Skip to content

Commit

Permalink
Merge pull request #396 from dependabot/nishnha/grouped-updates-support
Browse files Browse the repository at this point in the history
Support for Grouped Updates
  • Loading branch information
Nishnha authored Jun 27, 2023
2 parents 73e8a46 + 11c0ea4 commit 62c4c8d
Show file tree
Hide file tree
Showing 7 changed files with 187 additions and 3 deletions.
2 changes: 2 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,8 @@ Subsequent actions will have access to the following outputs:
- If this PR has a known compatibility score and `compat-lookup` is `true`, this contains the compatibility score (otherwise it contains 0).
- `steps.dependabot-metadata.outputs.maintainer-changes`
- Whether or not the the body of this PR contains the phrase "Maintainer changes" which is an indicator of whether or not any maintainers have changed.
- `steps.dependabot-metadata.outputs.dependency-group`
- The dependency group that the PR is associated with (otherwise it is an empty string).

**Note:** By default, these outputs will only be populated if the target Pull Request was opened by Dependabot and contains
**only** Dependabot-created commits. To override, see `skip-commit-verification` / `skip-verification`.
Expand Down
9 changes: 7 additions & 2 deletions dist/index.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 2 additions & 0 deletions src/dependabot/output.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ const baseDependency = {
newVersion: '',
compatScore: 0,
maintainerChanges: false,
dependencyGroup: '',
alertState: '',
ghsaId: '',
cvss: 0
Expand All @@ -38,6 +39,7 @@ test('when given a single dependency it sets its values', async () => {
newVersion: '1.1.3-beta',
compatScore: 43,
maintainerChanges: true,
dependencyGroup: '',
alertState: 'FIXED',
ghsaId: 'VERY_LONG_ID',
cvss: 4.6
Expand Down
3 changes: 3 additions & 0 deletions src/dependabot/output.ts
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ export function set (updatedDependencies: Array<updatedDependency>): void {
const newVersion = firstDependency?.newVersion
const compatScore = firstDependency?.compatScore
const maintainerChanges = firstDependency?.maintainerChanges
const dependencyGroup = firstDependency?.dependencyGroup
const alertState = firstDependency?.alertState
const ghsaId = firstDependency?.ghsaId
const cvss = firstDependency?.cvss
Expand All @@ -43,6 +44,7 @@ export function set (updatedDependencies: Array<updatedDependency>): void {
core.info(`outputs.new-version: ${newVersion}`)
core.info(`outputs.compatibility-score: ${compatScore}`)
core.info(`outputs.maintainer-changes: ${maintainerChanges}`)
core.info(`outputs.dependency-group: ${dependencyGroup}`)
core.info(`outputs.alert-state: ${alertState}`)
core.info(`outputs.ghsa-id: ${ghsaId}`)
core.info(`outputs.cvss: ${cvss}`)
Expand All @@ -59,6 +61,7 @@ export function set (updatedDependencies: Array<updatedDependency>): void {
core.setOutput('new-version', newVersion)
core.setOutput('compatibility-score', compatScore)
core.setOutput('maintainer-changes', maintainerChanges)
core.setOutput('dependency-group', dependencyGroup)
core.setOutput('alert-state', alertState)
core.setOutput('ghsa-id', ghsaId)
core.setOutput('cvss', cvss)
Expand Down
50 changes: 50 additions & 0 deletions src/dependabot/update_metadata.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@ test('it returns the updated dependency information when there is a yaml fragmen
expect(updatedDependencies[0].alertState).toEqual('DISMISSED')
expect(updatedDependencies[0].ghsaId).toEqual('GHSA-III-BBB')
expect(updatedDependencies[0].cvss).toEqual(4.6)
expect(updatedDependencies[0].dependencyGroup).toEqual('')
})

test('it supports multiple dependencies within a single fragment', async () => {
Expand Down Expand Up @@ -122,6 +123,8 @@ test('it supports multiple dependencies within a single fragment', async () => {
expect(updatedDependencies[0].alertState).toEqual('DISMISSED')
expect(updatedDependencies[0].ghsaId).toEqual('GHSA-III-BBB')
expect(updatedDependencies[0].cvss).toEqual(4.6)
expect(updatedDependencies[0].dependencyGroup).toEqual('')
expect(updatedDependencies[0].dependencyGroup).toEqual('')

expect(updatedDependencies[1].dependencyName).toEqual('coffeescript')
expect(updatedDependencies[1].dependencyType).toEqual('indirect')
Expand All @@ -135,6 +138,7 @@ test('it supports multiple dependencies within a single fragment', async () => {
expect(updatedDependencies[1].alertState).toEqual('')
expect(updatedDependencies[1].ghsaId).toEqual('')
expect(updatedDependencies[1].cvss).toEqual(0)
expect(updatedDependencies[1].dependencyGroup).toEqual('')
})

test('it returns the updated dependency information when there is a leading v in the commit message versions', async () => {
Expand Down Expand Up @@ -170,6 +174,50 @@ test('it returns the updated dependency information when there is a leading v in
expect(updatedDependencies[0].alertState).toEqual('DISMISSED')
expect(updatedDependencies[0].ghsaId).toEqual('GHSA-III-BBB')
expect(updatedDependencies[0].cvss).toEqual(4.6)
expect(updatedDependencies[0].dependencyGroup).toEqual('')
})

