spm_version_updates 1.1.1

data/lib/spm_version_updates/upgrade_suggestion.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+# Derives per-update upgrade guidance from a package's requirement kind and the
+# available version: the SwiftPM identity, a ready-to-run `swift package update`
+# command (manifest mode only), and the manifest requirement change needed when
+# the new version is outside the declared constraint. Shared between the GitHub
+# Action reporters and the Danger plugin.
+module UpgradeSuggestion
+  # SwiftPM's default package identity: the last path component of the
+  # repository URL, lowercased (the normalized URL already has no `.git`).
+  def self.identity(normalized_url)
+    normalized_url.to_s.split("/").last.to_s.downcase
+  end
+
+  # @param package [SpmPackageContext]
+  # @param available_version [#to_s] the version (or commit) being suggested
+  # @param type [Symbol] :version, :above_maximum, :branch, or :revision
+  # @return [Hash] package_identity / requirement_kind / suggested_command /
+  #   suggested_requirement, with inapplicable entries nil
+  def self.fields(package, available_version, type)
+    {
+      package_identity: identity(package.normalized_url),
+      requirement_kind: package.kind,
+      suggested_command: command(package),
+      suggested_requirement: requirement_change(package, available_version.to_s, type)
+    }
+  end
+
+  # `swift package update` only applies to Package.swift-managed dependencies
+  # (never Xcode projects, where source is nil) and cannot move a revision pin.
+  def self.command(package)
+    return nil unless package.source
+    return nil if package.kind == "revision"
+
+    "swift package update #{identity(package.normalized_url)}"
+  end
+
+  # The Package.swift requirement text needed before `swift package update` can
+  # reach the suggested version. In-range updates, branch pins, and revision
+  # pins need no manifest change.
+  def self.requirement_change(package, available, type)
+    return above_maximum_change(package, available) if type == :above_maximum
+
+    %(exact: "#{available}") if package.kind == "exactVersion"
+  end
+
+  def self.above_maximum_change(package, available)
+    case package.kind
+    when "exactVersion" then %(exact: "#{available}")
+    when "upToNextMajorVersion" then %(from: "#{available}")
+    when "upToNextMinorVersion" then %(.upToNextMinor(from: "#{available}"))
+    when "versionRange" then range_change(package.requirement, available)
+    end
+  end
+  private_class_method :above_maximum_change
+
+  def self.range_change(requirement, available)
+    major = available[/\A(\d+)/, 1]
+    %("#{requirement['minimumVersion']}"..<"#{major.to_i + 1}.0.0") if major
+  end
+  private_class_method :range_change
+end

data/lib/spm_version_updates/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module SpmVersionUpdates
+  VERSION = "1.1.1"
+end

