
Support for Grouped Updates #396

Merged
merged 6 commits into from
Jun 27, 2023
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -84,6 +84,8 @@ Subsequent actions will have access to the following outputs:
- If this PR has a known compatibility score and `compat-lookup` is `true`, this contains the compatibility score (otherwise it contains 0).
- `steps.dependabot-metadata.outputs.maintainer-changes`
- Whether or not the the body of this PR contains the phrase "Maintainer changes" which is an indicator of whether or not any maintainers have changed.
- `steps.dependabot-metadata.outputs.dependency-group`
- The dependency group that the PR is associated with (otherwise it is an empty string).
Comment on lines +87 to +88
@brrygrdn brrygrdn Jun 27, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for updating the README 👍🏻


**Note:** By default, these outputs will only be populated if the target Pull Request was opened by Dependabot and contains
**only** Dependabot-created commits. To override, see `skip-commit-verification` / `skip-verification`.
9 changes: 7 additions & 2 deletions dist/index.js


2 changes: 2 additions & 0 deletions src/dependabot/output.test.ts
Expand Up @@ -20,6 +20,7 @@ const baseDependency = {
newVersion: '',
compatScore: 0,
maintainerChanges: false,
dependencyGroup: '',
alertState: '',
ghsaId: '',
cvss: 0
Expand All @@ -38,6 +39,7 @@ test('when given a single dependency it sets its values', async () => {
newVersion: '1.1.3-beta',
compatScore: 43,
maintainerChanges: true,
dependencyGroup: '',
alertState: 'FIXED',
ghsaId: 'VERY_LONG_ID',
cvss: 4.6
3 changes: 3 additions & 0 deletions src/dependabot/output.ts
Expand Up @@ -28,6 +28,7 @@ export function set (updatedDependencies: Array<updatedDependency>): void {
const newVersion = firstDependency?.newVersion
const compatScore = firstDependency?.compatScore
const maintainerChanges = firstDependency?.maintainerChanges
const dependencyGroup = firstDependency?.dependencyGroup
const alertState = firstDependency?.alertState
const ghsaId = firstDependency?.ghsaId
const cvss = firstDependency?.cvss
Expand All @@ -43,6 +44,7 @@ export function set (updatedDependencies: Array<updatedDependency>): void {
core.info(`outputs.new-version: ${newVersion}`)
core.info(`outputs.compatibility-score: ${compatScore}`)
core.info(`outputs.maintainer-changes: ${maintainerChanges}`)
core.info(`outputs.dependency-group: ${dependencyGroup}`)
core.info(`outputs.alert-state: ${alertState}`)
core.info(`outputs.ghsa-id: ${ghsaId}`)
core.info(`outputs.cvss: ${cvss}`)
Expand All @@ -59,6 +61,7 @@ export function set (updatedDependencies: Array<updatedDependency>): void {
core.setOutput('new-version', newVersion)
core.setOutput('compatibility-score', compatScore)
core.setOutput('maintainer-changes', maintainerChanges)
core.setOutput('dependency-group', dependencyGroup)
core.setOutput('alert-state', alertState)
core.setOutput('ghsa-id', ghsaId)
core.setOutput('cvss', cvss)
50 changes: 50 additions & 0 deletions src/dependabot/update_metadata.test.ts
Expand Up @@ -61,6 +61,7 @@ test('it returns the updated dependency information when there is a yaml fragmen
expect(updatedDependencies[0].alertState).toEqual('DISMISSED')
expect(updatedDependencies[0].ghsaId).toEqual('GHSA-III-BBB')
expect(updatedDependencies[0].cvss).toEqual(4.6)
expect(updatedDependencies[0].dependencyGroup).toEqual('')
})

test('it supports multiple dependencies within a single fragment', async () => {
Expand Down Expand Up @@ -122,6 +123,8 @@ test('it supports multiple dependencies within a single fragment', async () => {
expect(updatedDependencies[0].alertState).toEqual('DISMISSED')
expect(updatedDependencies[0].ghsaId).toEqual('GHSA-III-BBB')
expect(updatedDependencies[0].cvss).toEqual(4.6)
expect(updatedDependencies[0].dependencyGroup).toEqual('')
expect(updatedDependencies[0].dependencyGroup).toEqual('')

expect(updatedDependencies[1].dependencyName).toEqual('coffeescript')
expect(updatedDependencies[1].dependencyType).toEqual('indirect')
Expand All @@ -135,6 +138,7 @@ test('it supports multiple dependencies within a single fragment', async () => {
expect(updatedDependencies[1].alertState).toEqual('')
expect(updatedDependencies[1].ghsaId).toEqual('')
expect(updatedDependencies[1].cvss).toEqual(0)
expect(updatedDependencies[1].dependencyGroup).toEqual('')
})

test('it returns the updated dependency information when there is a leading v in the commit message versions', async () => {
Expand Down Expand Up @@ -170,6 +174,50 @@ test('it returns the updated dependency information when there is a leading v in
expect(updatedDependencies[0].alertState).toEqual('DISMISSED')
expect(updatedDependencies[0].ghsaId).toEqual('GHSA-III-BBB')
expect(updatedDependencies[0].cvss).toEqual(4.6)
expect(updatedDependencies[0].dependencyGroup).toEqual('')
})

test('it supports returning information about grouped updates', async () => {
const commitMessage =
'Bumps the docker group with 3 updates: [github.com/docker/cli](https://github.com/docker/cli), [github.com/docker/docker](https://github.com/docker/docker) and [github.com/moby/moby](https://github.com/moby/moby).\n' +
'\n' +
'Updates `github.com/docker/cli` from 24.0.1+incompatible to 24.0.2+incompatible\n' +
'- [Commits](docker/cli@v24.0.1...v24.0.2)\n' +
'\n' +
'Updates `github.com/docker/docker` from 24.0.1+incompatible to 24.0.2+incompatible\n' +
'- [Release notes](https://github.com/docker/docker/releases)\n' +
'- [Commits](moby/moby@v24.0.1...v24.0.2)\n' +
'\n' +
'Updates `github.com/moby/moby` from 24.0.1+incompatible to 24.0.2+incompatible\n' +
'- [Release notes](https://github.com/moby/moby/releases)\n' +
'- [Commits](moby/moby@v24.0.1...v24.0.2)\n' +
'\n' +
'---\n' +
'updated-dependencies:\n' +
'- dependency-name: github.com/docker/cli\n' +
' dependency-type: direct:production\n' +
' update-type: version-update:semver-patch\n' +
' dependency-group: docker\n' +
'- dependency-name: github.com/docker/docker\n' +
' dependency-type: direct:production\n' +
' update-type: version-update:semver-patch\n' +
' dependency-group: docker\n' +
'- dependency-name: github.com/moby/moby\n' +
' dependency-type: direct:production\n' +
' update-type: version-update:semver-patch\n' +
' dependency-group: docker\n' +
'...\n' +
'\n' +
'Signed-off-by: dependabot[bot] <support@github.com>\n'

const getAlert = async () => Promise.resolve({ alertState: 'DISMISSED', ghsaId: 'GHSA-III-BBB', cvss: 4.6 })
const getScore = async () => Promise.resolve(43)
const updatedDependencies = await updateMetadata.parse(commitMessage, '', 'dependabot/docker/gh-base-image/docker-1234566789', 'main', getAlert, getScore)

expect(updatedDependencies).toHaveLength(3)

expect(updatedDependencies[0].dependencyName).toEqual('github.com/docker/cli')
expect(updatedDependencies[0].dependencyGroup).toEqual('docker')
})

test('it only returns information within the first fragment if there are multiple yaml documents', async () => {
Expand Down Expand Up @@ -211,6 +259,7 @@ test('it only returns information within the first fragment if there are multipl
expect(updatedDependencies[0].alertState).toEqual('')
expect(updatedDependencies[0].ghsaId).toEqual('')
expect(updatedDependencies[0].cvss).toEqual(0)
expect(updatedDependencies[0].dependencyGroup).toEqual('')
})

test('it properly handles dependencies which contain slashes', async () => {
Expand Down Expand Up @@ -247,6 +296,7 @@ test('it properly handles dependencies which contain slashes', async () => {
expect(updatedDependencies[0].alertState).toEqual('')
expect(updatedDependencies[0].ghsaId).toEqual('')
expect(updatedDependencies[0].cvss).toEqual(0)
expect(updatedDependencies[0].dependencyGroup).toEqual('')
})

test('calculateUpdateType should handle all paths', () => {
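Review bot: The new grouped-updates test only checks `dependencyGroup` on entry `[0]` after asserting three entries, so a regression where only the first dependency receives the group would pass; add `expect(updatedDependencies[1].dependencyGroup).toEqual('docker')` and `expect(updatedDependencies[2].dependencyGroup).toEqual('docker')` after the existing `[0]` assertion. The second hunk also adds `expect(updatedDependencies[0].dependencyGroup).toEqual('')` twice in a row, and the later hunk already covers `[1]`, so one of the two duplicate lines should go. A fixture in which the YAML entries carry different `dependency-group` values would make the per-dependency behaviour explicit rather than implied by a single shared value.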
6 changes: 5 additions & 1 deletion src/dependabot/update_metadata.ts
Expand Up @@ -16,7 +16,8 @@ export interface updatedDependency extends dependencyAlert {
prevVersion: string,
newVersion: string,
compatScore: number,
maintainerChanges: boolean
maintainerChanges: boolean,
dependencyGroup: string
}

export interface alertLookup {
Expand All @@ -31,6 +32,7 @@ export async function parse (commitMessage: string, body: string, branchName: st
const bumpFragment = commitMessage.match(/^Bumps .* from (?<from>v?\d[^ ]*) to (?<to>v?\d[^ ]*)\.$/m)
const updateFragment = commitMessage.match(/^Update .* requirement from \S*? ?(?<from>v?\d\S*) to \S*? ?(?<to>v?\d\S*)$/m)
const yamlFragment = commitMessage.match(/^-{3}\n(?<dependencies>[\S|\s]*?)\n^\.{3}\n/m)
const groupName = commitMessage.match(/dependency-group:\s(?<name>\S*)/m)
const newMaintainer = !!body.match(/Maintainer changes/m)
const lookupFn = lookup ?? (() => Promise.resolve({ alertState: '', ghsaId: '', cvss: 0 }))
const scoreFn = getScore ?? (() => Promise.resolve(0))
Expand All @@ -43,6 +45,7 @@ export async function parse (commitMessage: string, body: string, branchName: st
const chunks = branchName.split(delim)
const prev = bumpFragment?.groups?.from ?? (updateFragment?.groups?.from ?? '')
const next = bumpFragment?.groups?.to ?? (updateFragment?.groups?.to ?? '')
const dependencyGroup = groupName?.groups?.name ?? ''

if (data['updated-dependencies']) {
return await Promise.all(data['updated-dependencies'].map(async (dependency, index) => {
Expand All @@ -61,6 +64,7 @@ export async function parse (commitMessage: string, body: string, branchName: st
newVersion: nextVersion,
compatScore: await scoreFn(dependency['dependency-name'], lastVersion, nextVersion, chunks[1]),
maintainerChanges: newMaintainer,
dependencyGroup: dependencyGroup,
...await lookupFn(dependency['dependency-name'], lastVersion, dirname)
}
}))
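Review bot: `const groupName = commitMessage.match(/dependency-group:\s(?<name>\S*)/m)` scans the entire commit message rather than the YAML fragment that the rest of `parse` treats as authoritative, so it picks up the first `dependency-group:` text wherever it occurs — in the prose above the `---` marker or in a later YAML document that the existing first-fragment rule deliberately ignores — and then stamps that single value onto every dependency in the fragment. The new test fixture shows each `updated-dependencies` entry already carries its own `dependency-group` key, so the value should come from the parsed data inside the map, `dependencyGroup: dependency['dependency-group'] ?? '',`, and the `groupName` and `dependencyGroup` regex lines in the earlier hunks should be dropped, which keeps one parser (the YAML loader) as the single source for this metadata instead of a regex and the YAML loader possibly disagreeing. Whether the element type of `data['updated-dependencies']` declares `'dependency-group'` is not visible here and may need a type update. The `m` flag on that regex has no effect since the pattern has no anchors. `parse` begins and ends outside these hunks.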