Merge branch 'main' into add-bazel-lockfile

Author: markhallen

bazel/lib/dependabot/bazel/file_fetcher.rb

@@ -11,7 +11,7 @@ class FileFetcher < Dependabot::FileFetchers::Base
 
       WORKSPACE_FILES = T.let(%w(WORKSPACE WORKSPACE.bazel).freeze, T::Array[String])
       MODULE_FILES = T.let(%w(MODULE.bazel).freeze, T::Array[String])
-      CONFIG_FILES = T.let(%w(.bazelrc MODULE.bazel.lock).freeze, T::Array[String])
+      CONFIG_FILES = T.let(%w(.bazelrc MODULE.bazel.lock .bazelversion maven_install.json).freeze, T::Array[String])
       SKIP_DIRECTORIES = T.let(%w(.git .bazel-* bazel-* node_modules .github).freeze, T::Array[String])
 
       sig { override.returns(String) }
@@ -86,14 +86,11 @@ def module_files
       def config_files
         files = T.let([], T::Array[DependencyFile])
 
-        CONFIG_FILES.each do |filename|
+        CONFIG_FILES.map do |filename|
           file = fetch_file_if_present(filename)
           files << file if file
         end
 
-        bazelversion = fetch_file_if_present(".bazelversion")
-        files << bazelversion if bazelversion
-
         files
       end
 

bazel/spec/dependabot/bazel/file_fetcher_spec.rb

@@ -113,6 +113,29 @@
       it "fetches the MODULE.bazel file" do
         expect(fetched_files.map(&:name)).to include("MODULE.bazel")
       end
+
+      context "with a maven_install.json file" do
+        before do
+          stub_request(:get, url + "?ref=sha")
+            .to_return(
+              status: 200,
+              body: fixture("github", "contents_bazel_with_maven_install.json"),
+              headers: { "content-type" => "application/json" }
+            )
+
+          stub_request(:get, url + "maven_install.json?ref=sha")
+            .to_return(
+              status: 200,
+              body: fixture("github", "contents_bazel_maven_install.json"),
+              headers: { "content-type" => "application/json" }
+            )
+        end
+
+        it "includes maven_install.json" do
+          puts "files: #{fetched_files.map(&:name)}"
+          expect(fetched_files.map(&:name)).to include("maven_install.json")
+        end
+      end
     end
 
     context "when beta ecosystems are not allowed" do

bazel/spec/fixtures/github/contents_bazel_maven_install.json

@@ -0,0 +1,13 @@
+{
+  "name": "maven_install.json",
+  "path": "maven_install.json",
+  "sha": "abc123",
+  "size": 1234,
+  "url": "https://api.github.com/repos/example/repo/contents/maven_install.json?ref=sha",
+  "html_url": "https://github.com/example/repo/blob/sha/maven_install.json",
+  "git_url": "https://api.github.com/repos/example/repo/git/blobs/abc123",
+  "download_url": "https://raw.githubusercontent.com/example/repo/sha/maven_install.json",
+  "type": "file",
+  "content": "bW9kdWxlKG5hbWUgPSAiZXhhbXBsZSIsIHZlcnNpb24gPSAiMS4wLjAiKQ==\n",
+  "encoding": "base64"
+}