data/lib/spm_version_updates/version_tag_fetcher.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+require_relative "git_operations"
+
+# Fetches git tag versions concurrently for cache-key/repository URL lookup pairs.
+class VersionTagFetcher
+  # Thread-safe result/error accumulator shared by fetcher workers.
+  FetchState = Struct.new(:mutex, :results, :errors, keyword_init: true) {
+    def self.build
+      new(mutex: Mutex.new, results: {}, errors: {})
+    end
+
+    def record_result(cache_key, versions)
+      mutex.synchronize { results[cache_key] = versions }
+    end
+
+    def record_error(cache_key, error)
+      mutex.synchronize { errors[cache_key] = error }
+    end
+  }
+  private_constant :FetchState
+
+  # Re-raises worker lookup failures as one combined git lookup error.
+  LookupErrors = Struct.new(:errors) {
+    def raise_error
+      first_error = errors.first
+
+      raise(combined_error(first_error), cause: first_error) if first_error.kind_of?(GitOperations::LsRemoteError)
+
+      raise(first_error)
+    end
+
+    private
+
+    def combined_error(first_error)
+      GitOperations::LsRemoteError.new(message).tap { |error| error.set_backtrace(first_error.backtrace) }
+    end
+
+    def message
+      errors.map(&:message).uniq.join("\n")
+    end
+  }
+  private_constant :LookupErrors
+
+  # Fetch all lookups, returning `[results, errors]`, both keyed by cache key.
+  #
+  # With `raise_on_error: true` (the default) any lookup failure is re-raised as
+  # one combined error after all workers finish; `errors` is then always empty.
+  # With `raise_on_error: false` failed lookups are returned in `errors` so the
+  # caller can degrade gracefully per package.
+  def self.call(lookups, worker_limit:, persistent_cache: nil, raise_on_error: true)
+    new(lookups, worker_limit, persistent_cache:, raise_on_error:).call
+  end
+
+  def initialize(lookups, worker_limit, persistent_cache: nil, raise_on_error: true)
+    @lookups = lookups
+    @worker_limit = worker_limit
+    @persistent_cache = persistent_cache
+    @raise_on_error = raise_on_error
+    @state = FetchState.build
+  end
+
+  def call
+    queue = build_queue
+    workers(queue).each(&:value)
+    errors = @state.errors
+    raise_lookup_error if @raise_on_error && !errors.empty?
+
+    [@state.results, errors]
+  end
+
+  private
+
+  def build_queue
+    Queue.new.tap { |queue| @lookups.each { |lookup| queue << lookup } }
+  end
+
+  def workers(queue)
+    Array.new(worker_count) { Thread.new { drain_queue(queue) } }
+  end
+
+  def worker_count
+    [@worker_limit, @lookups.size].min
+  end
+
+  def drain_queue(queue)
+    loop { fetch_lookup(queue) }
+  rescue ThreadError
+    nil
+  end
+
+  def fetch_lookup(queue)
+    cache_key, repository_url, persistent_cache_key = queue.pop(true)
+    @state.record_result(cache_key, versions_for(repository_url, persistent_cache_key))
+  rescue GitOperations::LsRemoteError => error
+    @state.record_error(cache_key, error)
+  end
+
+  def versions_for(repository_url, persistent_cache_key)
+    cached_versions = @persistent_cache&.read(persistent_cache_key)
+    return cached_versions if cached_versions
+
+    GitOperations.version_tags(repository_url)
+      .tap { |versions| @persistent_cache&.write(persistent_cache_key, versions) }
+  end
+
+  def raise_lookup_error
+    LookupErrors.new(@state.errors.values).raise_error
+  end
+end

data/lib/spm_version_updates/version_tags_persistent_cache.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+require "digest"
+require "fileutils"
+require "json"
+require "time"
+require_relative "credential_redactor"
+require_relative "semver"
+
+# Persistent on-disk cache for successful git tag lookups restored by actions/cache.
+class VersionTagsPersistentCache
+  DEFAULT_TTL_SECONDS = 21_600
+  SCHEMA_VERSION = 1
+
+  def self.cache_key(normalized_url, repository_url)
+    Digest::SHA256.hexdigest("#{normalized_url}\n#{CredentialRedactor.redact(repository_url)}")
+  end
+
+  def initialize(directory:, ttl_seconds:, clock: -> { Time.now.utc })
+    @directory = directory.to_s
+    @ttl_seconds = ttl_seconds.to_i
+    @clock = clock
+  end
+
+  def enabled?
+    !@directory.empty? && @ttl_seconds.positive?
+  end
+
+  def read(cache_key)
+    return nil unless enabled?
+
+    record = read_record(cache_key)
+    return nil unless fresh_record?(record)
+
+    versions_from(record)
+  end
+
+  def write(cache_key, versions)
+    return unless enabled?
+
+    write_record(cache_key, versions)
+  rescue StandardError => error
+    warn("Failed to write to persistent cache: #{error.message}")
+  end
+
+  private
+
+  def write_record(cache_key, versions)
+    temp = temp_path(cache_key)
+    FileUtils.mkdir_p(@directory)
+    File.write(temp, JSON.pretty_generate(record_for(versions)))
+    File.rename(temp, path_for(cache_key))
+  ensure
+    FileUtils.rm_f(temp) if temp
+  end
+
+  def read_record(cache_key)
+    JSON.parse(File.read(path_for(cache_key)))
+  rescue Errno::ENOENT, JSON::ParserError
+    nil
+  end
+
+  def fresh_record?(record)
+    return false unless record && record["schema_version"] == SCHEMA_VERSION
+
+    fetched_at = Time.iso8601(record.fetch("fetched_at"))
+    (@clock.call - fetched_at) <= @ttl_seconds
+  rescue StandardError
+    false
+  end
+
+  def versions_from(record)
+    Array(record["tags"]).filter_map { |tag|
+      begin
+        SpmVersionUpdates::Semver.new(tag)
+      rescue ArgumentError
+        nil
+      end
+    }
+      .sort
+      .reverse
+  end
+
+  def record_for(versions)
+    {
+      "schema_version" => SCHEMA_VERSION,
+      "fetched_at" => @clock.call.iso8601,
+      "tags" => versions.map(&:to_s)
+    }
+  end
+
+  def path_for(cache_key)
+    File.join(@directory, "#{cache_key}.json")
+  end
+
+  def temp_path(cache_key)
+    "#{path_for(cache_key)}.#{Process.pid}-#{Thread.current.object_id.abs}.tmp"
+  end
+end

