Merge branch 'main' into deivid-rodriguez/bundler-2.5.5

dependabot · Feb 22, 2024 · 144191e · 144191e
2 parents 690e992 + 1f8b176
commit 144191e
Show file tree

Hide file tree

Showing 176 changed files with 4,277 additions and 1,800 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -19,10 +19,10 @@
   // Comment out to connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
   "remoteUser": "vscode",
   "features": {
-    "ghcr.io/devcontainers/features/docker-from-docker": "latest",
+    "ghcr.io/devcontainers/features/docker-outside-of-docker": "latest",
     "ghcr.io/devcontainers/features/github-cli": "latest",
     "ghcr.io/devcontainers/features/node": "lts",
-    "ghcr.io/devcontainers/features/golang": "latest",
+    "ghcr.io/devcontainers/features/go": "latest",
     "ghcr.io/devcontainers/features/ruby": "3.1.4",
     "ghcr.io/devcontainers/features/rust": "latest",
     "ghcr.io/devcontainers/features/dotnet": "latest",

diff --git a/.github/workflows/images-branch.yml b/.github/workflows/images-branch.yml
@@ -73,15 +73,15 @@ jobs:
       contents: read
       packages: write
     env:
-      TAG: ${{ github.sha }}
+      DEPENDABOT_UPDATER_VERSION: ${{ github.sha }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
           submodules: recursive
 
       - name: Prepare tag
-        run: echo "TAG=${{ github.sha }}" >> $GITHUB_ENV
+        run: echo "DEPENDABOT_UPDATER_VERSION=${{ github.sha }}" >> $GITHUB_ENV
         if: github.event_name == 'pull_request'
 
       - name: Prepare tag (forks)
@@ -90,7 +90,7 @@ jobs:
           git fetch origin main
           git merge origin/main --ff-only || exit 1
           git submodule update --init --recursive
-          echo "TAG=$(git rev-parse HEAD)" >> $GITHUB_ENV
+          echo "DEPENDABOT_UPDATER_VERSION=$(git rev-parse HEAD)" >> $GITHUB_ENV
         if: github.event_name == 'workflow_dispatch'
 
       - name: Log in to GHCR
@@ -102,12 +102,12 @@ jobs:
 
       - name: Push branch image
         run: |
-          docker tag "ghcr.io/dependabot/dependabot-updater-${{ matrix.suite.ecosystem }}" "ghcr.io/dependabot/dependabot-updater-${{ matrix.suite.ecosystem }}:$TAG"
-          docker push "ghcr.io/dependabot/dependabot-updater-${{ matrix.suite.ecosystem }}:$TAG"
+          docker tag "ghcr.io/dependabot/dependabot-updater-${{ matrix.suite.ecosystem }}" "ghcr.io/dependabot/dependabot-updater-${{ matrix.suite.ecosystem }}:$DEPENDABOT_UPDATER_VERSION"
+          docker push "ghcr.io/dependabot/dependabot-updater-${{ matrix.suite.ecosystem }}:$DEPENDABOT_UPDATER_VERSION"
 
       - name: Set summary
         run: |
-          echo "updater uploaded with tag \`$TAG\`" >> $GITHUB_STEP_SUMMARY
+          echo "updater uploaded with tag \`$DEPENDABOT_UPDATER_VERSION\`" >> $GITHUB_STEP_SUMMARY
           echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
-          echo "ghcr.io/dependabot/dependabot-updater-${{ matrix.suite.ecosystem }}:$TAG" >> $GITHUB_STEP_SUMMARY
+          echo "ghcr.io/dependabot/dependabot-updater-${{ matrix.suite.ecosystem }}:$DEPENDABOT_UPDATER_VERSION" >> $GITHUB_STEP_SUMMARY
           echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -335,6 +335,12 @@ Style/SelectByRegexp:
 Sorbet/TrueSigil:
   Exclude:
     - "**/spec/**/*"
+Sorbet/StrictSigil:
+  Exclude:
+    - "**/spec/**/*"
+Sorbet/StrongSigil:
+  Exclude:
+    - "**/spec/**/*"
 
 # TODO these were temporarily disabled during the Ruby 2.7 -> 3.1 upgrade
 # in order to keep the upgrade diff small, they will be enabled/fixed in

diff --git a/Dockerfile.updater-core b/Dockerfile.updater-core
@@ -1,4 +1,6 @@
-FROM ubuntu:22.04
+FROM docker.io/library/ubuntu:22.04
+
+ARG TARGETARCH
 
 LABEL org.opencontainers.image.source="https://github.com/dependabot/dependabot-core"
 
@@ -52,7 +54,7 @@ COPY --chown=dependabot:dependabot LICENSE $DEPENDABOT_HOME
 
 # Install Ruby from official Docker image
 # When bumping Ruby minor, need to also add the previous version to `bundler/helpers/v{1,2}/monkey_patches/definition_ruby_version_patch.rb`
-COPY --from=ruby:3.1.4-bookworm --chown=dependabot:dependabot /usr/local /usr/local
+COPY --from=docker.io/library/ruby:3.1.4-bookworm --chown=dependabot:dependabot /usr/local /usr/local
 
