def name_with_owner_from(url)
+      regex = %r{(?<x>(?<scheme>https|ssh)://)?(?<username>git@)?github.com[:|/](?<nwo>\w+/\w+)(?<extension>\.git)?}
+      match = url.match(regex)
+      match && match["nwo"]
+    end
+  end
+
   private
 
   def default_api_url

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: dependanot
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.6
 platform: ruby
 authors:
 - mo khan
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-12-17 00:00:00.000000000 Z
+date: 2021-12-20 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: octokit
   requirement: !ruby/object:Gem::Requirement
@@ -42,16 +56,16 @@ dependencies:
   name: spandx
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '0.1'
+        version: 0.18.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '0.1'
+        version: 0.18.3
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
@@ -66,6 +80,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: debug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
 description: The Dependabot CLI
 email:
 - xlgmokha@github.com
@@ -82,6 +110,8 @@ files:
 - lib/dependabot/bundler/update.rb
 - lib/dependabot/cli.rb
 - lib/dependabot/cli/scan.rb
+- lib/dependabot/git.rb
+- lib/dependabot/publish.rb
 - lib/dependabot/tracer.rb
 - lib/dependabot/version.rb
 - lib/github.rb
@@ -90,6 +120,7 @@ licenses:
 - MIT
 metadata:
   homepage_uri: https://github.com/dependanot/cli
+  rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -105,7 +136,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.33
+rubygems_version: 3.2.32
 signing_key:
 specification_version: 4
 summary: The Dependabot CLI