data/lib/spm_version_updates/xcode_parser.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require_relative "git_operations"
+require_relative "package_resolved"
+require_relative "xcode_project_package_reader"
+
+# Xcode project and Package.resolved parsing (migrated from xcode.rb)
+module XcodeParser
+  # Find the configured SPM dependencies in the xcodeproj.
+  #
+  # Keyed by the normalized repository URL (used to match against
+  # `Package.resolved` pins and `ignore-repos`), while the original,
+  # scheme-bearing `repository_url` is retained for git operations.
+  #
+  # @param   [String] xcodeproj_path The path of the Xcode project
+  # @return [Hash<String, Hash>] normalized URL => { "repository_url", "requirement" }
+  def self.get_packages(xcodeproj_path)
+    raise(XcodeprojPathMustBeSet) if xcodeproj_path.nil? || xcodeproj_path.empty?
+
+    XcodeProjectPackageReader.package_references(xcodeproj_path).to_h { |package|
+      repository_url = package.repository_url
+      [
+        GitOperations.trim_repo_url(repository_url),
+        { "repository_url" => repository_url, "requirement" => package.requirement },
+      ]
+    }
+  end
+
+  # Extracts resolved versions from Package.resolved relative to an Xcode project.
+  # When a block is given, malformed resolved files are reported to it as
+  # `(resolved_path, error)` and skipped; without a block the error is raised.
+  # @param   [String] xcodeproj_path The path to your Xcode project
+  # @raise [CouldNotFindResolvedFile] if no Package.resolved files were found
+  # @raise [PackageResolved::MalformedFileError] if a resolved file is invalid JSON and no block is given
+  # @return [Hash<String, String>]
+  def self.get_resolved_versions(xcodeproj_path)
+    resolved_paths = find_packages_resolved_file(xcodeproj_path)
+    raise(CouldNotFindResolvedFile) if resolved_paths.empty?
+
+    resolved_paths.each_with_object({}) { |resolved_path, pins|
+      begin
+        pins.merge!(PackageResolved.versions_from(resolved_path))
+      rescue PackageResolved::MalformedFileError => error
+        raise unless block_given?
+
+        yield(resolved_path, error)
+      end
+    }
+  end
+
+  # Find the Packages.resolved file
+  # @return [Array<String>]
+  def self.find_packages_resolved_file(xcodeproj_path)
+    checked = XcodeProjectPackageReader.package_resolved_candidate_paths(xcodeproj_path)
+    locations = checked.select { |path| File.exist?(path) }
+
+    puts("Checked Package.resolved paths: #{checked}")
+    puts("Found Package.resolved paths: #{locations}")
+    locations
+  end
+
+  private_class_method :find_packages_resolved_file
+
+  # Raised when Xcode project mode is invoked without a project path.
+  class XcodeprojPathMustBeSet < StandardError
+  end
+
+  # Raised when an Xcode project does not have a Package.resolved file.
+  class CouldNotFindResolvedFile < StandardError
+  end
+end

