Merge branch 'main' into harry/add-support-callable-workflows

Author: thavaahariharangit

.github/copilot-instructions.md

@@ -159,15 +159,65 @@ bundle exec srb tc path/to/file.rb
 bundle exec srb tc -a path/to/file.rb
 ```
 
-**Important**: Sorbet's autocorrect feature (`-a` flag) should be used cautiously as it can cause more issues than it resolves. Only use autocorrect when you have high confidence that the changes will not break code functionality. 
+**Important**: Sorbet's autocorrect feature (`-a` flag) should be used cautiously as it can cause more issues than it resolves. Only use autocorrect when you have high confidence that the changes will not break code functionality.
 
 Autocorrect can handle some simple cases like:
-- Adding missing `override.` annotations for method overrides  
+- Adding missing `override.` annotations for method overrides
 - Adding `T.let` declarations for instance variables in strict-typed files
 - Adding type annotations for constants
 
 However, autocorrect often creates incorrect fixes for complex type mismatches, method signature issues, and structural problems. **Always manually resolve Sorbet errors** rather than relying on autocorrect, and carefully review any autocorrected changes to ensure they maintain code correctness and intent.
 
+### Code Comments and Documentation
+
+**Prioritize self-documenting code over comments**. Write clear, intention-revealing code with descriptive method and variable names that eliminate the need for explanatory comments.
+
+**When to use comments**:
+- **Business logic context**: Explain *why* something is done when the reason isn't obvious from the code
+- **Complex algorithms**: Document the approach or mathematical concepts
+- **Workarounds**: Explain why a non-obvious solution was necessary
+- **External constraints**: Document API limitations, system requirements, or ecosystem-specific behaviors
+- **TODO/FIXME**: Temporary markers for future improvements (with issue references when possible)
+
+**Avoid these comment types**:
+- **Implementation decisions**: Don't explain what was *not* implemented or alternative approaches considered
+- **Obvious code explanations**: Don't restate what the code clearly does
+- **Apologies or justifications**: Comments defending coding choices suggest code quality issues
+- **Outdated information**: Remove comments that no longer apply to current implementation
+- **Version history**: Use git history instead of inline change logs
+
+**Comment style guidelines**:
+```ruby
+# Good: Explains WHY, adds business context
+# Retry failed requests up to 3 times due to GitHub API rate limiting
+retry_count = 3
+
+# Bad: Explains WHAT the code does (obvious from code)
+# Set retry count to 3
+retry_count = 3
+
+# Good: Documents external constraint
+# GitHub API requires User-Agent header or returns 403
+headers['User-Agent'] = 'Dependabot/1.0'
+
+# Bad: Implementation decision discussion
+# We decided not to cache this because it would complicate the code
+# and other ecosystems don't do caching here either
+response = fetch_data(url)
+```
+
+**Prefer code refactoring over explanatory comments**:
+```ruby
+# Instead of commenting complex logic:
+# Calculate the SHA256 of downloaded file for security verification
+digest = Digest::SHA256.hexdigest(response.body)
+
+# Extract to a well-named method:
+def calculate_security_checksum(content)
+  Digest::SHA256.hexdigest(content)
+end
+```
+
 ### Native Helpers
 
 Many ecosystems use native language helpers (Go, Node.js, Python) located in `{ecosystem}/helpers/`. These helpers run exclusively within containers and changes require rebuilding:
@@ -263,6 +313,62 @@ bin/dry-run.rb {ecosystem} {repo} --profile
 
 When implementing new ecosystems or modifying existing ones, always ensure the 7 core classes are implemented and follow the established inheritance patterns from `dependabot-common`.
 
+## Core Class Structure Pattern
+
+**CRITICAL**: All Dependabot core classes with nested helper classes must follow the exact pattern to avoid "superclass mismatch" errors. This pattern is used consistently across all established ecosystems (bundler, npm_and_yarn, go_modules, etc.).
+
+### Main Class Structure (applies to FileFetcher, FileParser, FileUpdater, UpdateChecker, etc.)
+```ruby
+# {ecosystem}/lib/dependabot/{ecosystem}/file_updater.rb (or file_fetcher.rb, file_parser.rb, etc.)
+require "dependabot/file_updaters"
+require "dependabot/file_updaters/base"
+
+module Dependabot
+  module {Ecosystem}
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      # require_relative statements go INSIDE the class
+      require_relative "file_updater/helper_class"
+
+      # Main logic here...
