Class: Dependabot::GithubActions::Package::PackageDetailsFetcher

Inherits:

Object

Object
Dependabot::GithubActions::Package::PackageDetailsFetcher

show all

Extended by:: T::Sig

Defined in:: lib/dependabot/github_actions/package/package_details_fetcher.rb

Instance Attribute Summary collapse

#credentials ⇒ Object readonly

Returns the value of attribute credentials.
#dependency ⇒ Object readonly

Returns the value of attribute dependency.
#ignored_versions ⇒ Object readonly

Returns the value of attribute ignored_versions.
#raise_on_ignored ⇒ Object readonly

Returns the value of attribute raise_on_ignored.
#security_advisories ⇒ Object readonly

Returns the value of attribute security_advisories.

Instance Method Summary collapse

#allowed_version_tags_with_release_dates ⇒ Object
#fetch_tag_and_release_date ⇒ Object
#initialize(dependency:, credentials:, ignored_versions: [], raise_on_ignored: false, security_advisories: []) ⇒ PackageDetailsFetcher constructor

A new instance of PackageDetailsFetcher.
#latest_version_tag ⇒ Object
#lowest_security_fix_version_tag ⇒ Object
#release_list_for_git_dependency ⇒ Object

Constructor Details

#initialize(dependency:, credentials:, ignored_versions: [], raise_on_ignored: false, security_advisories: []) ⇒ `PackageDetailsFetcher`

Returns a new instance of PackageDetailsFetcher.

# File 'lib/dependabot/github_actions/package/package_details_fetcher.rb', line 37

def initialize(
  dependency:,
  credentials:,
  ignored_versions: [],
  raise_on_ignored: false,
  security_advisories: []
)
  @dependency = dependency
  @credentials = credentials
  @raise_on_ignored = raise_on_ignored
  @ignored_versions = ignored_versions
  @security_advisories = security_advisories

  @git_helper = T.let(git_helper, Dependabot::GithubActions::Helpers::Githelper)
end

Instance Attribute Details

#credentials ⇒ `Object` (readonly)

Returns the value of attribute credentials.



57
58
59

# File 'lib/dependabot/github_actions/package/package_details_fetcher.rb', line 57

def credentials
  @credentials
end

#dependency ⇒ `Object` (readonly)

Returns the value of attribute dependency.



54
55
56

# File 'lib/dependabot/github_actions/package/package_details_fetcher.rb', line 54

def dependency
  @dependency
end

#ignored_versions ⇒ `Object` (readonly)

Returns the value of attribute ignored_versions.



60
61
62

# File 'lib/dependabot/github_actions/package/package_details_fetcher.rb', line 60

def ignored_versions
  @ignored_versions
end

#raise_on_ignored ⇒ `Object` (readonly)

Returns the value of attribute raise_on_ignored.



63
64
65

# File 'lib/dependabot/github_actions/package/package_details_fetcher.rb', line 63

def raise_on_ignored
  @raise_on_ignored
end

#security_advisories ⇒ `Object` (readonly)

Returns the value of attribute security_advisories.



66
67
68

# File 'lib/dependabot/github_actions/package/package_details_fetcher.rb', line 66

def security_advisories
  @security_advisories
end

Instance Method Details

#allowed_version_tags_with_release_dates ⇒ `Object`

# File 'lib/dependabot/github_actions/package/package_details_fetcher.rb', line 159

def allowed_version_tags_with_release_dates
  allowed_version_tags_hashes = git_commit_checker.local_tags_for_allowed_versions
  tag_to_release_date = T.let({}, T::Hash[String, T.nilable(String)])

  # Build a map of tag names to release dates for quick lookup
  fetch_tag_and_release_date.each do |git_tag_with_detail|
    tag_to_release_date[git_tag_with_detail.tag] = git_tag_with_detail.release_date
  end

  # Combine version info with release dates and sort by version descending
  result = allowed_version_tags_hashes.map do |tag_hash|
    tag_name = tag_hash.fetch(:tag)
    tag_hash.merge(
      release_date: tag_to_release_date[tag_name]
    )
  end

