spm_version_updates 1.1.1

data/lib/spm_version_updates/package_resolved.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require "json"
+require_relative "git_operations"
+
+# Parsing for `Package.resolved` files.
+#
+# Handles both the v1 format (pins nested under `"object"`) and the v2+ format
+# (pins at the top level). This is shared between the Xcode-project source mode
+# and the Swift package manifest source mode.
+module PackageResolved
+  # Raised when a `Package.resolved` file exists but is not valid JSON.
+  class MalformedFileError < StandardError
+    attr_reader :path
+
+    def initialize(path, parse_message)
+      @path = path
+      super("Malformed Package.resolved at #{path}: #{parse_message}")
+    end
+  end
+
+  # Extract the resolved version (or revision, when no version is pinned) for
+  # every pin in a `Package.resolved` file.
+  #
+  # @param  [String] path The path to a `Package.resolved` file
+  # @raise [MalformedFileError] if the file is not valid JSON
+  # @return [Hash<String, String>] normalized repository URL => version or revision
+  def self.versions_from(path)
+    contents = load_contents(path)
+    pins = contents["pins"] || contents.dig("object", "pins") || []
+    pins.to_h { |pin|
+      [
+        GitOperations.trim_repo_url(pin["location"] || pin["repositoryURL"]),
+        pin.dig("state", "version") || pin.dig("state", "revision"),
+      ]
+    }
+  end
+
+  def self.load_contents(path)
+    JSON.load_file!(path)
+  rescue JSON::ParserError => error
+    raise(MalformedFileError.new(path, error.message))
+  end
+
+  private_class_method :load_contents
+end

data/lib/spm_version_updates/repository_link.rb

@@ -0,0 +1,112 @@
+# frozen_string_literal: true
+
+require "uri"
+
+# Parses supported git remote URLs and renders host-specific links.
+class RepositoryLink
+  HOSTS = {
+    "github.com" => {
+      path_normalizer: ->(segments) { segments.first(2).join("/") if segments.size >= 2 },
+      compare: ->(current, available) { "/compare/#{current}...#{available}" },
+      release: ["Releases", "/releases"]
+    },
+    "gitlab.com" => {
+      path_normalizer: ->(segments) { segments.join("/").sub(%r{/-/.*\z}, "").then { |path| path if path.count("/") >= 1 } },
+      compare: ->(current, available) { "/-/compare/#{current}...#{available}" },
+      release: ["Releases", "/-/releases"]
+    },
+    "bitbucket.org" => {
+      path_normalizer: ->(segments) { segments.first(2).join("/") if segments.size >= 2 },
+      compare: ->(current, available) { "/branches/compare/#{available}..#{current}" },
+      release: ["Tags", "/downloads/?tab=tags"]
+    }
+  }.freeze
+  SUPPORTED_HOSTS_PATTERN = Regexp.union(HOSTS.keys).source
+  REMOTE_PATTERNS = [
+    %r{\A(?:https?|git|ssh)://(?:[^@/\s]+@)?(?<host>#{SUPPORTED_HOSTS_PATTERN})(?::\d+)?/(?<path>.+)\z}i,
+    %r{\A(?:[^@/\s]+@)?(?<host>#{SUPPORTED_HOSTS_PATTERN})[:/](?<path>.+)\z}i,
+  ].freeze
+
+  private_constant :HOSTS,
+                   :SUPPORTED_HOSTS_PATTERN,
+                   :REMOTE_PATTERNS
+
+  def self.from(repository_url)
+    link = new(repository_url)
+    link if link.valid?
+  end
+
+  def initialize(repository_url)
+    @value = repository_url.to_s.strip
+    @host = nil
+    @raw_path = nil
+    @path = nil
+    configure_remote(remote_match)
+  end
+
+  def valid?
+    @host && @path
+  end
+
+  def compare_url(current, available)
+    current_ref = URI.encode_www_form_component(current.to_s)
+    available_ref = URI.encode_www_form_component(available.to_s)
+    "#{base_url}#{link_builder.fetch(:compare).call(current_ref, available_ref)}"
+  end
+
+  def release_link
+    label, path = link_builder.fetch(:release)
+    "[#{label}](#{base_url}#{path})"
+  end
+
+  def markdown_links(updates, separator: "<br>")
+    compare_links = updates.map.with_index(1) { |update, index|
+      label = updates.size == 1 ? "Compare" : "Compare #{index}"
+      "[#{label}](#{compare_url(update[:current], update[:available])})"
+    }
+    (compare_links + [release_link]).join(separator)
+  end
+
+  private
+
+  def remote_match
+    REMOTE_PATTERNS.each { |pattern|
+      match = @value.match(pattern)
+      return match if match
+    }
+
+    nil
+  end
+
+  def configure_remote(match)
+    return unless match
+
+    @host = match[:host].downcase
+    @raw_path = match[:path]
+    @path = normalized_path
+  end
+
+  def normalized_path
+    link_builder.fetch(:path_normalizer).call(path_segments)
+  end
+
+  def path_segments
+    @raw_path.to_s
+      .split(/[?#]/, 2)
+      .first
+      .to_s
+      .sub(%r{\A/+}, "")
+      .sub(%r{/+\z}, "")
+      .sub(/\.git\z/i, "")
+      .split("/")
+      .reject(&:empty?)
+  end
+
+  def base_url
+    "https://#{@host}/#{@path}"
+  end
+
+  def link_builder
+    HOSTS.fetch(@host)
+  end
+end

