npm - @paklo/runner - Versions diffs - 0.1.0 - Mend

@paklo/runner 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/LICENSE +21 -0
package/dist/index.d.ts +167 -0
package/dist/index.js +49 -0
package/dist/index.js.map +1 -0
package/dist/job-runner-BUl_fCJS.js +770 -0
package/dist/job-runner-BUl_fCJS.js.map +1 -0
package/dist/local/azure.d.ts +53 -0
package/dist/local/azure.js +424 -0
package/dist/local/azure.js.map +1 -0
package/dist/local/index.d.ts +2 -0
package/dist/local/index.js +4 -0
package/dist/logger-Bekleunx.js +3 -0
package/dist/server-Dcc7bD60.js +203 -0
package/dist/server-Dcc7bD60.js.map +1 -0
package/dist/server-Ri18zAcc.d.ts +229 -0
package/package.json +66 -0

package/dist/job-runner-BUl_fCJS.js ADDED Viewed

@@ -0,0 +1,770 @@
+import { t as logger } from "./logger-Bekleunx.js";
+import { DependabotCredentialSchema, DependabotJobConfigSchema } from "@paklo/core/dependabot";
+import { HEADER_NAME_AUTHORIZATION, HttpRequestError, InnerApiClient, isErrorTemporaryFailure } from "@paklo/core/http";
+import Docker from "dockerode";
+import { pack } from "tar-stream";
+import stream, { Readable } from "node:stream";
+import crypto from "node:crypto";
+import os from "node:os";
+import { readFile } from "node:fs/promises";
+//#region src/api-client.ts
+var JobDetailsFetchingError = class extends Error {};
+var CredentialFetchingError = class extends Error {};
+var ApiClient = class {
+	jobToken;
+	constructor(client, params, jobToken, credentialsToken, secretMasker) {
+		this.client = client;
+		this.params = params;
+		this.credentialsToken = credentialsToken;
+		this.secretMasker = secretMasker;
+		this.jobToken = jobToken;
+	}
+	UnknownSha = { "base-commit-sha": "unknown" };
+	getJobToken() {
+		return this.jobToken;
+	}
+	async getJobDetails() {
+		try {
+			const res = await this.getWithRetry(`/update_jobs/${this.params.jobId}/details`, this.jobToken, { schema: DependabotJobConfigSchema });
+			if (res.status !== 200) throw new JobDetailsFetchingError(`fetching job details: unexpected status code: ${res.status}: ${JSON.stringify(res.error)}`);
+			if (!res.data) throw new JobDetailsFetchingError(`fetching job details: missing response`);
+			return res.data;
+		} catch (error) {
+			if (error instanceof JobDetailsFetchingError) throw error;
+			else if (error instanceof HttpRequestError) throw new JobDetailsFetchingError(`fetching job details: unexpected status code: ${error.code}: ${error.message}`);
+			else if (error instanceof Error) throw new JobDetailsFetchingError(`fetching job details: ${error.name}: ${error.message}`);
+			throw error;
+		}
+	}
+	async getCredentials() {
+		try {
+			const res = await this.getWithRetry(`/update_jobs/${this.params.jobId}/credentials`, this.credentialsToken, { schema: DependabotCredentialSchema.array() });
+			if (res.status !== 200) throw new CredentialFetchingError(`fetching credentials: unexpected status code: ${res.status}: ${JSON.stringify(res.error)}`);
+			if (!res.data) throw new CredentialFetchingError(`fetching credentials: missing response`);
+			for (const credential of res.data) {
+				if (credential.password) this.secretMasker(credential.password);
+				if (credential.token) this.secretMasker(credential.token);
+				if (credential["auth-key"]) this.secretMasker(credential["auth-key"]);
+			}
+			return res.data;
+		} catch (error) {
+			if (error instanceof CredentialFetchingError) throw error;
+			else if (error instanceof HttpRequestError) throw new CredentialFetchingError(`fetching credentials: unexpected status code: ${error.code}: ${error.message}`);
+			else if (error instanceof Error) throw new CredentialFetchingError(`fetching credentials: ${error.name}: ${error.message}`);
+			throw error;
+		}
+	}
+	async reportJobError(error) {
+		const res = await this.client.post(`/update_jobs/${this.params.jobId}/record_update_job_error`, {
+			payload: error,
+			headers: { [HEADER_NAME_AUTHORIZATION]: this.jobToken }
+		});
+		if (res.status !== 204) throw new Error(`Unexpected status code: ${res.status}`);
+	}
+	async markJobAsProcessed() {