test('it supports returning information about grouped updates', async () => {
const commitMessage =
'Bumps the docker group with 3 updates: [github.com/docker/cli](https://github.com/docker/cli), [github.com/docker/docker](https://github.com/docker/docker) and [github.com/moby/moby](https://github.com/moby/moby).\n' +
'\n' +
'Updates `github.com/docker/cli` from 24.0.1+incompatible to 24.0.2+incompatible\n' +
'- [Commits](docker/cli@v24.0.1...v24.0.2)\n' +
'\n' +
'Updates `github.com/docker/docker` from 24.0.1+incompatible to 24.0.2+incompatible\n' +
'- [Release notes](https://github.com/docker/docker/releases)\n' +
'- [Commits](moby/moby@v24.0.1...v24.0.2)\n' +
'\n' +
'Updates `github.com/moby/moby` from 24.0.1+incompatible to 24.0.2+incompatible\n' +
'- [Release notes](https://github.com/moby/moby/releases)\n' +
'- [Commits](moby/moby@v24.0.1...v24.0.2)\n' +
'\n' +
'---\n' +
'updated-dependencies:\n' +
'- dependency-name: github.com/docker/cli\n' +
' dependency-type: direct:production\n' +
' update-type: version-update:semver-patch\n' +
' dependency-group: docker\n' +
'- dependency-name: github.com/docker/docker\n' +
' dependency-type: direct:production\n' +
' update-type: version-update:semver-patch\n' +
' dependency-group: docker\n' +
'- dependency-name: github.com/moby/moby\n' +
' dependency-type: direct:production\n' +
' update-type: version-update:semver-patch\n' +
' dependency-group: docker\n' +
'...\n' +
'\n' +
'Signed-off-by: dependabot[bot] <support@github.com>\n'

const getAlert = async () => Promise.resolve({ alertState: 'DISMISSED', ghsaId: 'GHSA-III-BBB', cvss: 4.6 })
const getScore = async () => Promise.resolve(43)
const updatedDependencies = await updateMetadata.parse(commitMessage, '', 'dependabot/docker/gh-base-image/docker-1234566789', 'main', getAlert, getScore)

expect(updatedDependencies).toHaveLength(3)

expect(updatedDependencies[0].dependencyName).toEqual('github.com/docker/cli')
expect(updatedDependencies[0].dependencyGroup).toEqual('docker')
})

test('it only returns information within the first fragment if there are multiple yaml documents', async () => {
Expand Down Expand Up @@ -211,6 +259,7 @@ test('it only returns information within the first fragment if there are multipl
expect(updatedDependencies[0].alertState).toEqual('')
expect(updatedDependencies[0].ghsaId).toEqual('')
expect(updatedDependencies[0].cvss).toEqual(0)
expect(updatedDependencies[0].dependencyGroup).toEqual('')
})

test('it properly handles dependencies which contain slashes', async () => {
Expand Down Expand Up @@ -247,6 +296,7 @@ test('it properly handles dependencies which contain slashes', async () => {
expect(updatedDependencies[0].alertState).toEqual('')
expect(updatedDependencies[0].ghsaId).toEqual('')
expect(updatedDependencies[0].cvss).toEqual(0)
expect(updatedDependencies[0].dependencyGroup).toEqual('')
})

test('calculateUpdateType should handle all paths', () => {
Expand Down
6 changes: 5 additions & 1 deletion src/dependabot/update_metadata.ts
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,8 @@ export interface updatedDependency extends dependencyAlert {
prevVersion: string,
newVersion: string,
compatScore: number,
maintainerChanges: boolean
maintainerChanges: boolean,
dependencyGroup: string
}

export interface alertLookup {
Expand All @@ -31,6 +32,7 @@ export async function parse (commitMessage: string, body: string, branchName: st
const bumpFragment = commitMessage.match(/^Bumps .* from (?<from>v?\d[^ ]*) to (?<to>v?\d[^ ]*)\.$/m)
const updateFragment = commitMessage.match(/^Update .* requirement from \S*? ?(?<from>v?\d\S*) to \S*? ?(?<to>v?\d\S*)$/m)
const yamlFragment = commitMessage.match(/^-{3}\n(?<dependencies>[\S|\s]*?)\n^\.{3}\n/m)
const groupName = commitMessage.match(/dependency-group:\s(?<name>\S*)/m)
const newMaintainer = !!body.match(/Maintainer changes/m)
const lookupFn = lookup ?? (() => Promise.resolve({ alertState: '', ghsaId: '', cvss: 0 }))
const scoreFn = getScore ?? (() => Promise.resolve(0))
Expand All @@ -43,6 +45,7 @@ export async function parse (commitMessage: string, body: string, branchName: st
const chunks = branchName.split(delim)
const prev = bumpFragment?.groups?.from ?? (updateFragment?.groups?.from ?? '')
const next = bumpFragment?.groups?.to ?? (updateFragment?.groups?.to ?? '')
const dependencyGroup = groupName?.groups?.name ?? ''

if (data['updated-dependencies']) {
return await Promise.all(data['updated-dependencies'].map(async (dependency, index) => {
Expand All @@ -61,6 +64,7 @@ export async function parse (commitMessage: string, body: string, branchName: st
newVersion: nextVersion,
compatScore: await scoreFn(dependency['dependency-name'], lastVersion, nextVersion, chunks[1]),
maintainerChanges: newMaintainer,
dependencyGroup: dependencyGroup,
...await lookupFn(dependency['dependency-name'], lastVersion, dirname)
}
}))
Expand Down
Loading

0 comments on commit 62c4c8d

Please sign in to comment.