  # Sort by version descending (newest first)
  result.sort_by { |tag_hash| tag_hash.fetch(:version) }.reverse
end

#fetch_tag_and_release_date ⇒ `Object`

# File 'lib/dependabot/github_actions/package/package_details_fetcher.rb', line 133

def fetch_tag_and_release_date
  allowed_version_tags = git_commit_checker.allowed_version_tags
  allowed_tag_names = Set.new(allowed_version_tags.map(&:name))

  # Use the shared GitCommitChecker#refs_for_tag_with_detail to fetch all tags
  # with release dates in a single clone (instead of one clone per tag)
  all_refs_with_detail = git_commit_checker.refs_for_tag_with_detail

  result = all_refs_with_detail.select do |ref|
    allowed_tag_names.include?(ref.tag)
  end

  # Log an error if we couldn't fetch any release dates
  if result.empty? && allowed_version_tags.any?
    Dependabot.logger.error("Error fetching tag and release date: unable to fetch for allowed tags")
  end

  result
rescue StandardError => e
  Dependabot.logger.error("Error fetching tag and release date: #{e.message}")
  []
end

#latest_version_tag ⇒ `Object`

# File 'lib/dependabot/github_actions/package/package_details_fetcher.rb', line 118

def latest_version_tag
  @latest_version_tag ||= T.let(
    begin
      return git_commit_checker.local_tag_for_latest_version if dependency.version.nil?

      ref = git_commit_checker.local_ref_for_latest_version_matching_existing_precision
      return ref if ref && ref.fetch(:version) > current_version

      git_commit_checker.local_ref_for_latest_version_lower_precision
    end,
    T.nilable(T::Hash[Symbol, T.untyped])
  )
end

#lowest_security_fix_version_tag ⇒ `Object`

# File 'lib/dependabot/github_actions/package/package_details_fetcher.rb', line 98

def lowest_security_fix_version_tag
  # TODO: Support Docker sources
  return unless git_dependency?

  @lowest_security_fix_version_tag ||= T.let(
    begin
      tags_matching_precision = git_commit_checker.local_tags_for_allowed_versions_matching_existing_precision
      lowest_fixed_version = find_lowest_secure_version(tags_matching_precision)
      if lowest_fixed_version
        lowest_fixed_version
      else
        tags = git_commit_checker.local_tags_for_allowed_versions
        find_lowest_secure_version(tags)
      end
    end,
    T.nilable(T::Hash[Symbol, String])
  )
end

#release_list_for_git_dependency ⇒ `Object`

# File 'lib/dependabot/github_actions/package/package_details_fetcher.rb', line 70

def release_list_for_git_dependency
  # TODO: Support Docker sources
  return unless git_dependency?
  return current_commit unless git_commit_checker.pinned?

  # If the dependency is pinned to a tag that looks like a version then
  # we want to update that tag.
  if git_commit_checker.pinned_ref_looks_like_version? && latest_version_tag
    latest_version = latest_version_tag&.fetch(:version)
    return current_version if shortened_semver_eq?(dependency.version, latest_version.to_s)

    return latest_version
  end

  if git_commit_checker.pinned_ref_looks_like_commit_sha? && latest_version_tag
    latest_version = latest_version_tag&.fetch(:version)
    return latest_commit_for_pinned_ref unless git_commit_checker.local_tag_for_pinned_sha

    return latest_version
  end

  # If the dependency is pinned to a tag that doesn't look like a
  # version or a commit SHA then there's nothing we can do.
  nil
end

Class: Dependabot::GithubActions::Package::PackageDetailsFetcher

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(dependency:, credentials:, ignored_versions: [], raise_on_ignored: false, security_advisories: []) ⇒ PackageDetailsFetcher

Instance Attribute Details

#credentials ⇒ Object (readonly)

#dependency ⇒ Object (readonly)

#ignored_versions ⇒ Object (readonly)

#raise_on_ignored ⇒ Object (readonly)

#security_advisories ⇒ Object (readonly)