+		const res = await this.client.patch(`/update_jobs/${this.params.jobId}/mark_as_processed`, {
+			payload: this.UnknownSha,
+			headers: { [HEADER_NAME_AUTHORIZATION]: this.jobToken }
+		});
+		if (res.status !== 204) throw new Error(`Unexpected status code: ${res.status}`);
+	}
+	async sendMetrics(name, metricType, value, additionalTags = {}) {
+		try {
+			await this.reportMetrics([{
+				metric: `dependabot.action.${name}`,
+				type: metricType,
+				value,
+				tags: additionalTags
+			}]);
+			logger.info(`Successfully sent metric (dependabot.action.${name}) to remote API endpoint`);
+		} catch (error) {
+			logger.warn(`Metrics reporting failed: ${error.message}`);
+		}
+	}
+	async reportMetrics(metrics) {
+		const res = await this.client.post(`/update_jobs/${this.params.jobId}/record_metrics`, {
+			payload: { data: metrics },
+			headers: { [HEADER_NAME_AUTHORIZATION]: this.jobToken }
+		});
+		if (res.status !== 204) throw new Error(`Unexpected status code: ${res.status}`);
+	}
+	async getWithRetry(url, token, options) {
+		let attempt = 1;
+		const delayMs = 1e3 * 2 ** attempt;
+		const execute = async () => {
+			try {
+				const res = await this.client.get(url, {
+					headers: { Authorization: token },
+					...options
+				});
+				const { status, statusText } = res;
+				if (status < 200 || status > 299) throw new HttpRequestError(`HTTP GET '${url}' failed: ${status} ${statusText}`, status);
+				return res;
+			} catch (e) {
+				const error = e;
+				if (isErrorTemporaryFailure(error)) {
+					if (attempt >= 3) throw error;
+					logger.warn(`Retrying failed request in ${delayMs}ms...`);
+					await new Promise((resolve) => setTimeout(resolve, delayMs));
+					attempt++;
+					return execute();
+				}
+				throw error;
+			}
+		};
+		return execute();
+	}
+};
+//#endregion
+//#region ../../dependabot-action/docker/containers.json
+var proxy = "ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:v2.0.20251015175503@sha256:d40c689e947e78ecdaccb3da1d070a458b7f1d1cfb3052cf5751e43583d89560";
+var containers_default = {
+	proxy,
+	bundler: "ghcr.io/dependabot/dependabot-updater-bundler:v2.0.20250916161401@sha256:cb1b48a4e2862bd9a2ebb1bb7f2eb1b28bd0099060925951618e07a96c191e5c",
+	cargo: "ghcr.io/dependabot/dependabot-updater-cargo:v2.0.20250916161401@sha256:dc8823384d8fd864f8b7867b553df3489b658b236e9bbfad49606c819d9bc450",
+	composer: "ghcr.io/dependabot/dependabot-updater-composer:v2.0.20250916161401@sha256:9d9304ed225f1ed0614d55d1c10398c93476cff6e295bb912816ed323d5ad0d0",
+	pub: "ghcr.io/dependabot/dependabot-updater-pub:v2.0.20250916161401@sha256:2955d6f1d77cc9ca12cf8e2fa5c919b3d5a79c403a2aad94550f2955e233a0c4",
+	docker: "ghcr.io/dependabot/dependabot-updater-docker:v2.0.20250916161401@sha256:411a5eb299308037ec396b51b0ecdb7f4ee3deeeb392202becc1a333a6dbab25",
+	elm: "ghcr.io/dependabot/dependabot-updater-elm:v2.0.20250916161401@sha256:67924991be2870fc9cf26bcb031146a46e4b9812173000b4e45acdb929fd0085",
+	github_actions: "ghcr.io/dependabot/dependabot-updater-github-actions:v2.0.20250916161401@sha256:675a96888497d8b47328ede0f2163722a90b901c7116e719830573c64b8c2465",
+	submodules: "ghcr.io/dependabot/dependabot-updater-gitsubmodule:v2.0.20250916161401@sha256:deae36a972cfc284dde6e8b6a923dbb81bc794b8c8a67ea652dcf7e71caab710",
+	go_modules: "ghcr.io/dependabot/dependabot-updater-gomod:v2.0.20250916161401@sha256:21bbf01be40bd53ccc6efd137aa309a1b895dcfab4eb62d85611d94806db8b58",
+	gradle: "ghcr.io/dependabot/dependabot-updater-gradle:v2.0.20250916161401@sha256:7482ff1cb4cf222a2a96741c8c506609eedc93f0e4cd7c38fe73e4a804413134",
+	maven: "ghcr.io/dependabot/dependabot-updater-maven:v2.0.20250916161401@sha256:b444c349e9ae8ec3bec9eef411ea830e8fa168c9ee0397e8c86eb140ea933167",
+	hex: "ghcr.io/dependabot/dependabot-updater-mix:v2.0.20250916161401@sha256:32b74d14082a0b89c9d8bcdde92a3d2b18f5798b6d9bcf2080855373c3f45c1f",
+	nuget: "ghcr.io/dependabot/dependabot-updater-nuget:v2.0.20250916161401@sha256:9fb516772dffa7a014c20a8dde909ccb25a323d7039a58346401a4500ce64657",