data/lib/spm_version_updates/repository_update_rules.rb

@@ -0,0 +1,222 @@
+# frozen_string_literal: true
+
+require "yaml"
+require_relative "git_operations"
+require_relative "semver"
+require_relative "update_severity"
+
+# Loads and evaluates per-repository semantic update suppression rules.
+class RepositoryUpdateRules
+  SEMANTIC_TYPES = ["version", "above_maximum"].freeze
+  SEVERITY_RANK = {
+    "patch" => 0,
+    "minor" => 1,
+    "major" => 2
+  }.freeze
+  YAML_KEYS = {
+    repositories: "repositories",
+    url: "url",
+    ignore_until: "ignore-until",
+    allowed_updates: "allowed-updates"
+  }.freeze
+  VALID_YAML_KEYS = {
+    root: [YAML_KEYS.fetch(:repositories)],
+    entry: YAML_KEYS.values_at(:url, :ignore_until, :allowed_updates)
+  }.freeze
+
+  # One normalized repository rule from repo-rules YAML.
+  Rule = Struct.new(:normalized_url, :ignore_until, :allowed_updates, keyword_init: true) {
+    def suppressed?(record)
+      return true if suppress_until_version?(record)
+      return true if suppress_disallowed_severity?(record)
+
+      false
+    end
+
+    private
+
+    def suppress_until_version?(record)
+      return false unless ignore_until
+
+      available = RepositoryUpdateRules.semver(RepositoryUpdateRules.record_value(record, "available_version"))
+      available && available < ignore_until
+    end
+
+    def suppress_disallowed_severity?(record)
+      return false unless allowed_updates
+
+      severity = UpdateSeverity.for_versions(
+        RepositoryUpdateRules.record_value(record, "current_version"),
+        RepositoryUpdateRules.record_value(record, "available_version")
+      )
+      severity && SEVERITY_RANK.fetch(severity) > SEVERITY_RANK.fetch(allowed_updates)
+    end
+  }
+  private_constant :Rule
+
+  def self.empty
+    new({})
+  end
+
+  def self.load_file(path)
+    path = validated_file_path(path)
+    yaml_config = YAML.safe_load_file(path, permitted_classes: [], permitted_symbols: [], aliases: false) || {}
+    from_hash(yaml_config, source: path)
+  rescue Psych::Exception => error
+    raise(ArgumentError, "repo-rules YAML is invalid in #{path}: #{error.message}")
+  end
+
+  def self.from_hash(config = {}, source: "repo rules", **keyword_config)
+    effective_config = keyword_config.empty? ? config : keyword_config
+    effective_config ||= {}
+    raise(ArgumentError, "#{source} must contain a YAML mapping") unless effective_config.kind_of?(Hash)
+
+    new(parse_repositories(repositories_from(effective_config, source), source))
+  end
+
+  def self.semver(value)
+    SpmVersionUpdates::Semver.new(value.to_s)
+  rescue ArgumentError
+    nil
+  end
+
+  def self.parse_repositories(repositories, source)
+    repositories.each_with_object({}).with_index(1) { |(entry, rules), index|
+      rule = parse_entry(entry, "#{source} repositories[#{index}]")
+      normalized_url = rule.normalized_url
+      raise(ArgumentError, "duplicate repo-rules entry for #{normalized_url}") if rules.key?(normalized_url)
+
+      rules[normalized_url] = rule
+    }
+  end
+
+  def self.parse_entry(entry, source)
+    string_keys = rule_entry_from(entry, source)
+    rule = rule_attributes(string_keys, source)
+
+    Rule.new(**rule)
+  end
+
+  def self.validated_file_path(path)
+    path = path.to_s.strip
+    raise(ArgumentError, "repo-rules-path was set but no file path was provided") if path.empty?
+    raise(ArgumentError, "repo-rules-path file does not exist: #{path}") unless File.file?(path)
+
+    path
+  end
+
+  def self.repositories_from(config, source)
+    string_keys = config.transform_keys(&:to_s)
+    validate_keys!(string_keys, VALID_YAML_KEYS.fetch(:root), "#{source} root")
+    repositories = string_keys.compact.fetch(yaml_key(:repositories), [])
+    raise(ArgumentError, "#{source} repositories must be a list") unless repositories.kind_of?(Array)
+
+    repositories
+  end
+
+  def self.rule_entry_from(entry, source)
+    raise(ArgumentError, "#{source} must be a mapping") unless entry.kind_of?(Hash)
+