+    end
+  end
+end
+
+Dependabot::FileUpdaters.register("{ecosystem}", Dependabot::{Ecosystem}::FileUpdater)
+```
+
+### Helper Class Structure
+```ruby
+# {ecosystem}/lib/dependabot/{ecosystem}/file_updater/helper_class.rb
+require "dependabot/{ecosystem}/file_updater"
+
+module Dependabot
+  module {Ecosystem}
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      class HelperClass
+        # Helper logic nested INSIDE the main class
+      end
+    end
+  end
+end
+```
+
+### Key Rules:
+1. **Main classes** inherit from appropriate base: `Dependabot::FileUpdaters::Base`, `Dependabot::FileFetchers::Base`, etc.
+2. **Helper classes** are nested inside the main class
+3. **require_relative** statements go INSIDE the main class, not at module level
+4. **Helper classes require the main file** first: `require "dependabot/{ecosystem}/file_updater"`
+5. **Never define multiple top-level classes** with same name in the same namespace
+6. **Backward compatibility** can use static methods that delegate to instance methods
+
+### Applies To:
+- **FileFetcher** and its helpers (e.g., `FileFetcher::GitCommitChecker`)
+- **FileParser** and its helpers (e.g., `FileParser::ManifestParser`)
+- **FileUpdater** and its helpers (e.g., `FileUpdater::LockfileUpdater`)
+- **UpdateChecker** and its helpers (e.g., `UpdateChecker::VersionResolver`)
+- **MetadataFinder** and its helpers
+- **Version** and **Requirement** classes (if they have nested classes)
+
 ## Adding New Ecosystems
 
 If you are adding a new ecosystem, follow the detailed guide in `./NEW_ECOSYSTEMS.md` which provides step-by-step instructions for implementing a new package manager ecosystem.

bazel/lib/dependabot/bazel.rb

@@ -3,12 +3,13 @@
 
 # These all need to be required so the various classes can be registered in a
 # lookup table of package manager names to concrete classes.
-require "dependabot/bazel/language"
-require "dependabot/bazel/package_manager"
 require "dependabot/bazel/file_fetcher"
 require "dependabot/bazel/file_parser"
 require "dependabot/bazel/update_checker"
 require "dependabot/bazel/file_updater"
+
+require "dependabot/bazel/language"
+require "dependabot/bazel/package_manager"
 require "dependabot/bazel/metadata_finder"
 require "dependabot/bazel/version"
 require "dependabot/bazel/requirement"

common/lib/dependabot/dependency_graphers/base.rb

@@ -31,13 +31,17 @@ class Base
       sig { returns(T::Boolean) }
       attr_reader :prepared
 
+      sig { returns(T::Boolean) }
+      attr_reader :errored_fetching_subdependencies
+
       sig do
         params(file_parser: Dependabot::FileParsers::Base).void
       end
       def initialize(file_parser:)
         @file_parser = file_parser
         @dependencies = T.let([], T::Array[Dependabot::Dependency])
         @prepared = T.let(false, T::Boolean)
+        @errored_fetching_subdependencies = T.let(false, T::Boolean)
       end
 
       # Each grapher must implement a heuristic to determine which dependency file should be used as the owner
@@ -65,7 +69,7 @@ def resolved_dependencies
             package_url: build_purl(dep),
             direct: dep.top_level?,
             runtime: dep.production?,
-            dependencies: fetch_subdependencies(dep)
+            dependencies: safe_fetch_subdependencies(dep)
           )
         end
       end
@@ -80,6 +84,17 @@ def dependency_files
         file_parser.dependency_files
       end
 
+      sig { params(dependency: Dependabot::Dependency).returns(T::Array[String]) }
+      def safe_fetch_subdependencies(dependency)
+        return [] if @errored_fetching_subdependencies
+
+        fetch_subdependencies(dependency)
+      rescue StandardError => e
+        @errored_fetching_subdependencies = true
+        Dependabot.logger.error("Error fetching subdependencies: #{e.message}")
+        []