+	npm_and_yarn: "ghcr.io/dependabot/dependabot-updater-npm:v2.0.20250916161401@sha256:7d13ce84d26210659dbb5fd4b9c0d72b34786ca02063737cba5d228ad55af273",
+	pip: "ghcr.io/dependabot/dependabot-updater-pip:v2.0.20250916161401@sha256:a05999d53df5ea7141aafde806bd7e1a25dc23087528aea0b482a86363956937",
+	rust_toolchain: "ghcr.io/dependabot/dependabot-updater-rust-toolchain:v2.0.20250916161401@sha256:1688181ea18f1736ff80e6fe9bb17de3508b3ea890c20493e82cd9a68f6a5387",
+	swift: "ghcr.io/dependabot/dependabot-updater-swift:v2.0.20250916161401@sha256:622971aba7877711401d021bc0ecfeb98cbd39767b0c45dcf150b86536968743",
+	terraform: "ghcr.io/dependabot/dependabot-updater-terraform:v2.0.20250916161401@sha256:82c7cef04f54a20a6c47426f9ff48b7767757e715db5fa0a1b0357ced50bbf6c",
+	devcontainers: "ghcr.io/dependabot/dependabot-updater-devcontainers:v2.0.20250916161401@sha256:5691a9bec5b9c91879318323ed53d22d7c73c540376bb2e0d74704e9651e9897",
+	dotnet_sdk: "ghcr.io/dependabot/dependabot-updater-dotnet-sdk:v2.0.20250916161401@sha256:10febb67dbcdf4e50985412d65e1fd4a364f7402e184cfcd67b63d295a6c4e80",
+	bun: "ghcr.io/dependabot/dependabot-updater-bun:v2.0.20250915234339@sha256:fba1acd818ca0101f71ba34f04c8b7c36abf8e63de5feb05037b42f6406950fa",
+	docker_compose: "ghcr.io/dependabot/dependabot-updater-docker-compose:v2.0.20250916161401@sha256:a0fc653bedf0e600d85a3f7bc0eee7ec7bee99f6875d4faf6e30e2c69ea36dbe",
+	uv: "ghcr.io/dependabot/dependabot-updater-uv:v2.0.20250916161401@sha256:441fe91d1ed3ba9c148abe5dc3a3d83f12805326da5c037d76b86695c247c1cb",
+	vcpkg: "ghcr.io/dependabot/dependabot-updater-vcpkg:v2.0.20250916161401@sha256:40355d74ad784932730577475faee9f21ef863c3cec7b7d2817cc5621f3b1dd7",
+	helm: "ghcr.io/dependabot/dependabot-updater-helm:v2.0.20250916161401@sha256:42fe3e7a6bac84271dec7ec41ac0067ff7d1cffb8e5f63dbe5eec849b5bc433b"
+};
+//#endregion
+//#region src/docker-tags.ts
+const PROXY_IMAGE_NAME = proxy;
+function updaterImageName(packageManager) {
+	return containers_default[packageManager];
+}
+const updaterRegex = /ghcr.io\/dependabot\/dependabot-updater-([\w+])/;
+function updaterImages() {
+	return Object.values(containers_default).filter((image) => image.match(updaterRegex));
+}
+const imageNamePattern = "^(?<repository>(([a-zA-Z0-9._-]+([:[0-9]+[^/]))?([a-zA-Z0-9._/-]+)?))(:[a-zA-Z0-9._/-]+)?(?<digest>@sha256:[a-zA-Z0-9]{64})?$";
+function repositoryName(imageName) {
+	const match = imageName.match(imageNamePattern);
+	if (match?.groups) return match.groups.repository;
+	else throw Error("invalid image name");
+}
+function hasDigest(imageName) {
+	const match = imageName.match(imageNamePattern);
+	if (match?.groups) {
+		if (match?.groups.digest) return true;
+		return false;
+	} else throw Error("invalid image name");
+}
+function digestName(imageName) {
+	const match = imageName.match(imageNamePattern);
+	if (match?.groups) return match.groups.repository + match.groups.digest;
+	else throw Error("invalid image name");
+}
+//#endregion
+//#region src/utils.ts
+const outStream = (prefix) => {
+	return new stream.Writable({ write(chunk, _, next) {
+		process.stderr.write(`${prefix} | ${chunk.toString()}`);
+		next();
+	} });
+};
+const errStream = (prefix) => {
+	return new stream.Writable({ write(chunk, _, next) {
+		process.stderr.write(`${prefix} | ${chunk.toString()}`);
+		next();
+	} });
+};
+//#endregion
+//#region src/container-service.ts
+var ContainerRuntimeError = class extends Error {};
+const RWX_ALL = 511;
+const ContainerService = {
+	async storeInput(name, path, container, input) {
+		const tar = pack();
+		tar.entry({
+			name,
+			mode: RWX_ALL
+		}, JSON.stringify(input));
+		tar.finalize();
+		await container.putArchive(tar, { path });
+	},
+	async storeCert(name, path, container, cert) {
+		const tar = pack();
+		tar.entry({ name }, cert);
+		tar.finalize();
+		await container.putArchive(tar, { path });
+	},
+	async run(container, command) {
+		try {
+			await container.start();
+			logger.info(`Started container ${container.id}`);
+			if ((await container.inspect()).Config?.Env?.some((env) => env.startsWith("DEPENDABOT_JOB_ID="))) {