bazel/spec/fixtures/github/contents_bazel_with_maven_install.json

@@ -0,0 +1,28 @@
+[
+  {
+    "name": "MODULE.bazel",
+    "path": "MODULE.bazel",
+    "sha": "abc123",
+    "size": 1234,
+    "url": "https://api.github.com/repos/example/repo/contents/MODULE.bazel?ref=sha",
+    "html_url": "https://github.com/example/repo/blob/sha/MODULE.bazel",
+    "git_url": "https://api.github.com/repos/example/repo/git/blobs/abc123",
+    "download_url": "https://raw.githubusercontent.com/example/repo/sha/MODULE.bazel",
+    "type": "file",
+    "content": "bW9kdWxlKG5hbWUgPSAiZXhhbXBsZSIsIHZlcnNpb24gPSAiMS4wLjAiKQ==\n",
+    "encoding": "base64"
+  },
+  {
+    "name": "maven_install.json",
+    "path": "maven_install.json",
+    "sha": "abc123",
+    "size": 1234,
+    "url": "https://api.github.com/repos/example/repo/contents/maven_install.json?ref=sha",
+    "html_url": "https://github.com/example/repo/blob/sha/maven_install.json",
+    "git_url": "https://api.github.com/repos/example/repo/git/blobs/abc123",
+    "download_url": "https://raw.githubusercontent.com/example/repo/sha/maven_install.json",
+    "type": "file",
+    "content": "bW9kdWxlKG5hbWUgPSAiZXhhbXBsZSIsIHZlcnNpb24gPSAiMS4wLjAiKQ==\n",
+    "encoding": "base64"
+  }
+]

bun/Dockerfile

@@ -3,64 +3,37 @@ FROM ghcr.io/dependabot/dependabot-updater-core
 # Check for updates at https://github.com/nodejs/corepack/releases
 ARG COREPACK_VERSION=0.33.0
 
-# Check for updates at https://github.com/pnpm/pnpm/releases
-ARG PNPM_VERSION=9.15.5
-
-# Check for updates at https://github.com/yarnpkg/berry/releases
-ARG YARN_VERSION=4.5.3
-
 # Check for updates at https://github.com/oven-sh/bun/releases
 ARG BUN_VERSION=1.2.5
 
 # See https://github.com/nodesource/distributions#installation-instructions
 ARG NODEJS_VERSION=20
 
-# Check for updates at https://github.com/npm/cli/releases
-# This version should be compatible with the Node.js version declared above. See https://nodejs.org/en/download/releases as well
-# TODO: Upgrade to 9.6.7 depending on the outcome of https://github.com/npm/cli/issues/6742
-ARG NPM_VERSION=9.6.5
-
-# Install Node and npm
+# Install Node and bun
 RUN mkdir -p /etc/apt/keyrings \
   && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
   && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODEJS_VERSION}.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list \
   && apt-get update \
   && apt-get install -y --no-install-recommends \
   nodejs \
   && rm -rf /var/lib/apt/lists/* \
-  && npm install -g corepack@$COREPACK_VERSION \
   && npm install -g corepack@$COREPACK_VERSION bun@$BUN_VERSION \
   && rm -rf ~/.npm
 
 USER dependabot
 
-# Install pnpm and set it to a stable version
-RUN corepack install pnpm@$PNPM_VERSION --global
-
-# Install yarn berry and set it to a stable version
-RUN corepack install yarn@$YARN_VERSION --global
-
-# Install npm and set it to a stable version
-RUN corepack install npm@$NPM_VERSION --global
-
 ENV DEPENDABOT_NATIVE_HELPERS_PATH="/opt"
 COPY --chown=dependabot:dependabot bun/helpers /opt/bun/helpers
 RUN bash /opt/bun/helpers/build
 
-# START: HACKY WORKAROUND FOR NPM GIT INSTALLS SPAWNING CHILD PROCESS
-
-# TODO: Remove these hacks once we've deprecated npm 6 support as it no longer
-# spawns a child process to npm install git dependencies.
-
 # Create the config file manually instead of using yarn/npm config set as this
 # executes the package manager outputs to every job log
-COPY --chown=dependabot:dependabot updater/config/.yarnrc updater/config/.npmrc $DEPENDABOT_HOME/
+# This is here because bun supports .npmrc as well. See https://bun.com/docs/pm/npmrc#npmrc-support
+COPY --chown=dependabot:dependabot updater/config/.npmrc $DEPENDABOT_HOME/
 
-# For Yarn Berry we can set this via an environment variable
+# Configure Node to use our custom CA bundle
 ENV NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
 