+      end
+
       # Each grapher is expected to implement a method to look up the parents of a given dependency.
       #
       # The strategy that should be used is highly dependent on the ecosystem, in some cases the parser

common/lib/dependabot/file_updaters/base.rb

@@ -4,6 +4,7 @@
 require "sorbet-runtime"
 
 require "dependabot/credential"
+require "dependabot/notices"
 
 module Dependabot
   module FileUpdaters
@@ -52,6 +53,11 @@ def updated_dependency_files
         raise NotImplementedError
       end
 
+      sig { overridable.returns(T::Array[Dependabot::Notice]) }
+      def notices
+        []
+      end
+
       private
 
       sig { overridable.void }

gradle/lib/dependabot/gradle/distributions.rb

@@ -0,0 +1,20 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Dependabot
+  module Gradle
+    module Distributions
+      extend T::Sig
+
+      DISTRIBUTION_REPOSITORY_URL = "https://services.gradle.org"
+      DISTRIBUTION_DEPENDENCY_TYPE = "gradle-distribution"
+
+      sig { params(requirements: T::Array[T::Hash[Symbol, T.untyped]]).returns(T::Boolean) }
+      def self.distribution_requirements?(requirements)
+        requirements.any? do |req|
+          req.dig(:source, :type) == DISTRIBUTION_DEPENDENCY_TYPE
+        end
+      end
+    end
+  end
+end

gradle/lib/dependabot/gradle/file_fetcher.rb

@@ -24,6 +24,13 @@ class FileFetcher < Dependabot::FileFetchers::Base
       SUPPORTED_SETTINGS_FILE_NAMES =
         T.let(%w(settings.gradle settings.gradle.kts).freeze, T::Array[String])
 
+      SUPPORTED_WRAPPER_FILES_PATH = %w(
+        gradlew
+        gradlew.bat
+        gradle/wrapper/gradle-wrapper.jar
+        gradle/wrapper/gradle-wrapper.properties
+      ).freeze
+
       # For now Gradle only supports library .toml files in the main gradle folder
       SUPPORTED_VERSION_CATALOG_FILE_PATH =
         T.let(%w(/gradle/libs.versions.toml).freeze, T::Array[String])
@@ -76,6 +83,7 @@ def fetch_files
       def all_buildfiles_in_build(root_dir)
         files = [buildfile(root_dir), settings_file(root_dir), version_catalog_file(root_dir), lockfile(root_dir)]
                 .compact
+        files += wrapper_files(root_dir)
         files += subproject_buildfiles(root_dir)
         files += subproject_lockfiles(root_dir)
         files += dependency_script_plugins(root_dir)
@@ -172,6 +180,25 @@ def subproject_buildfiles(root_dir)
         end
       end
 
+      sig { params(dir: String).returns(T::Array[DependencyFile]) }
+      def wrapper_files(dir)
+        return [] unless Experiments.enabled?(:gradle_wrapper_updater)
+
+        SUPPORTED_WRAPPER_FILES_PATH.filter_map do |filename|
+          file = fetch_file_if_present(File.join(dir, filename))
+          next unless file
+
+          if file.name.end_with?(".jar")
+            file.content = Base64.encode64(T.must(file.content)) if file.content
+            file.content_encoding = DependencyFile::ContentEncoding::BASE64
+          end
+          file
+        rescue Dependabot::DependencyFileNotFound
+          # Gradle itself doesn't worry about missing subprojects, so we don't
+          nil
+        end
+      end
+
       sig { params(root_dir: String).returns(T.nilable(DependencyFile)) }
       def version_catalog_file(root_dir)
         return nil unless root_dir == "."

gradle/lib/dependabot/gradle/file_parser.rb

@@ -25,6 +25,7 @@ class FileParser < Dependabot::FileParsers::Base # rubocop:disable Metrics/Class
       extend T::Sig
 
       require "dependabot/file_parsers/base/dependency_set"
+      require_relative "file_parser/distributions_finder"
       require_relative "file_parser/property_value_finder"
 
       SUPPORTED_BUILD_FILE_NAMES = T.let(
@@ -59,6 +60,11 @@ def parse
         script_plugin_files.each do |plugin_file|
           dependency_set += buildfile_dependencies(plugin_file)
         end
+        if Experiments.enabled?(:gradle_wrapper_updater)
+          wrapper_properties_file.each do |properties_file|
+            dependency_set += wrapper_properties_dependencies(properties_file)
+          end
+        end
         version_catalog_file.each do |toml_file|
           dependency_set += version_catalog_dependencies(toml_file)
         end
@@ -119,6 +125,14 @@ def language
         )
       end
 
+      sig { params(properties_file: Dependabot::DependencyFile).returns(DependencySet) }
+      def wrapper_properties_dependencies(properties_file)
+        dependency_set = DependencySet.new
+        dependency = DistributionsFinder.resolve_dependency(properties_file)
+        dependency_set << dependency if dependency
+        dependency_set
+      end
+
       sig { params(toml_file: Dependabot::DependencyFile).returns(DependencySet) }
       def version_catalog_dependencies(toml_file)
         dependency_set = DependencySet.new
@@ -544,6 +558,14 @@ def buildfiles
         )
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def wrapper_properties_file
+        @wrapper_properties_file ||= T.let(
+          dependency_files.select { |f| f.name.end_with?("gradle-wrapper.properties") },
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
+      end
+
       sig { returns(T::Array[Dependabot::DependencyFile]) }
       def version_catalog_file
         @version_catalog_file ||= T.let(