+				await this.execCommand(container, ["/usr/sbin/update-ca-certificates"], "root");
+				const dependabotCommands = ["mkdir -p /home/dependabot/dependabot-updater/output", "$DEPENDABOT_HOME/dependabot-updater/bin/run fetch_files"];
+				if (command === "graph") dependabotCommands.push("$DEPENDABOT_HOME/dependabot-updater/bin/run update_graph");
+				else dependabotCommands.push("$DEPENDABOT_HOME/dependabot-updater/bin/run update_files");
+				for (const cmd of dependabotCommands) await this.execCommand(container, [
+					"/bin/sh",
+					"-c",
+					cmd
+				], "dependabot");
+			} else {
+				const outcome = await container.wait();
+				if (outcome.StatusCode !== 0) throw new Error(`Container exited with code ${outcome.StatusCode}`);
+			}
+			return true;
+		} catch (error) {
+			logger.info(`Failure running container ${container.id}: ${error}`);
+			throw new ContainerRuntimeError("The updater encountered one or more errors.");
+		} finally {
+			try {
+				await container.remove({
+					v: true,
+					force: true
+				});
+				logger.info(`Cleaned up container ${container.id}`);
+			} catch (error) {
+				logger.info(`Failed to clean up container ${container.id}: ${error}`);
+			}
+		}
+	},
+	async execCommand(container, cmd, user) {
+		const exec = await container.exec({
+			Cmd: cmd,
+			User: user,
+			AttachStdout: true,
+			AttachStderr: true
+		});
+		const stream$1 = await exec.start({});
+		await new Promise((resolve, reject) => {
+			container.modem.demuxStream(stream$1, outStream("updater"), errStream("updater"));
+			stream$1.on("end", () => {
+				resolve();
+			});
+			stream$1.on("error", (error) => {
+				reject(error);
+			});
+		});
+		await new Promise((resolve) => setTimeout(resolve, 100));
+		const inspection = await exec.inspect();
+		if (inspection.ExitCode !== 0) throw new Error(`Command failed with exit code ${inspection.ExitCode}: ${cmd.join(" ")}`);
+	}
+};
+//#endregion
+//#region src/image-service.ts
+const MAX_RETRIES = 5;
+const INITIAL_DELAY_MS = 2e3;
+const sleep = async (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+const endOfStream = async (docker$1, stream$1) => {
+	return new Promise((resolve, reject) => {
+		docker$1.modem.followProgress(stream$1, (err) => err ? reject(err) : resolve(void 0));
+	});
+};
+function getOrgFromImage(imageName) {
+	const parts = imageName.split("/");
+	if (parts.length >= 3 && parts[0] === "ghcr.io") return parts[1];
+	return "unknown";
+}
+/** Fetch the configured updater image, if it isn't already available. */
+const ImageService = {
+	async pull(imageName, sendMetric, force = false) {
+		if (!(imageName.startsWith("ghcr.io/") || imageName.startsWith("docker.pkg.github.com/"))) throw new Error("Only images distributed via docker.pkg.github.com or ghcr.io can be fetched");
+		const docker$1 = new Docker();
+		const org = getOrgFromImage(imageName);
+		try {
+			const image = await docker$1.getImage(imageName).inspect();
+			if (!force) {
+				logger.info(`Resolved ${imageName} to existing ${image.RepoDigests}`);
+				return;
+			}
+		} catch (e) {
+			if (e instanceof Error && !e.message.includes("no such image")) throw e;
+		}
+		await this.fetchImageWithRetry(imageName, {}, docker$1, sendMetric, org);
+	},
+	async fetchImageWithRetry(imageName, auth = {}, docker$1 = new Docker(), sendMetric, org) {
+		let attempt = 0;
+		while (attempt < MAX_RETRIES) try {
+			logger.info(`Pulling image ${imageName} (attempt ${attempt + 1})...`);
+			if (sendMetric) await sendMetric("ghcr_image_pull", "increment", 1, { org });
+			const stream$1 = await docker$1.pull(imageName, { authconfig: auth });
+			await endOfStream(docker$1, new Readable().wrap(stream$1));
+			logger.info(`Pulled image ${imageName}`);
+			return;
+		} catch (error) {
+			if (!(error instanceof Error)) throw error;
+			if (error.message.includes("429 Too Many Requests") || error.message.toLowerCase().includes("too many requests")) {
+				attempt++;
+				if (attempt >= MAX_RETRIES) {
+					logger.error(`Failed to pull image ${imageName} after ${MAX_RETRIES} attempts.`);