-# END: HACKY WORKAROUND FOR NPM GIT INSTALLS SPAWNING CHILD PROCESS
-
 COPY --chown=dependabot:dependabot bun $DEPENDABOT_HOME/bun
 COPY --chown=dependabot:dependabot common $DEPENDABOT_HOME/common
 COPY --chown=dependabot:dependabot updater $DEPENDABOT_HOME/dependabot-updater

github_actions/lib/dependabot/github_actions/constants.rb

@@ -35,6 +35,7 @@ module GithubActions
 
     OWNER_KEY = T.let("owner", String)
     REPO_KEY = T.let("repo", String)
+    PATH_KEY = T.let("path", String)
     REF_KEY = T.let("ref", String)
     USES_KEY = T.let("uses", String)
     STEPS_KEY = T.let("steps", String)

github_actions/lib/dependabot/github_actions/file_parser.rb

@@ -112,9 +112,19 @@ def build_github_dependency(file, string)
       def github_dependency(file, string, hostname)
         details = T.must(string.match(GITHUB_REPO_REFERENCE)).named_captures
         repo_name = "#{details.fetch(OWNER_KEY)}/#{details.fetch(REPO_KEY)}"
+        path = details[PATH_KEY]
         ref = details.fetch(REF_KEY)
         version = version_class.new(ref).to_s if version_class.correct?(ref)
-        name = version_class.path_based?(ref) ? string : repo_name
+
+        # For reusable workflows (.github/workflows/*.yml), use the repository name + workflow path
+        # to distinguish between different workflow files in the same repository
+        name = if path&.match?(%r{/\.github/workflows/.*\.ya?ml$})
+                 "#{repo_name}#{path}"
+               elsif version_class.path_based?(ref)
+                 string
+               else
+                 repo_name
+               end
         Dependency.new(
           name: name,
           version: version,

github_actions/spec/dependabot/github_actions/file_parser_spec.rb

@@ -214,7 +214,7 @@ def mock_service_pack_request(nwo)
 
       it "has the right details" do
         expect(dependency).to be_a(Dependabot::Dependency)
-        expect(dependency.name).to eq("actions/checkout")
+        expect(dependency.name).to eq("actions/checkout/.github/workflows/test.yml")
         expect(dependency.version).to eq("2.1.0")
         expect(dependency.requirements).to eq(expected_requirements)
       end
@@ -228,6 +228,123 @@ def mock_service_pack_request(nwo)
       end
     end
 