+    entry.transform_keys(&:to_s).tap { |string_keys| validate_keys!(string_keys, VALID_YAML_KEYS.fetch(:entry), source) }
+  end
+
+  def self.rule_attributes(string_keys, source)
+    normalized_url = normalized_url_for(required_value(string_keys, yaml_key(:url), source))
+    ignore_until = parse_ignore_until(string_keys, source)
+    allowed_updates = parse_allowed_updates(string_keys, source)
+    raise(ArgumentError, "#{source} must set #{yaml_key(:ignore_until)} or #{yaml_key(:allowed_updates)}") unless ignore_until || allowed_updates
+
+    { normalized_url:, ignore_until:, allowed_updates: }
+  end
+
+  def self.validate_keys!(values, allowed, source)
+    unknown = values.keys - allowed
+    return if unknown.empty?
+
+    raise(ArgumentError, "#{source} contains unknown key(s): #{unknown.join(', ')}")
+  end
+
+  def self.required_value(values, key, source)
+    value = values[key].to_s.strip
+    raise(ArgumentError, "#{source} #{key} must be set") if value.empty?
+
+    value
+  end
+
+  def self.normalized_url_for(value)
+    normalized = GitOperations.trim_repo_url(value)
+    raise(ArgumentError, "repo-rules url must normalize to a repository URL") if normalized.empty?
+
+    normalized
+  end
+
+  def self.parse_ignore_until(values, source)
+    key = yaml_key(:ignore_until)
+    return unless values.key?(key)
+
+    semver(values[key].to_s.strip).tap { |version|
+      raise(ArgumentError, "#{source} #{key} must be a semantic version") unless version
+    }
+  end
+
+  def self.parse_allowed_updates(values, source)
+    key = yaml_key(:allowed_updates)
+    return unless values.key?(key)
+
+    value = values[key].to_s.strip.downcase
+    return value if SEVERITY_RANK.key?(value)
+
+    raise(ArgumentError, "#{source} #{key} must be patch, minor, or major")
+  end
+
+  def self.record_value(record, key)
+    record[key] || record[key.to_sym]
+  end
+
+  def self.yaml_key(name)
+    YAML_KEYS.fetch(name)
+  end
+
+  private_class_method(
+    :parse_repositories,
+    :parse_entry,
+    :validated_file_path,
+    :repositories_from,
+    :rule_entry_from,
+    :rule_attributes,
+    :validate_keys!,
+    :required_value,
+    :normalized_url_for,
+    :parse_ignore_until,
+    :parse_allowed_updates,
+    :yaml_key
+  )
+
+  def initialize(rules_by_repo)
+    @rules_by_repo = rules_by_repo
+  end
+
+  def empty?
+    @rules_by_repo.empty?
+  end
+
+  def suppressed?(record)
+    return false unless semantic_record?(record)
+
+    rule = @rules_by_repo[normalized_record_url(record)]
+    rule ? rule.suppressed?(record) : false
+  end
+
+  private
+
+  def semantic_record?(record)
+    SEMANTIC_TYPES.include?(self.class.record_value(record, "type").to_s)
+  end
+
+  def normalized_record_url(record)
+    rules = self.class
+    GitOperations.trim_repo_url(
+      rules.record_value(record, "normalized_url") || rules.record_value(record, "repository_url")
+    )
+  end
+end

data/lib/spm_version_updates/semver.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require "semverify"
+
+module SpmVersionUpdates
+  # SemVer value object used by both the GitHub Action and legacy Danger plugin.
+  class Semver
+    include Comparable
+
+    def self.normalize(value)
+      value.to_s
+        .sub(/\Av(?=\d)/, "")
+        .sub(/\A(\d+)\.(\d+)(?=\z|[-+])/, '\1.\2.0')
+    end
+
+    def initialize(value)
+      @version = Semverify::Semver.new(self.class.normalize(value))
+    rescue Semverify::Error => error
+      raise(ArgumentError, error.message)
+    end
+
+    def <=>(other)
+      semver_class = self.class
+      other_version = other.kind_of?(semver_class) ? other.version : semver_class.new(other).version
+      version <=> other_version
+    rescue ArgumentError
+      nil
+    end
+
+    def major
+      version.major.to_i
+    end
+
+    def minor
+      version.minor.to_i
+    end
+
+    def patch
+      version.patch.to_i
+    end
+
+    def pre
+      version.pre_release.to_s.then { |value| value.empty? ? nil : value }
+    end
+    alias pre_release pre
+
+    def to_s
+      version.to_s
+    end
+
+    protected
+
+    attr_reader :version
+  end
+end