+					throw error;
+				}
+				const baseDelay = INITIAL_DELAY_MS * Math.pow(2, attempt);
+				const jitter = Math.random() * baseDelay;
+				const delay = baseDelay / 2 + jitter;
+				logger.warn(`Received Too Many Requests error. Retrying in ${(delay / 1e3).toFixed(2)} seconds...`);
+				await sleep(delay);
+			} else {
+				logger.error(`Fatal error pulling image ${imageName}: ${error.message}`);
+				throw error;
+			}
+		}
+	}
+};
+//#endregion
+//#region package.json
+var version = "0.1.0";
+//#endregion
+//#region src/params.ts
+var JobParameters = class {
+	constructor(jobId, jobToken, credentialsToken, dependabotApiUrl, dependabotApiDockerUrl, updaterImage) {
+		this.jobId = jobId;
+		this.jobToken = jobToken;
+		this.credentialsToken = credentialsToken;
+		this.dependabotApiUrl = dependabotApiUrl;
+		this.dependabotApiDockerUrl = dependabotApiDockerUrl;
+		this.updaterImage = updaterImage;
+	}
+};
+function getJobParameters(input) {
+	return new JobParameters(parseInt(input.jobId, 10), input.jobToken, input.credentialsToken, input.dependabotApiUrl, input.dependabotApiDockerUrl, input.updaterImage);
+}
+//#endregion
+//#region src/proxy.ts
+const KEY_SIZE = 2048;
+const KEY_EXPIRY_YEARS = 2;
+const CONFIG_FILE_PATH = "/";
+const CONFIG_FILE_NAME = "config.json";
+const CA_CERT_INPUT_PATH$1 = "/usr/local/share/ca-certificates";
+const CUSTOM_CA_CERT_NAME = "custom-ca-cert.crt";
+const CERT_SUBJECT = [
+	{
+		name: "commonName",
+		value: "Dependabot Internal CA"
+	},
+	{
+		name: "organizationName",
+		value: "GitHub Inc."
+	},
+	{
+		shortName: "OU",
+		value: "Dependabot"
+	},
+	{
+		name: "countryName",
+		value: "US"
+	},
+	{
+		shortName: "ST",
+		value: "California"
+	},
+	{
+		name: "localityName",
+		value: "San Francisco"
+	}
+];
+var ProxyBuilder = class {
+	constructor(docker$1, proxyImage, cachedMode) {
+		this.docker = docker$1;
+		this.proxyImage = proxyImage;
+		this.cachedMode = cachedMode;
+	}
+	async run(jobId, jobToken, dependabotApiUrl, credentials) {
+		const name = `dependabot-job-${jobId}-proxy`;
+		const config = await this.buildProxyConfig(credentials);
+		const cert = config.ca.cert;
+		const externalNetworkName = `dependabot-job-${jobId}-external-network`;
+		const externalNetwork = await this.ensureNetwork(externalNetworkName, false);
+		const internalNetworkName = `dependabot-job-${jobId}-internal-network`;
+		const internalNetwork = await this.ensureNetwork(internalNetworkName, true);
+		const container = await this.createContainer(jobId, jobToken, dependabotApiUrl, name, externalNetwork, internalNetwork, internalNetworkName);
+		await ContainerService.storeInput(CONFIG_FILE_NAME, CONFIG_FILE_PATH, container, config);
+		const customCAPath = this.customCAPath();
+		if (customCAPath) {
+			logger.info("Detected custom CA certificate, adding to proxy");
+			const customCert = (await readFile(customCAPath, "utf8")).toString();
+			await ContainerService.storeCert(CUSTOM_CA_CERT_NAME, CA_CERT_INPUT_PATH$1, container, customCert);
+		}
+		const stream$1 = await container.attach({
+			stream: true,
+			stdout: true,
+			stderr: true
+		});
+		container.modem.demuxStream(stream$1, outStream("  proxy"), errStream("  proxy"));
+		const url = async () => {
+			const containerInfo = await container.inspect();
+			if (containerInfo.State.Running === true) return `http://${containerInfo.NetworkSettings.Networks[`${internalNetworkName}`].IPAddress}:1080`;
+			else throw new Error("proxy container isn't running");
+		};
+		return {
+			container,
+			network: internalNetwork,
+			networkName: internalNetworkName,
+			url,
+			cert,
+			shutdown: async () => {
+				await container.stop();
+				await container.remove();
+				await Promise.all([externalNetwork.remove(), internalNetwork.remove()]);
+			}
+		};
+	}
+	async ensureNetwork(name, internal = true) {
+		const networks = await this.docker.listNetworks({ filters: JSON.stringify({ name: [name] }) });
+		if (networks.length > 0) return this.docker.getNetwork(networks[0].Id);