+    describe "with multiple reusable workflows from the same repository" do
+      let(:workflow_file_fixture_name) { "workflow_multiple_reusable_workflows.yml" }
+
+      before do
+        mock_service_pack_request("dsp-testing/github-action-with-multiple-reusable-workflow-10619")
+      end
+
+      its(:length) { is_expected.to eq(2) }
+
+      describe "the first dependency (action-one.yml)" do
+        subject(:dependency) { dependencies.first }
+
+        let(:expected_requirements) do
+          [{
+            requirement: nil,
+            groups: [],
+            file: ".github/workflows/workflow.yml",
+            source: {
+              type: "git",
+              url: "https://github.com/dsp-testing/github-action-with-multiple-reusable-workflow-10619",
+              ref: "v1.0.0",
+              branch: nil
+            },
+            metadata: {
+              declaration_string: "dsp-testing/github-action-with-multiple-reusable-workflow-10619" \
+                                  "/.github/workflows/action-one.yml@v1.0.0"
+            }
+          }]
+        end
+
+        it "has the right details" do
+          expect(dependency).to be_a(Dependabot::Dependency)
+          expect(dependency.name).to eq(
+            "dsp-testing/github-action-with-multiple-reusable-workflow-10619" \
+            "/.github/workflows/action-one.yml"
+          )
+          expect(dependency.version).to eq("1.0.0")
+          expect(dependency.requirements).to eq(expected_requirements)
+        end
+      end
+
+      describe "the second dependency (action-two.yml)" do
+        subject(:dependency) { dependencies.last }
+
+        let(:expected_requirements) do
+          [{
+            requirement: nil,
+            groups: [],
+            file: ".github/workflows/workflow.yml",
+            source: {
+              type: "git",
+              url: "https://github.com/dsp-testing/github-action-with-multiple-reusable-workflow-10619",
+              ref: "v1.0.0",
+              branch: nil
+            },
+            metadata: {
+              declaration_string: "dsp-testing/github-action-with-multiple-reusable-workflow-10619" \
+                                  "/.github/workflows/action-two.yml@v1.0.0"
+            }
+          }]
+        end
+
+        it "has the right details" do
+          expect(dependency).to be_a(Dependabot::Dependency)
+          expect(dependency.name).to eq(
+            "dsp-testing/github-action-with-multiple-reusable-workflow-10619" \
+            "/.github/workflows/action-two.yml"
+          )
+          expect(dependency.version).to eq("1.0.0")
+          expect(dependency.requirements).to eq(expected_requirements)
+        end
+      end
+    end
+
+    describe "with reusable workflow using .yaml extension" do
+      let(:workflow_file_fixture_name) { "workflow_reusable_yaml_extension.yml" }
+
+      before do
+        mock_service_pack_request("dsp-testing/github-action-with-yaml-extension")
+      end
+
+      its(:length) { is_expected.to eq(1) }
+
+      describe "the dependency with .yaml extension" do
+        subject(:dependency) { dependencies.first }
+
+        let(:expected_requirements) do
+          [{
+            requirement: nil,
+            groups: [],
+            file: ".github/workflows/workflow.yml",
+            source: {
+              type: "git",
+              url: "https://github.com/dsp-testing/github-action-with-yaml-extension",
+              ref: "v1.0.0",
+              branch: nil
+            },
+            metadata: {
+              declaration_string:
+                "dsp-testing/github-action-with-yaml-extension" \
+                "/.github/workflows/action-test.yaml@v1.0.0"
+            }
+          }]
+        end
+
+        it "has the right details" do
+          expect(dependency).to be_a(Dependabot::Dependency)
+          expect(dependency.name).to eq(
+            "dsp-testing/github-action-with-yaml-extension" \
+            "/.github/workflows/action-test.yaml"
+          )
+          expect(dependency.version).to eq("1.0.0")
+          expect(dependency.requirements).to eq(expected_requirements)
+        end
+      end
+    end
+
     describe "with composite actions" do
       let(:workflow_file_fixture_name) { "composite_action.yml" }
       let(:workflow_files) do
@@ -410,7 +527,7 @@ def mock_service_pack_request(nwo)
 
         it "has the right details" do
           expect(dependency).to be_a(Dependabot::Dependency)
-          expect(dependency.name).to eq("actions/checkout")
+          expect(dependency.name).to eq("actions/checkout/.github/workflows/test.yml")
           expect(dependency.version).to eq("2.1.0")
           expect(dependency.requirements).to eq(expected_requirements)
         end

github_actions/spec/fixtures/workflow_files/workflow_multiple_reusable_workflows.yml

@@ -0,0 +1,9 @@
+on:
+  pull_request:
+
+jobs:
+  test-action-one:
+    uses: dsp-testing/github-action-with-multiple-reusable-workflow-10619/.github/workflows/action-one.yml@v1.0.0
+  
+  test-action-two:
+    uses: dsp-testing/github-action-with-multiple-reusable-workflow-10619/.github/workflows/action-two.yml@v1.0.0

github_actions/spec/fixtures/workflow_files/workflow_reusable_yaml_extension.yml

@@ -0,0 +1,6 @@
+on:
+  pull_request:
+
+jobs:
+  test-yaml-workflow:
+    uses: dsp-testing/github-action-with-yaml-extension/.github/workflows/action-test.yaml@v1.0.0