@paklo/runner 0.6.0 → 0.8.0
- package/dist/{api-client-M8F9t7II.d.mts → api-client-BoQ6jjRB.d.mts} +4 -3
- package/dist/index.d.mts +25 -6
- package/dist/index.mjs +2 -2
- package/dist/local/azure/index.d.mts +7 -7
- package/dist/local/azure/index.mjs +95 -64
- package/dist/local/azure/index.mjs.map +1 -1
- package/dist/local/index.d.mts +2 -2
- package/dist/local/index.mjs +1 -1
- package/dist/{run-DBD6Hefl.mjs → run-CXDAe0P_.mjs} +86 -89
- package/dist/run-CXDAe0P_.mjs.map +1 -0
- package/dist/{server-DTAFwSrb.d.mts → server-6BlJr2bw.d.mts} +3 -3
- package/dist/{server-M1ps5BVd.mjs → server-BxUu1gGo.mjs} +2 -2
- package/dist/{server-M1ps5BVd.mjs.map → server-BxUu1gGo.mjs.map} +1 -1
- package/package.json +8 -6
- package/dist/run-DBD6Hefl.mjs.map +0 -1
|
@@ -1,5 +1,5 @@
|
|
|
1
|
+
import { KyInstance } from "ky";
|
|
1
2
|
import { DependabotCredential, DependabotJobConfig, DependabotMetric, DependabotRecordUpdateJobError } from "@paklo/core/dependabot";
|
|
2
|
-
import { InnerApiClient } from "@paklo/core/http";
|
|
3
3
|
|
|
4
4
|
//#region src/params.d.ts
|
|
5
5
|
declare class JobParameters {
|
|
@@ -29,8 +29,9 @@ declare class ApiClient {
|
|
|
29
29
|
readonly params: JobParameters;
|
|
30
30
|
private readonly credentialsToken;
|
|
31
31
|
private readonly secretMasker;
|
|
32
|
+
private dependabotApiUrl;
|
|
32
33
|
private jobToken;
|
|
33
|
-
constructor(client:
|
|
34
|
+
constructor(client: KyInstance, params: JobParameters, jobToken: string, credentialsToken: string, secretMasker: SecretMasker);
|
|
34
35
|
UnknownSha: {
|
|
35
36
|
'base-commit-sha': string;
|
|
36
37
|
};
|
|
@@ -45,4 +46,4 @@ declare class ApiClient {
|
|
|
45
46
|
}
|
|
46
47
|
//#endregion
|
|
47
48
|
export { JobParameters as a, SecretMasker as i, CredentialFetchingError as n, getJobParameters as o, JobDetailsFetchingError as r, ApiClient as t };
|
|
48
|
-
//# sourceMappingURL=api-client-
|
|
49
|
+
//# sourceMappingURL=api-client-BoQ6jjRB.d.mts.map
|
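--- a/package/dist/index.d.mts
+++ b/package/dist/index.d.mts
@@ -1,6 +1,6 @@
-import { a as JobParameters, i as SecretMasker, n as CredentialFetchingError, o as getJobParameters, r as JobDetailsFetchingError, t as ApiClient } from "./api-client-
-import { DependabotCredential, DependabotJobConfig, DependabotProxyConfig, FileFetcherInput, FileUpdaterInput } from "@paklo/core/dependabot";
+import { a as JobParameters, i as SecretMasker, n as CredentialFetchingError, o as getJobParameters, r as JobDetailsFetchingError, t as ApiClient } from "./api-client-BoQ6jjRB.mjs";
 import Docker, { Container, Network } from "dockerode";
+import { CertificateAuthority, DependabotCredential, DependabotJobConfig, DependabotProxyConfig, FileFetcherInput, FileUpdaterInput } from "@paklo/core/dependabot";
 import { UsageTelemetryRequestData } from "@paklo/core/usage";
 
 //#region src/cleanup.d.ts
@@ -42,15 +42,17 @@ type Proxy = {
 cert: string;
 shutdown: () => Promise<void>;
 };
+declare const CONFIG_FILE_NAME = "config.json";
 declare class ProxyBuilder {
 private readonly docker;
 private readonly proxyImage;
 private readonly cachedMode;
-
+private readonly debug;
+constructor(docker: Docker, proxyImage: string, cachedMode: boolean, debug: boolean);
 run(jobId: string, jobToken: string, dependabotApiUrl: string, credentials: DependabotCredential[]): Promise<Proxy>;
 private ensureNetwork;
 private buildProxyConfig;
-
+static generateCertificateAuthority(): Promise<CertificateAuthority>;
 private createContainer;
 private customCAPath;
 }
@@ -66,6 +68,7 @@ type RunJobOptions = {
 credentialsToken: string;
 updaterImage?: string;
 secretMasker: SecretMasker;
+debug: boolean;
 usage: Pick<UsageTelemetryRequestData, 'trigger' | 'provider' | 'owner' | 'project' | 'package-manager'>;
 };
 type RunJobResult = {
@@ -88,8 +91,9 @@ declare class Updater {
 private readonly params;
 private readonly job;
 private readonly credentials;
+private readonly debug;
 docker: Docker;
-constructor(updaterImage: string, proxyImage: string, params: JobParameters, job: DependabotJobConfig, credentials: DependabotCredential[]);
+constructor(updaterImage: string, proxyImage: string, params: JobParameters, job: DependabotJobConfig, credentials: DependabotCredential[], debug: boolean);
 /**
 * Execute an update job and report the result to Dependabot API.
 */
@@ -103,6 +107,13 @@ declare class Updater {
 }
 //#endregion
 //#region src/updater-builder.d.ts
+declare const JOB_OUTPUT_FILENAME = "output.json";
+declare const JOB_OUTPUT_PATH = "/home/dependabot/dependabot-updater/output";
+declare const JOB_INPUT_FILENAME = "job.json";
+declare const JOB_INPUT_PATH = "/home/dependabot/dependabot-updater";
+declare const REPO_CONTENTS_PATH = "/home/dependabot/dependabot-updater/repo";
+declare const CA_CERT_INPUT_PATH = "/usr/local/share/ca-certificates";
+declare const CA_CERT_FILENAME = "dbot-ca.crt";
 declare class UpdaterBuilder {
 private readonly docker;
 private readonly jobParams;
@@ -113,5 +124,13 @@ declare class UpdaterBuilder {
 run(containerName: string): Promise<Container>;
 }
 //#endregion
-
+//#region src/utils.d.ts
+/**
+* Extracts the SHA from an updater image string.
+* @param updaterImage - Image string in the format "image:sha" or "registry/image:sha"
+* @returns The SHA part after the last colon, or null if no colon is found
+*/
+declare const extractUpdaterSha: (updaterImage: string) => string | null;
+//#endregion
+export { ApiClient, CA_CERT_FILENAME, CA_CERT_INPUT_PATH, CONFIG_FILE_NAME, ContainerRuntimeError, ContainerService, CredentialFetchingError, ImageService, JOB_INPUT_FILENAME, JOB_INPUT_PATH, JOB_OUTPUT_FILENAME, JOB_OUTPUT_PATH, JobDetailsFetchingError, JobParameters, JobRunnerImagingError, JobRunnerUpdaterError, MetricReporter, PROXY_IMAGE_NAME, Proxy, ProxyBuilder, REPO_CONTENTS_PATH, RunJobOptions, RunJobResult, SecretMasker, Updater, UpdaterBuilder, cleanup, cleanupOldImageVersions, digestName, extractUpdaterSha, getJobParameters, getOrgFromImage, hasDigest, isRunningInDocker, repositoryName, runJob, updaterImageName, updaterImages };
 //# sourceMappingURL=index.d.mts.map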
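Review bot: The doc comment on `extractUpdaterSha` (new lines 128–132) defines the result as "the SHA part after the last colon", which is ambiguous for image references outside the two formats it names. A constructed reference with a registry port and no tag, such as `host:5000/image`, would yield `5000/image` under that rule, and a digest reference of the form `image@sha256:<hex>` would yield only the hex part. The implementation is not in this declaration file, so this may already be handled; if it is not, a caller comparing the result with an expected updater SHA gets a wrong string where `null` would be the honest answer. I would tighten the contract in the comment, e.g. `@returns The tag after the last colon of the final path segment, or null when the reference carries no tag`, and have the implementation ignore any colon that precedes the last `/`.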
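--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -1,4 +1,4 @@
-import { S as
+import { A as CredentialFetchingError, C as PROXY_IMAGE_NAME, D as updaterImageName, E as repositoryName, O as updaterImages, S as extractUpdaterSha, T as hasDigest, _ as getJobParameters, a as Updater, b as ContainerRuntimeError, c as JOB_INPUT_FILENAME, d as JOB_OUTPUT_PATH, f as REPO_CONTENTS_PATH, g as JobParameters, h as ProxyBuilder, i as runJob, j as JobDetailsFetchingError, k as ApiClient, l as JOB_INPUT_PATH, m as CONFIG_FILE_NAME, n as JobRunnerUpdaterError, o as CA_CERT_FILENAME, p as UpdaterBuilder, r as isRunningInDocker, s as CA_CERT_INPUT_PATH, t as JobRunnerImagingError, u as JOB_OUTPUT_FILENAME, v as ImageService, w as digestName, x as ContainerService, y as getOrgFromImage } from "./run-CXDAe0P_.mjs";
 import { logger } from "@paklo/core/logger";
 import Docker from "dockerode";
 
@@ -45,5 +45,5 @@ function imageMatches(imageInfo, imageName) {
 }
 
 //#endregion
-export { ApiClient, ContainerRuntimeError, ContainerService, CredentialFetchingError, ImageService, JobDetailsFetchingError, JobParameters, JobRunnerImagingError, JobRunnerUpdaterError, PROXY_IMAGE_NAME, ProxyBuilder, Updater, UpdaterBuilder, cleanup, cleanupOldImageVersions, digestName, getJobParameters, getOrgFromImage, hasDigest, isRunningInDocker, repositoryName, runJob, updaterImageName, updaterImages };
+export { ApiClient, CA_CERT_FILENAME, CA_CERT_INPUT_PATH, CONFIG_FILE_NAME, ContainerRuntimeError, ContainerService, CredentialFetchingError, ImageService, JOB_INPUT_FILENAME, JOB_INPUT_PATH, JOB_OUTPUT_FILENAME, JOB_OUTPUT_PATH, JobDetailsFetchingError, JobParameters, JobRunnerImagingError, JobRunnerUpdaterError, PROXY_IMAGE_NAME, ProxyBuilder, REPO_CONTENTS_PATH, Updater, UpdaterBuilder, cleanup, cleanupOldImageVersions, digestName, extractUpdaterSha, getJobParameters, getOrgFromImage, hasDigest, isRunningInDocker, repositoryName, runJob, updaterImageName, updaterImages };
 //# sourceMappingURL=index.mjs.map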
|
@@ -1,19 +1,19 @@
|
|
|
1
|
-
import "../../api-client-
|
|
2
|
-
import { a as LocalJobsRunner, i as LocalDependabotServerOptions, n as LocalDependabotServer, o as LocalJobsRunnerOptions, s as RunJobsResult } from "../../server-
|
|
1
|
+
import "../../api-client-BoQ6jjRB.mjs";
|
|
2
|
+
import { a as LocalJobsRunner, i as LocalDependabotServerOptions, n as LocalDependabotServer, o as LocalJobsRunnerOptions, s as RunJobsResult } from "../../server-6BlJr2bw.mjs";
|
|
3
3
|
import { DependabotRequest } from "@paklo/core/dependabot";
|
|
4
|
-
import {
|
|
4
|
+
import { AzdoPrExtractedWithProperties, AzdoPullRequestMergeStrategy, AzureDevOpsClientWrapper, AzureDevOpsRepositoryUrl } from "@paklo/core/azure";
|
|
5
5
|
|
|
6
6
|
//#region src/local/azure/server.d.ts
|
|
7
7
|
type AzureLocalDependabotServerOptions = LocalDependabotServerOptions & {
|
|
8
8
|
url: AzureDevOpsRepositoryUrl;
|
|
9
|
-
authorClient:
|
|
9
|
+
authorClient: AzureDevOpsClientWrapper;
|
|
10
10
|
autoApprove: boolean;
|
|
11
|
-
approverClient?:
|
|
11
|
+
approverClient?: AzureDevOpsClientWrapper;
|
|
12
12
|
setAutoComplete: boolean;
|
|
13
|
-
mergeStrategy?:
|
|
13
|
+
mergeStrategy?: AzdoPullRequestMergeStrategy;
|
|
14
14
|
autoCompleteIgnoreConfigIds: number[];
|
|
15
15
|
existingBranchNames: string[] | undefined;
|
|
16
|
-
existingPullRequests:
|
|
16
|
+
existingPullRequests: AzdoPrExtractedWithProperties[];
|
|
17
17
|
};
|
|
18
18
|
declare class AzureLocalDependabotServer extends LocalDependabotServer {
|
|
19
19
|
private readonly options;
|
|
@@ -1,10 +1,10 @@
|
|
|
1
|
-
import { i as runJob } from "../../run-
|
|
2
|
-
import { n as LocalJobsRunner, t as LocalDependabotServer } from "../../server-
|
|
3
|
-
import { DependabotJobBuilder, getBranchNameForUpdate, mapPackageEcosystemToPackageManager } from "@paklo/core/dependabot";
|
|
1
|
+
import { i as runJob } from "../../run-CXDAe0P_.mjs";
|
|
2
|
+
import { n as LocalJobsRunner, t as LocalDependabotServer } from "../../server-BxUu1gGo.mjs";
|
|
4
3
|
import { logger } from "@paklo/core/logger";
|
|
5
4
|
import { readFile } from "node:fs/promises";
|
|
6
5
|
import { existsSync } from "node:fs";
|
|
7
|
-
import {
|
|
6
|
+
import { DependabotJobBuilder, getBranchNameForUpdate, getPullRequestCloseReason, getPullRequestDependencies, getPullRequestDescription, mapPackageEcosystemToPackageManager, normalizeBranchName } from "@paklo/core/dependabot";
|
|
7
|
+
import { AzureDevOpsClientWrapper, PR_DESCRIPTION_MAX_LENGTH, PR_PROPERTY_MICROSOFT_GIT_SOURCE_REF_NAME, buildPullRequestProperties, getPullRequestChangedFiles, getPullRequestForDependencyNames, parsePullRequestProperties } from "@paklo/core/azure";
|
|
8
8
|
import { GitHubSecurityAdvisoryClient, SecurityVulnerabilitySchema, filterVulnerabilities, getGhsaPackageEcosystemFromDependabotPackageManager } from "@paklo/core/github";
|
|
9
9
|
|
|
10
10
|
//#region src/local/azure/server.ts
|
|
@@ -43,10 +43,20 @@ var AzureLocalDependabotServer = class extends LocalDependabotServer {
|
|
|
43
43
|
logger.warn(`Skipping pull request creation of '${title}' as the open pull requests limit (${openPullRequestsLimit}) has been reached`);
|
|
44
44
|
return true;
|
|
45
45
|
}
|
|
46
|
-
const changedFiles =
|
|
47
|
-
const dependencies =
|
|
48
|
-
const targetBranch = update["target-branch"] || await authorClient.getDefaultBranch(
|
|
49
|
-
|
|
46
|
+
const changedFiles = getPullRequestChangedFiles(data);
|
|
47
|
+
const dependencies = getPullRequestDependencies(data);
|
|
48
|
+
const targetBranch = update["target-branch"] || await authorClient.getDefaultBranch({
|
|
49
|
+
project,
|
|
50
|
+
repository
|
|
51
|
+
});
|
|
52
|
+
const sourceBranch = getBranchNameForUpdate({
|
|
53
|
+
packageEcosystem: update["package-ecosystem"],
|
|
54
|
+
targetBranchName: targetBranch,
|
|
55
|
+
directory: update.directory || update.directories?.find((dir) => changedFiles[0]?.path?.startsWith(dir)),
|
|
56
|
+
dependencyGroupName: !Array.isArray(dependencies) ? dependencies["dependency-group-name"] : void 0,
|
|
57
|
+
dependencies: !Array.isArray(dependencies) ? dependencies.dependencies : dependencies,
|
|
58
|
+
separator: update["pull-request-branch-name"]?.separator
|
|
59
|
+
});
|
|
50
60
|
if ((existingBranchNames?.find((branch) => sourceBranch === branch) || []).length) {
|
|
51
61
|
logger.error(`Unable to create pull request '${title}' as source branch '${sourceBranch}' already exists; Delete the existing branch and try again.`);
|
|
52
62
|
return false;
|
|
@@ -66,19 +76,16 @@ var AzureLocalDependabotServer = class extends LocalDependabotServer {
|
|
|
66
76
|
target: { branch: targetBranch },
|
|
67
77
|
author,
|
|
68
78
|
title,
|
|
69
|
-
description: getPullRequestDescription(
|
|
79
|
+
description: getPullRequestDescription({
|
|
80
|
+
packageManager,
|
|
81
|
+
body: data["pr-body"],
|
|
82
|
+
dependencies: data.dependencies,
|
|
83
|
+
maxDescriptionLength: PR_DESCRIPTION_MAX_LENGTH
|
|
84
|
+
}),
|
|
70
85
|
commitMessage: data["commit-message"],
|
|
71
86
|
autoComplete: setAutoComplete ? {
|
|
72
87
|
ignorePolicyConfigIds: autoCompleteIgnoreConfigIds,
|
|
73
|
-
mergeStrategy:
|
|
74
|
-
switch (mergeStrategy) {
|
|
75
|
-
case "noFastForward": return GitPullRequestMergeStrategy.NoFastForward;
|
|
76
|
-
case "squash": return GitPullRequestMergeStrategy.Squash;
|
|
77
|
-
case "rebase": return GitPullRequestMergeStrategy.Rebase;
|
|
78
|
-
case "rebaseMerge": return GitPullRequestMergeStrategy.RebaseMerge;
|
|
79
|
-
default: return GitPullRequestMergeStrategy.Squash;
|
|
80
|
-
}
|
|
81
|
-
})()
|
|
88
|
+
mergeStrategy: mergeStrategy ?? "squash"
|
|
82
89
|
} : void 0,
|
|
83
90
|
assignees: update.assignees,
|
|
84
91
|
labels: update.labels?.map((label) => label?.trim()) || [],
|
|
@@ -91,10 +98,11 @@ var AzureLocalDependabotServer = class extends LocalDependabotServer {
|
|
|
91
98
|
repository,
|
|
92
99
|
pullRequestId: newPullRequestId
|
|
93
100
|
});
|
|
94
|
-
if (newPullRequestId
|
|
101
|
+
if (newPullRequestId) {
|
|
95
102
|
affectedPullRequestIds.get(id).created.push(newPullRequestId);
|
|
96
103
|
return true;
|
|
97
|
-
}
|
|
104
|
+
}
|
|
105
|
+
return false;
|
|
98
106
|
}
|
|
99
107
|
case "update_pull_request": {
|
|
100
108
|
if (dryRun) {
|
|
@@ -109,21 +117,18 @@ var AzureLocalDependabotServer = class extends LocalDependabotServer {
|
|
|
109
117
|
const pullRequestWasUpdated = await authorClient.updatePullRequest({
|
|
110
118
|
project,
|
|
111
119
|
repository,
|
|
112
|
-
pullRequestId: pullRequestToUpdate.
|
|
120
|
+
pullRequestId: pullRequestToUpdate.pullRequestId,
|
|
113
121
|
commit: data["base-commit-sha"] || job.source.commit,
|
|
114
122
|
author,
|
|
115
|
-
changes:
|
|
116
|
-
skipIfDraft: true,
|
|
117
|
-
skipIfCommitsFromAuthorsOtherThan: author.email,
|
|
118
|
-
skipIfNotBehindTargetBranch: true
|
|
123
|
+
changes: getPullRequestChangedFiles(data)
|
|
119
124
|
});
|
|
120
125
|
if (autoApprove && approverClient && pullRequestWasUpdated) await approverClient.approvePullRequest({
|
|
121
126
|
project,
|
|
122
127
|
repository,
|
|
123
|
-
pullRequestId: pullRequestToUpdate.
|
|
128
|
+
pullRequestId: pullRequestToUpdate.pullRequestId
|
|
124
129
|
});
|
|
125
130
|
if (pullRequestWasUpdated) {
|
|
126
|
-
affectedPullRequestIds.get(id).updated.push(pullRequestToUpdate.
|
|
131
|
+
affectedPullRequestIds.get(id).updated.push(pullRequestToUpdate.pullRequestId);
|
|
127
132
|
return true;
|
|
128
133
|
}
|
|
129
134
|
return false;
|
|
@@ -141,11 +146,11 @@ var AzureLocalDependabotServer = class extends LocalDependabotServer {
|
|
|
141
146
|
if (await authorClient.abandonPullRequest({
|
|
142
147
|
project,
|
|
143
148
|
repository,
|
|
144
|
-
pullRequestId: pullRequestToClose.
|
|
145
|
-
comment:
|
|
149
|
+
pullRequestId: pullRequestToClose.pullRequestId,
|
|
150
|
+
comment: getPullRequestCloseReason(data),
|
|
146
151
|
deleteSourceBranch: true
|
|
147
152
|
})) {
|
|
148
|
-
affectedPullRequestIds.get(id).closed.push(pullRequestToClose.
|
|
153
|
+
affectedPullRequestIds.get(id).closed.push(pullRequestToClose.pullRequestId);
|
|
149
154
|
return true;
|
|
150
155
|
}
|
|
151
156
|
return false;
|
|
@@ -173,11 +178,11 @@ var AzureLocalDependabotServer = class extends LocalDependabotServer {
|
|
|
173
178
|
case "record_cooldown_meta":
|
|
174
179
|
case "record_metrics": return true;
|
|
175
180
|
case "record_update_job_error":
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
|
|
179
|
-
logger.error(`Update job unknown error: ${data["error-type"]}, ${JSON.stringify(data["error-details"])}`);
|
|
181
|
+
case "record_update_job_unknown_error": {
|
|
182
|
+
const unknown = type === "record_update_job_unknown_error";
|
|
183
|
+
logger.error(`Update${unknown ? " unknown " : ""})job error: ${data["error-type"]} ${JSON.stringify(data["error-details"])}`);
|
|
180
184
|
return true;
|
|
185
|
+
}
|
|
181
186
|
default:
|
|
182
187
|
logger.warn(`Unknown dependabot request type '${type}', ignoring...`);
|
|
183
188
|
return true;
|
|
@@ -195,16 +200,23 @@ var AzureLocalJobsRunner = class extends LocalJobsRunner {
|
|
|
195
200
|
super({ ...options });
|
|
196
201
|
this.options = options;
|
|
197
202
|
const { url, gitToken, autoApprove, debug } = this.options;
|
|
198
|
-
this.authorClient = new
|
|
199
|
-
this.approverClient = autoApprove ? new
|
|
203
|
+
this.authorClient = new AzureDevOpsClientWrapper(url, gitToken, debug);
|
|
204
|
+
this.approverClient = autoApprove ? new AzureDevOpsClientWrapper(url, options.autoApproveToken || gitToken, debug) : void 0;
|
|
200
205
|
}
|
|
201
206
|
async run() {
|
|
202
207
|
await super.run();
|
|
203
208
|
const { options: { url, port, config, targetUpdateIds, command }, authorClient, approverClient } = this;
|
|
204
209
|
if (config["multi-ecosystem-groups"] || config.updates?.some((u) => u["multi-ecosystem-group"])) logger.warn("Multi-ecosystem updates are not working yet. Only parsing and validation is supported at this time.");
|
|
205
210
|
if (config.updates?.some((u) => u["open-pull-requests-limit"] === 0)) logger.warn("Security-only updates incur a slight performance overhead due to limitations in Dependabot CLI. For more info, see: https://github.com/mburumaxwell/dependabot-azure-devops/blob/main/README.md#configuring-security-advisories-and-known-vulnerabilities");
|
|
206
|
-
const existingBranchNames = await authorClient.getBranchNames(
|
|
207
|
-
|
|
211
|
+
const existingBranchNames = await authorClient.getBranchNames({
|
|
212
|
+
project: url.project,
|
|
213
|
+
repository: url.repository
|
|
214
|
+
});
|
|
215
|
+
const existingPullRequests = await authorClient.getActivePullRequestProperties({
|
|
216
|
+
project: url.project,
|
|
217
|
+
repository: url.repository,
|
|
218
|
+
creatorId: await authorClient.getUserId()
|
|
219
|
+
});
|
|
208
220
|
const server = new AzureLocalDependabotServer({
|
|
209
221
|
authorClient,
|
|
210
222
|
approverClient,
|
|
@@ -244,14 +256,14 @@ var AzureLocalJobsRunner = class extends LocalJobsRunner {
|
|
|
244
256
|
const { options: { url, dryRun }, authorClient } = this;
|
|
245
257
|
for (const pullRequestIndex in existingPullRequests) {
|
|
246
258
|
const pullRequest = existingPullRequests[pullRequestIndex];
|
|
247
|
-
const pullRequestSourceRefName = normalizeBranchName(pullRequest.properties?.find((x) => x.name ===
|
|
259
|
+
const pullRequestSourceRefName = normalizeBranchName(pullRequest.properties?.find((x) => x.name === PR_PROPERTY_MICROSOFT_GIT_SOURCE_REF_NAME)?.value);
|
|
248
260
|
if (pullRequestSourceRefName && !existingBranchNames.includes(pullRequestSourceRefName)) {
|
|
249
261
|
if (!dryRun) {
|
|
250
|
-
logger.warn(`Detected source branch for PR #${pullRequest.
|
|
262
|
+
logger.warn(`Detected source branch for PR #${pullRequest.pullRequestId} has been deleted; The pull request will be abandoned`);
|
|
251
263
|
await authorClient.abandonPullRequest({
|
|
252
264
|
project: url.project,
|
|
253
265
|
repository: url.repository,
|
|
254
|
-
pullRequestId: pullRequest.
|
|
266
|
+
pullRequestId: pullRequest.pullRequestId,
|
|
255
267
|
comment: "It might be a good idea to add an [`ignore` condition](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#ignore--) with the desired `update-types` to your config file."
|
|
256
268
|
});
|
|
257
269
|
}
|
|
@@ -268,6 +280,11 @@ var AzureLocalJobsRunner = class extends LocalJobsRunner {
|
|
|
268
280
|
async performUpdates(server, updates, existingPullRequests, dependabotApiUrl, dependabotApiDockerUrl, command) {
|
|
269
281
|
const { options: { url, gitToken, githubToken, experiments, config, dryRun, securityAdvisoriesFile, secretMasker } } = this;
|
|
270
282
|
const results = [];
|
|
283
|
+
function makeRandomJobId() {
|
|
284
|
+
const array = new Uint32Array(1);
|
|
285
|
+
crypto.getRandomValues(array);
|
|
286
|
+
return `${array[0] % 1e10}`;
|
|
287
|
+
}
|
|
271
288
|
function makeUsageData(job) {
|
|
272
289
|
return {
|
|
273
290
|
trigger: "user",
|
|
@@ -300,14 +317,20 @@ var AzureLocalJobsRunner = class extends LocalJobsRunner {
|
|
|
300
317
|
let credentials;
|
|
301
318
|
let jobToken;
|
|
302
319
|
let credentialsToken;
|
|
303
|
-
|
|
304
|
-
|
|
305
|
-
const
|
|
320
|
+
const debug = this.options.debug;
|
|
321
|
+
const securityVulnerabilities = [];
|
|
322
|
+
const dependencyNamesToUpdate = [];
|
|
323
|
+
const openPullRequestsLimit = update["open-pull-requests-limit"];
|
|
324
|
+
const securityUpdatesOnly = openPullRequestsLimit === 0;
|
|
306
325
|
if (securityUpdatesOnly) {
|
|
307
|
-
|
|
326
|
+
const id = makeRandomJobId();
|
|
327
|
+
({job, credentials} = builder.forDependenciesList({
|
|
328
|
+
id,
|
|
329
|
+
command
|
|
330
|
+
}));
|
|
308
331
|
({jobToken, credentialsToken} = this.makeTokens());
|
|
309
332
|
server.add({
|
|
310
|
-
id
|
|
333
|
+
id,
|
|
311
334
|
update,
|
|
312
335
|
job,
|
|
313
336
|
jobToken,
|
|
@@ -317,14 +340,15 @@ var AzureLocalJobsRunner = class extends LocalJobsRunner {
|
|
|
317
340
|
await runJob({
|
|
318
341
|
dependabotApiUrl,
|
|
319
342
|
dependabotApiDockerUrl,
|
|
320
|
-
jobId:
|
|
343
|
+
jobId: id,
|
|
321
344
|
jobToken,
|
|
322
345
|
credentialsToken,
|
|
323
346
|
updaterImage,
|
|
324
347
|
secretMasker,
|
|
348
|
+
debug,
|
|
325
349
|
usage: makeUsageData(job)
|
|
326
350
|
});
|
|
327
|
-
const packagesToCheckForVulnerabilities = server.requests(
|
|
351
|
+
const packagesToCheckForVulnerabilities = server.requests(id).find((o) => o.type === "update_dependency_list")?.data.dependencies?.map((d) => ({
|
|
328
352
|
name: d.name,
|
|
329
353
|
version: d.version
|
|
330
354
|
}));
|
|
@@ -334,30 +358,33 @@ var AzureLocalJobsRunner = class extends LocalJobsRunner {
|
|
|
334
358
|
const filePath = securityAdvisoriesFile;
|
|
335
359
|
if (existsSync(filePath)) {
|
|
336
360
|
const fileContents = await readFile(filePath, "utf-8");
|
|
337
|
-
securityVulnerabilities
|
|
361
|
+
securityVulnerabilities.push(...await SecurityVulnerabilitySchema.array().parseAsync(JSON.parse(fileContents)));
|
|
338
362
|
} else logger.info(`Private security advisories file '${filePath}' does not exist`);
|
|
339
363
|
}
|
|
340
364
|
if (githubToken) {
|
|
341
365
|
const githubVulnerabilities = await new GitHubSecurityAdvisoryClient(githubToken).getSecurityVulnerabilitiesAsync(getGhsaPackageEcosystemFromDependabotPackageManager(packageManager), packagesToCheckForVulnerabilities || []);
|
|
342
366
|
securityVulnerabilities.push(...githubVulnerabilities);
|
|
343
367
|
} else logger.info("GitHub access token is not provided; Checking for vulnerabilities from GitHub is skipped. This is not an issue if you are using private security advisories file.");
|
|
344
|
-
|
|
345
|
-
|
|
368
|
+
const filtered = filterVulnerabilities(securityVulnerabilities);
|
|
369
|
+
securityVulnerabilities.splice(0);
|
|
370
|
+
securityVulnerabilities.push(...filtered);
|
|
371
|
+
dependencyNamesToUpdate.push(...Array.from(new Set(securityVulnerabilities.map((v) => v.package.name))));
|
|
346
372
|
logger.info(`Detected ${securityVulnerabilities.length} vulnerabilities affecting ${dependencyNamesToUpdate.length} dependencies`);
|
|
347
373
|
if (dependencyNamesToUpdate.length) logger.trace(dependencyNamesToUpdate);
|
|
348
374
|
} else {
|
|
349
375
|
logger.info(`No vulnerabilities detected for update ${update["package-ecosystem"]} in ${update.directory}`);
|
|
350
|
-
server.clear(
|
|
376
|
+
server.clear(id);
|
|
351
377
|
continue;
|
|
352
378
|
}
|
|
353
|
-
server.clear(
|
|
379
|
+
server.clear(id);
|
|
354
380
|
}
|
|
355
|
-
const openPullRequestsLimit = update["open-pull-requests-limit"];
|
|
356
381
|
const openPullRequestsCount = Object.entries(existingPullRequestsForPackageManager).length;
|
|
357
382
|
if (!(openPullRequestsLimit > 0 && openPullRequestsCount >= openPullRequestsLimit)) {
|
|
358
383
|
const dependenciesHaveVulnerabilities = dependencyNamesToUpdate.length && securityVulnerabilities.length;
|
|
359
384
|
if (!securityUpdatesOnly || dependenciesHaveVulnerabilities) {
|
|
385
|
+
const id = makeRandomJobId();
|
|
360
386
|
({job, credentials} = builder.forUpdate({
|
|
387
|
+
id,
|
|
361
388
|
command,
|
|
362
389
|
dependencyNamesToUpdate,
|
|
363
390
|
existingPullRequests: existingPullRequestDependenciesForPackageManager,
|
|
@@ -365,7 +392,7 @@ var AzureLocalJobsRunner = class extends LocalJobsRunner {
|
|
|
365
392
|
}));
|
|
366
393
|
({jobToken, credentialsToken} = this.makeTokens());
|
|
367
394
|
server.add({
|
|
368
|
-
id
|
|
395
|
+
id,
|
|
369
396
|
update,
|
|
370
397
|
job,
|
|
371
398
|
jobToken,
|
|
@@ -375,17 +402,18 @@ var AzureLocalJobsRunner = class extends LocalJobsRunner {
|
|
|
375
402
|
const { success, message } = await runJob({
|
|
376
403
|
dependabotApiUrl,
|
|
377
404
|
dependabotApiDockerUrl,
|
|
378
|
-
jobId:
|
|
405
|
+
jobId: id,
|
|
379
406
|
jobToken,
|
|
380
407
|
credentialsToken,
|
|
381
408
|
updaterImage,
|
|
382
409
|
secretMasker,
|
|
410
|
+
debug,
|
|
383
411
|
usage: makeUsageData(job)
|
|
384
412
|
});
|
|
385
|
-
const affectedPrs = server.allAffectedPrs(
|
|
386
|
-
server.clear(
|
|
413
|
+
const affectedPrs = server.allAffectedPrs(id);
|
|
414
|
+
server.clear(id);
|
|
387
415
|
results.push({
|
|
388
|
-
id
|
|
416
|
+
id,
|
|
389
417
|
success,
|
|
390
418
|
message,
|
|
391
419
|
affectedPrs
|
|
@@ -394,7 +422,9 @@ var AzureLocalJobsRunner = class extends LocalJobsRunner {
|
|
|
394
422
|
} else logger.warn(`Skipping update for ${packageEcosystem} packages as the open pull requests limit (${openPullRequestsLimit}) has already been reached`);
|
|
395
423
|
const numberOfPullRequestsToUpdate = Object.keys(existingPullRequestsForPackageManager).length;
|
|
396
424
|
if (numberOfPullRequestsToUpdate > 0) if (!dryRun) for (const pullRequestId in existingPullRequestsForPackageManager) {
|
|
425
|
+
const id = makeRandomJobId();
|
|
397
426
|
({job, credentials} = builder.forUpdate({
|
|
427
|
+
id,
|
|
398
428
|
command,
|
|
399
429
|
existingPullRequests: existingPullRequestDependenciesForPackageManager,
|
|
400
430
|
pullRequestToUpdate: existingPullRequestsForPackageManager[pullRequestId],
|
|
@@ -402,7 +432,7 @@ var AzureLocalJobsRunner = class extends LocalJobsRunner {
|
|
|
402
432
|
}));
|
|
403
433
|
({jobToken, credentialsToken} = this.makeTokens());
|
|
404
434
|
server.add({
|
|
405
|
-
id
|
|
435
|
+
id,
|
|
406
436
|
update,
|
|
407
437
|
job,
|
|
408
438
|
jobToken,
|
|
@@ -412,17 +442,18 @@ var AzureLocalJobsRunner = class extends LocalJobsRunner {
|
|
|
412
442
|
const { success, message } = await runJob({
|
|
413
443
|
dependabotApiUrl,
|
|
414
444
|
dependabotApiDockerUrl,
|
|
415
|
-
jobId:
|
|
445
|
+
jobId: id,
|
|
416
446
|
jobToken,
|
|
417
447
|
credentialsToken,
|
|
418
448
|
updaterImage,
|
|
419
449
|
secretMasker,
|
|
450
|
+
debug,
|
|
420
451
|
usage: makeUsageData(job)
|
|
421
452
|
});
|
|
422
|
-
const affectedPrs = server.allAffectedPrs(
|
|
423
|
-
server.clear(
|
|
453
|
+
const affectedPrs = server.allAffectedPrs(id);
|
|
454
|
+
server.clear(id);
|
|
424
455
|
results.push({
|
|
425
|
-
id
|
|
456
|
+
id,
|
|
426
457
|
success,
|
|
427
458
|
message,
|
|
428
459
|
affectedPrs
|
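Review bot: In the `update_pull_request` case (new lines 117–124; the case body starts above the hunk) the call to `authorClient.updatePullRequest` no longer passes `skipIfDraft: true`, `skipIfCommitsFromAuthorsOtherThan: author.email` or `skipIfNotBehindTargetBranch: true`, and nothing visible in this file replaces them. Unless `AzureDevOpsClientWrapper.updatePullRequest` in `@paklo/core/azure` now applies these checks itself, an update can rewrite a pull request branch that carries commits from someone other than the bot author, and with `autoApprove` set the following statement approves the result through `approverClient`. Please confirm where the guards now live and record it next to the call, e.g. `// draft, foreign-commit and behind-target checks are enforced inside updatePullRequest`, or pass the three options again. Separately, the log template at new line 183 has a stray `)` and no space before `job`, so it prints `Update)job error:`; `Update${unknown ? " unknown" : ""} job error:` reads as intended.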