+		else return await this.docker.createNetwork({
+			Name: name,
+			Internal: internal
+		});
+	}
+	async buildProxyConfig(credentials) {
+		return {
+			all_credentials: credentials,
+			ca: await this.generateCertificateAuthority()
+		};
+	}
+	async generateCertificateAuthority() {
+		const { default: { md, pki } } = await import("node-forge");
+		const keys = pki.rsa.generateKeyPair(KEY_SIZE);
+		const cert = pki.createCertificate();
+		cert.publicKey = keys.publicKey;
+		cert.serialNumber = "01";
+		cert.validity.notBefore = /* @__PURE__ */ new Date();
+		cert.validity.notAfter = /* @__PURE__ */ new Date();
+		cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + KEY_EXPIRY_YEARS);
+		cert.setSubject(CERT_SUBJECT);
+		cert.setIssuer(CERT_SUBJECT);
+		cert.setExtensions([
+			{
+				name: "basicConstraints",
+				cA: true,
+				critical: true
+			},
+			{
+				name: "keyUsage",
+				digitalSignature: true,
+				keyEncipherment: true,
+				keyCertSign: true,
+				cRLSign: true,
+				critical: true
+			},
+			{
+				name: "extKeyUsage",
+				serverAuth: true,
+				clientAuth: true
+			},
+			{ name: "subjectKeyIdentifier" },
+			{
+				name: "authorityKeyIdentifier",
+				keyIdentifier: true,
+				authorityCertIssuer: true,
+				authorityCertSerialNumber: cert.serialNumber
+			}
+		]);
+		cert.sign(keys.privateKey, md.sha256.create());
+		return {
+			cert: pki.certificateToPem(cert),
+			key: pki.privateKeyToPem(keys.privateKey)
+		};
+	}
+	async createContainer(jobId, jobToken, dependabotApiUrl, containerName, externalNetwork, internalNetwork, internalNetworkName) {
+		const container = await this.docker.createContainer({
+			Image: this.proxyImage,
+			name: containerName,
+			AttachStdout: true,
+			AttachStderr: true,
+			Env: [
+				`http_proxy=${process.env.http_proxy || process.env.HTTP_PROXY || ""}`,
+				`https_proxy=${process.env.https_proxy || process.env.HTTPS_PROXY || ""}`,
+				`no_proxy=${process.env.no_proxy || process.env.NO_PROXY || ""}`,
+				`JOB_ID=${jobId}`,
+				`JOB_TOKEN=${jobToken}`,
+				`PROXY_CACHE=${this.cachedMode ? "true" : "false"}`,
+				`DEPENDABOT_API_URL=${dependabotApiUrl}`,
+				`ACTIONS_ID_TOKEN_REQUEST_TOKEN=${process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN || ""}`,
+				`ACTIONS_ID_TOKEN_REQUEST_URL=${process.env.ACTIONS_ID_TOKEN_REQUEST_URL || ""}`
+			],
+			Entrypoint: [
+				"sh",
+				"-c",
+				"/usr/sbin/update-ca-certificates && /update-job-proxy"
+			],
+			HostConfig: {
+				NetworkMode: internalNetworkName,
+				ExtraHosts: ["host.docker.internal:host-gateway"]
+			}
+		});
+		await externalNetwork.connect({ Container: container.id });
+		logger.info(`Created proxy container: ${container.id}`);
+		return container;
+	}
+	customCAPath() {
+		if ("CUSTOM_CA_PATH" in process.env) return process.env.CUSTOM_CA_PATH;
+		return process.env.NODE_EXTRA_CA_CERTS;
+	}
+};
+//#endregion
+//#region src/updater-builder.ts
+const JOB_OUTPUT_FILENAME = "output.json";
+const JOB_OUTPUT_PATH = "/home/dependabot/dependabot-updater/output";
+const JOB_INPUT_FILENAME = "job.json";
+const JOB_INPUT_PATH = `/home/dependabot/dependabot-updater`;
+const REPO_CONTENTS_PATH = "/home/dependabot/dependabot-updater/repo";
+const CA_CERT_INPUT_PATH = "/usr/local/share/ca-certificates";
+const CA_CERT_FILENAME = "dbot-ca.crt";
+const UPDATER_MAX_MEMORY = 8 * 1024 * 1024 * 1024;
+var UpdaterBuilder = class {
+	constructor(docker$1, jobParams, input, proxy$1, updaterImage) {
+		this.docker = docker$1;
+		this.jobParams = jobParams;
+		this.input = input;
+		this.proxy = proxy$1;
+		this.updaterImage = updaterImage;
+	}
+	async run(containerName) {
+		const proxyUrl = await this.proxy.url();
+		const container = await this.docker.createContainer({
+			Image: this.updaterImage,
+			name: containerName,
+			AttachStdout: true,
+			AttachStderr: true,
+			User: "dependabot",
+			Env: [
+				`GITHUB_ACTIONS=${process.env.GITHUB_ACTIONS}`,
+				`DEPENDABOT_JOB_ID=${this.jobParams.jobId}`,
+				`DEPENDABOT_JOB_TOKEN=`,
+				`DEPENDABOT_JOB_PATH=${JOB_INPUT_PATH}/${JOB_INPUT_FILENAME}`,