data/lib/spm_version_updates/xcode_project_package_reader.rb

@@ -0,0 +1,132 @@
+# frozen_string_literal: true
+
+autoload :Xcodeproj, "xcodeproj"
+
+# Reads Swift package references and adjacent Package.resolved locations for an
+# Xcode project without requiring Xcode to be installed.
+module XcodeProjectPackageReader
+  # Lightweight package reference read from either project objects or pbxproj data.
+  PackageReference = Struct.new(:repository_url, :requirement, keyword_init: true)
+
+  # Builds the lightweight pbxproj parser fallback error list without triggering autoloads.
+  module PbxprojFallbackErrors
+    def self.to_a
+      [
+        SystemCallError,
+        IOError,
+        loaded_nested_constant(:Xcodeproj, :Informative),
+        loaded_nested_constant(:Nanaimo, :Error),
+        loaded_nested_constant(:CFPropertyList, :CFPlistError),
+      ].compact
+    end
+
+    def self.loaded_nested_constant(parent_name, child_name)
+      parent = loaded_constant(Object, parent_name)
+      loaded_constant(parent, child_name) if parent
+    end
+
+    def self.loaded_constant(namespace, name)
+      return unless namespace.kind_of?(Module)
+      return if namespace.autoload?(name)
+      return unless namespace.const_defined?(name, false)
+
+      namespace.const_get(name, false)
+    end
+  end
+
+  private_constant :PackageReference, :PbxprojFallbackErrors
+
+  def self.package_references(xcodeproj_path)
+    package_references_from_pbxproj(xcodeproj_path) || package_references_from_project(xcodeproj_path)
+  end
+
+  def self.package_resolved_candidate_paths(xcodeproj_path)
+    [
+      workspace_resolved_path(xcodeproj_path),
+      File.join(xcodeproj_path, "project.xcworkspace", "xcshareddata", "swiftpm", "Package.resolved"),
+    ].compact
+  end
+
+  def self.package_references_from_pbxproj(xcodeproj_path)
+    read_existing_pbxproj(xcodeproj_path)
+  rescue *PbxprojFallbackErrors.to_a => error
+    warn(pbxproj_fallback_message(pbxproj_path_for(xcodeproj_path), error))
+    nil
+  end
+
+  def self.read_existing_pbxproj(xcodeproj_path)
+    pbxproj_path = existing_pbxproj_path(xcodeproj_path)
+    return unless pbxproj_path
+
+    package_references_from_pbxproj_objects(pbxproj_objects(pbxproj_path))
+  end
+
+  def self.existing_pbxproj_path(xcodeproj_path)
+    pbxproj_path = pbxproj_path_for(xcodeproj_path)
+    pbxproj_path if File.file?(pbxproj_path)
+  end
+
+  def self.pbxproj_fallback_message(pbxproj_path, error)
+    "WARNING: Could not read #{pbxproj_path} with the lightweight pbxproj parser " \
+      "(#{error.class}: #{error.message}); falling back to full Xcode project parsing."
+  end
+
+  def self.pbxproj_path_for(xcodeproj_path)
+    File.join(xcodeproj_path, "project.pbxproj")
+  end
+
+  def self.pbxproj_objects(pbxproj_path)
+    Xcodeproj::Plist.read_from_path(pbxproj_path).fetch("objects", {}).values
+  end
+
+  def self.package_references_from_pbxproj_objects(objects)
+    objects.filter_map { |object| package_reference_from_plist_object(object) }
+  end
+
+  def self.package_reference_from_plist_object(object)
+    return unless object["isa"] == "XCRemoteSwiftPackageReference"
+
+    repository_url = object["repositoryURL"]
+    return if repository_url.to_s.strip.empty?
+
+    PackageReference.new(repository_url:, requirement: object["requirement"])
+  end
+
+  def self.package_references_from_project(xcodeproj_path)
+    package_references_from_project_objects(Xcodeproj::Project.open(xcodeproj_path).objects)
+  end
+
+  def self.package_references_from_project_objects(objects)
+    objects.filter_map { |object| package_reference_from_project_object(object) }
+  end
+
+  def self.package_reference_from_project_object(object)
+    return unless object.kind_of?(Xcodeproj::Project::Object::XCRemoteSwiftPackageReference)
+
+    repository_url = object.repositoryURL
+    return if repository_url.to_s.strip.empty?
+
+    PackageReference.new(repository_url:, requirement: object.requirement)
+  end
+
+  def self.workspace_resolved_path(xcodeproj_path)
+    path = xcodeproj_path.to_s.sub(%r{/+\z}, "")
+    return unless path.end_with?(".xcodeproj")
+
+    workspace = path.sub(/\.xcodeproj\z/, ".xcworkspace")
+    File.join(workspace, "xcshareddata", "swiftpm", "Package.resolved")
+  end
+
+  private_class_method :package_references_from_pbxproj,
+                       :read_existing_pbxproj,
+                       :existing_pbxproj_path,
+                       :pbxproj_fallback_message,
+                       :pbxproj_path_for,
+                       :pbxproj_objects,
+                       :package_references_from_pbxproj_objects,
+                       :package_reference_from_plist_object,
+                       :package_references_from_project,
+                       :package_references_from_project_objects,
+                       :package_reference_from_project_object,
+                       :workspace_resolved_path
+end