+				`DEPENDABOT_OPEN_TIMEOUT_IN_SECONDS=15`,
+				`DEPENDABOT_OUTPUT_PATH=${JOB_OUTPUT_PATH}/${JOB_OUTPUT_FILENAME}`,
+				`DEPENDABOT_REPO_CONTENTS_PATH=${REPO_CONTENTS_PATH}`,
+				`DEPENDABOT_API_URL=${this.jobParams.dependabotApiDockerUrl}`,
+				`SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt`,
+				`http_proxy=${proxyUrl}`,
+				`HTTP_PROXY=${proxyUrl}`,
+				`https_proxy=${proxyUrl}`,
+				`HTTPS_PROXY=${proxyUrl}`,
+				`UPDATER_ONE_CONTAINER=1`,
+				`ENABLE_CONNECTIVITY_CHECK=${process.env.DEPENDABOT_ENABLE_CONNECTIVITY_CHECK || "1"}`,
+				...process.platform === "darwin" ? [`DOTNET_EnableWriteXorExecute=0`] : []
+			],
+			Cmd: ["/bin/sh"],
+			Tty: true,
+			HostConfig: {
+				Memory: UPDATER_MAX_MEMORY,
+				NetworkMode: this.proxy.networkName
+			}
+		});
+		await ContainerService.storeCert(CA_CERT_FILENAME, CA_CERT_INPUT_PATH, container, this.proxy.cert);
+		await ContainerService.storeInput(JOB_INPUT_FILENAME, JOB_INPUT_PATH, container, this.input);
+		logger.info(`Created container: ${container.id}`);
+		return container;
+	}
+};
+//#endregion
+//#region src/updater.ts
+var Updater = class {
+	docker;
+	constructor(updaterImage, proxyImage, params, job, credentials) {
+		this.updaterImage = updaterImage;
+		this.proxyImage = proxyImage;
+		this.params = params;
+		this.job = job;
+		this.credentials = credentials;
+		this.docker = new Docker();
+		this.job["credentials-metadata"] = this.generateCredentialsMetadata();
+	}
+	/**
+	* Execute an update job and report the result to Dependabot API.
+	*/
+	async runUpdater() {
+		const cachedMode = Object.hasOwn(this.job.experiments, "proxy-cached") === true;
+		const proxy$1 = await new ProxyBuilder(this.docker, this.proxyImage, cachedMode).run(this.params.jobId, this.params.jobToken, this.params.dependabotApiUrl, this.credentials);
+		await proxy$1.container.start();
+		try {
+			await this.runUpdate(proxy$1);
+			return true;
+		} finally {
+			await this.cleanup(proxy$1);
+		}
+	}
+	generateCredentialsMetadata() {
+		const unique = /* @__PURE__ */ new Set();
+		const result = [];
+		for (const credential of this.credentials) {
+			if (credential.type === "jit_access") continue;
+			const obj = { type: credential.type };
+			if (credential.host !== void 0) obj.host = credential.host;
+			if (credential.registry !== void 0) obj.registry = credential.registry;
+			if (credential.url !== void 0) obj.url = credential.url;
+			this.setRegistryFromUrl(obj, credential);
+			if (credential["index-url"] !== void 0) obj["index-url"] = credential["index-url"];
+			this.setIndexUrlFromUrl(obj, credential);
+			if (credential["env-key"] !== void 0) obj["env-key"] = credential["env-key"];
+			if (credential.organization !== void 0) obj.organization = credential.organization;
+			if (credential["replaces-base"] !== void 0) obj["replaces-base"] = credential["replaces-base"];
+			if (credential["public-key-fingerprint"] !== void 0) obj["public-key-fingerprint"] = credential["public-key-fingerprint"];
+			if (credential.repo !== void 0) obj.repo = credential.repo;
+			const key = JSON.stringify(obj);
+			if (!unique.has(key)) {
+				unique.add(key);
+				result.push(obj);
+			}
+		}
+		return result;
+	}
+	setRegistryFromUrl(obj, credential) {
+		if (![
+			"npm_registry",
+			"composer_repository",
+			"docker_registry"
+		].includes(credential.type)) return;
+		if (!credential.registry && credential.url) try {
+			const parsedURL = new URL(credential.url);
+			obj.registry = parsedURL.hostname;
+			if (credential.type === "npm_registry") obj.registry += parsedURL.pathname;
+		} catch {}
+	}
+	setIndexUrlFromUrl(obj, credential) {
+		if (credential.type !== "python_index") return;
+		if (credential["index-url"]) return;
+		if (credential.url) try {
+			obj["index-url"] = credential.url;
+		} catch {}
+	}
+	async runUpdate(proxy$1) {
+		const name = `dependabot-job-${this.params.jobId}`;
+		const container = await this.createContainer(proxy$1, name, { job: this.job });
+		await ContainerService.run(container, this.job.command);
+	}
+	async createContainer(proxy$1, containerName, input) {
+		return new UpdaterBuilder(this.docker, this.params, input, proxy$1, this.updaterImage).run(containerName);
+	}
+	async cleanup(proxy$1) {
+		await proxy$1.shutdown();
+	}
+};
+//#endregion
+//#region src/job-runner.ts
+var JobRunnerImagingError = class extends Error {};
+var JobRunnerUpdaterError = class extends Error {};
+var JobRunner = class {
+	options;
+	constructor(options) {
+		this.options = options;
+	}
+	async run() {
+		const { dependabotApiUrl, dependabotApiDockerUrl, jobId, jobToken, credentialsToken, secretMasker } = this.options;
+		const params = getJobParameters({
+			jobId,
+			jobToken,
+			credentialsToken,
+			dependabotApiUrl,
+			dependabotApiDockerUrl: dependabotApiDockerUrl ?? dependabotApiUrl,
+			updaterImage: this.options.updaterImage
+		});
+		const apiClient = new ApiClient(new InnerApiClient({ baseUrl: dependabotApiUrl.replace("host.docker.internal", "localhost") }), params, jobToken, credentialsToken, secretMasker);
+		const job = await apiClient.getJobDetails();
+		const updaterImage = params.updaterImage || updaterImageName(job["package-manager"]);
+		const sendMetricsWithPackageManager = async (name, metricType, value, additionalTags = {}) => {
+			try {
+				await apiClient.sendMetrics(name, metricType, value, {
+					package_manager: job["package-manager"],
+					...additionalTags
+				});
+			} catch (error) {
+				logger.warn(`Metric sending failed for ${name}: ${error.message}`);
+			}
+		};
+		const updater = new Updater(updaterImage, PROXY_IMAGE_NAME, params, job, await apiClient.getCredentials() || []);
+		try {
+			await ImageService.pull(updaterImage, sendMetricsWithPackageManager);
+			await ImageService.pull(PROXY_IMAGE_NAME, sendMetricsWithPackageManager);
+		} catch (err) {
+			if (err instanceof Error) throw new JobRunnerImagingError(err.message);
+		}
+		try {
+			await updater.runUpdater();
+		} catch (err) {
+			if (err instanceof Error) throw new JobRunnerUpdaterError(err.message);
+		}
+	}
+};
+async function runJob({ jobId, usage,...options }) {
+	const started = /* @__PURE__ */ new Date();
+	let success = false;
+	let message;
+	try {
+		await new JobRunner({
+			jobId,
+			...options
+		}).run();
+		success = true;
+	} catch (err) {
+		if (err instanceof JobRunnerImagingError) message = `Error fetching updater images: ${err.message}`;
+		else if (err instanceof JobRunnerUpdaterError) message = `Error running updater: ${err.message}`;
+		else if (err instanceof CredentialFetchingError) message = `Dependabot was unable to retrieve job credentials: ${err.message}`;
+		else message = `Unknown error: ${err.message}`;
+	}
+	const duration = Date.now() - started.getTime();
+	const data = {
+		...usage,
+		host: {
+			platform: os.platform(),
+			release: os.release(),
+			arch: os.arch(),
+			"machine-hash": crypto.createHash("sha256").update(os.hostname()).digest("hex")
+		},
+		version,
+		id: jobId,
+		started,
+		duration,
+		success
+	};
+	try {
+		const json = JSON.stringify(data);
+		logger.debug(`Usage telemetry data: ${json}`);
+		const resp = await fetch("https://dashboard.paklo.app/api/usage-telemetry", {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: json
+		});
+		if (!resp.ok) logger.debug(`Failed to send usage telemetry data: ${resp.status} ${resp.statusText}`);
+	} catch (err) {
+		logger.debug(`Failed to send usage telemetry data: ${err.message}`);
+	}
+	logger.info(`Update job ${jobId} completed`);
+	return {
+		success,
+		message
+	};
+}
+//#endregion
+export { JobDetailsFetchingError as S, repositoryName as _, Updater as a, ApiClient as b, JobParameters as c, getOrgFromImage as d, ContainerRuntimeError as f, hasDigest as g, digestName as h, runJob as i, getJobParameters as l, PROXY_IMAGE_NAME as m, JobRunnerImagingError as n, UpdaterBuilder as o, ContainerService as p, JobRunnerUpdaterError as r, ProxyBuilder as s, JobRunner as t, ImageService as u, updaterImageName as v, CredentialFetchingError as x, updaterImages as y };
+//# sourceMappingURL=job-runner-BUl_fCJS.js.map