data/lib/spm_version_updates.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require_relative "spm_version_updates/allow_host_normalizer"
+require_relative "spm_version_updates/credential_redactor"
+require_relative "spm_version_updates/fail_on_threshold"
+require_relative "spm_version_updates/git_host_normalizer"
+require_relative "spm_version_updates/git_operations"
+require_relative "spm_version_updates/manifest_parser"
+require_relative "spm_version_updates/package_resolved"
+require_relative "spm_version_updates/repository_link"
+require_relative "spm_version_updates/repository_update_rules"
+require_relative "spm_version_updates/semver"
+require_relative "spm_version_updates/spm_checker"
+require_relative "spm_version_updates/spm_package_context"
+require_relative "spm_version_updates/update_severity"
+require_relative "spm_version_updates/upgrade_suggestion"
+require_relative "spm_version_updates/version"
+require_relative "spm_version_updates/version_tag_fetcher"
+require_relative "spm_version_updates/version_tags_persistent_cache"
+require_relative "spm_version_updates/xcode_parser"
+require_relative "spm_version_updates/xcode_project_package_reader"

data/spm_version_updates.gemspec

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+lib = File.expand_path("lib", __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "spm_version_updates/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "spm_version_updates"
+  spec.version       = SpmVersionUpdates::VERSION
+  spec.authors       = ["Harold Martin"]
+  spec.email         = ["harold.martin@gmail.com"]
+  spec.description   = "Detect available updates to Swift Package Manager dependencies " \
+                       "from Package.swift manifests or Xcode projects."
+  spec.summary       = "Core library for checking Swift Package Manager dependency updates."
+  spec.homepage      = "https://github.com/hbmartin/github-action-spm_version_updates"
+  spec.license       = "MIT"
+  spec.required_ruby_version = ">= 3.2"
+
+  release_paths = [
+    "LICENSE.txt",
+    "README.md",
+    "spm_version_updates.gemspec",
+  ]
+  spec.files = begin
+    git_files = begin
+      IO.popen(
+        ["git", "-C", __dir__, "ls-files", "-z", "lib", *release_paths],
+        err: File::NULL,
+        &:read
+      )
+        .split("\x0")
+        .reject(&:empty?)
+    rescue Errno::ENOENT
+      []
+    end
+    fallback_files = Dir.glob(["lib/**/*", *release_paths], base: __dir__)
+      .select { |path| File.file?(File.join(__dir__, path)) }
+    (git_files.empty? ? fallback_files : git_files).sort
+  end
+  spec.require_paths = ["lib"]
+  spec.metadata["rubygems_mfa_required"] = "true"
+
+  spec.add_runtime_dependency("semverify", "~> 0.3")
+  # Xcode-project mode additionally requires the "xcodeproj" gem (loaded
+  # lazily); manifest mode works without it.
+end

metadata

@@ -0,0 +1,79 @@
+--- !ruby/object:Gem::Specification
+name: spm_version_updates
+version: !ruby/object:Gem::Version
+  version: 1.1.1
+platform: ruby
+authors:
+- Harold Martin
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: semverify
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.3'
+description: Detect available updates to Swift Package Manager dependencies from Package.swift
+  manifests or Xcode projects.
+email:
+- harold.martin@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE.txt
+- README.md
+- lib/spm_version_updates.rb
+- lib/spm_version_updates/allow_host_normalizer.rb
+- lib/spm_version_updates/credential_redactor.rb
+- lib/spm_version_updates/fail_on_threshold.rb
+- lib/spm_version_updates/git_host_normalizer.rb
+- lib/spm_version_updates/git_operations.rb
+- lib/spm_version_updates/manifest_parser.rb
+- lib/spm_version_updates/package_resolved.rb
+- lib/spm_version_updates/repository_link.rb
+- lib/spm_version_updates/repository_update_rules.rb
+- lib/spm_version_updates/semver.rb
+- lib/spm_version_updates/spm_checker.rb
+- lib/spm_version_updates/spm_package_context.rb
+- lib/spm_version_updates/update_severity.rb
+- lib/spm_version_updates/upgrade_suggestion.rb
+- lib/spm_version_updates/version.rb
+- lib/spm_version_updates/version_tag_fetcher.rb
+- lib/spm_version_updates/version_tags_persistent_cache.rb
+- lib/spm_version_updates/xcode_parser.rb
+- lib/spm_version_updates/xcode_project_package_reader.rb
+- spm_version_updates.gemspec
+homepage: https://github.com/hbmartin/github-action-spm_version_updates
+licenses:
+- MIT
+metadata:
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 4.0.10
+specification_version: 4
+summary: Core library for checking Swift Package Manager dependency updates.
+test_files: []