 # We had to explicitly bump this as the bundled version `0.2.2` in ubuntu 22.04 has a bug.
 # Once Ubuntu base image pulls in a new enough yaml version, we may not need to
@@ -72,7 +74,7 @@ ENV DEPENDABOT=true
 ENV GIT_LFS_SKIP_SMUDGE=1
 
 # Place a git shim ahead of git on the path to rewrite git arguments to use HTTPS.
-ARG SHIM="https://github.com/dependabot/git-shim/releases/download/v1.4.0/git-v1.4.0-linux-amd64.tar.gz"
+ARG SHIM="https://github.com/dependabot/git-shim/releases/download/v1.4.0/git-v1.4.0-linux-${TARGETARCH}.tar.gz"
 RUN curl -sL $SHIM -o git-shim.tar.gz && mkdir -p ~/bin && tar -xvf git-shim.tar.gz -C ~/bin && rm git-shim.tar.gz
 
 COPY --chown=dependabot:dependabot omnibus omnibus
@@ -126,6 +128,8 @@ RUN gem install bundler -v $BUNDLER_V2_VERSION --no-document && \
 ENV PATH="$DEPENDABOT_HOME/bin:$PATH"
 ENV DEPENDABOT_NATIVE_HELPERS_PATH="/opt"
 
+ENV DEPENDABOT_UPDATER_VERSION=${DEPENDABOT_UPDATER_VERSION:-development}
+
 USER root
 
 CMD ["bin/run"]
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,19 +1,19 @@
 PATH
   remote: bundler
   specs:
-    dependabot-bundler (0.242.1)
-      dependabot-common (= 0.242.1)
+    dependabot-bundler (0.244.0)
+      dependabot-common (= 0.244.0)
 
 PATH
   remote: cargo
   specs:
-    dependabot-cargo (0.242.1)
-      dependabot-common (= 0.242.1)
+    dependabot-cargo (0.244.0)
+      dependabot-common (= 0.244.0)
 
 PATH
   remote: common
   specs:
-    dependabot-common (0.242.1)
+    dependabot-common (0.244.0)
       aws-sdk-codecommit (~> 1.28)
       aws-sdk-ecr (~> 1.5)
       bundler (>= 1.16, < 3.0.0)
@@ -35,107 +35,107 @@ PATH
 PATH
   remote: composer
   specs:
-    dependabot-composer (0.242.1)
-      dependabot-common (= 0.242.1)
+    dependabot-composer (0.244.0)
+      dependabot-common (= 0.244.0)
 
 PATH
   remote: devcontainers
   specs:
-    dependabot-devcontainers (0.242.1)
-      dependabot-common (= 0.242.1)
+    dependabot-devcontainers (0.244.0)
+      dependabot-common (= 0.244.0)
 
 PATH
   remote: docker
   specs:
-    dependabot-docker (0.242.1)
-      dependabot-common (= 0.242.1)
+    dependabot-docker (0.244.0)
+      dependabot-common (= 0.244.0)
 
 PATH
   remote: elm
   specs:
-    dependabot-elm (0.242.1)
-      dependabot-common (= 0.242.1)
+    dependabot-elm (0.244.0)
+      dependabot-common (= 0.244.0)
 
 PATH
   remote: git_submodules
   specs:
-    dependabot-git_submodules (0.242.1)
-      dependabot-common (= 0.242.1)
+    dependabot-git_submodules (0.244.0)
+      dependabot-common (= 0.244.0)
       parseconfig (~> 1.0, < 1.1.0)
 
 PATH
   remote: github_actions
   specs:
-    dependabot-github_actions (0.242.1)
-      dependabot-common (= 0.242.1)
+    dependabot-github_actions (0.244.0)
+      dependabot-common (= 0.244.0)
 
 PATH
   remote: go_modules
   specs:
-    dependabot-go_modules (0.242.1)
-      dependabot-common (= 0.242.1)
+    dependabot-go_modules (0.244.0)
+      dependabot-common (= 0.244.0)
 
 PATH
   remote: gradle
   specs:
-    dependabot-gradle (0.242.1)
-      dependabot-common (= 0.242.1)
-      dependabot-maven (= 0.242.1)
+    dependabot-gradle (0.244.0)
+      dependabot-common (= 0.244.0)
+      dependabot-maven (= 0.244.0)
 
 PATH
   remote: hex
   specs:
-    dependabot-hex (0.242.1)
-      dependabot-common (= 0.242.1)
+    dependabot-hex (0.244.0)
+      dependabot-common (= 0.244.0)
 
 PATH
   remote: maven
   specs:
-    dependabot-maven (0.242.1)
-      dependabot-common (= 0.242.1)
+    dependabot-maven (0.244.0)
+      dependabot-common (= 0.244.0)
 
 PATH
   remote: npm_and_yarn
   specs:
-    dependabot-npm_and_yarn (0.242.1)
-      dependabot-common (= 0.242.1)
+    dependabot-npm_and_yarn (0.244.0)
+      dependabot-common (= 0.244.0)
 
 PATH
   remote: nuget
   specs:
-    dependabot-nuget (0.242.1)
-      dependabot-common (= 0.242.1)
+    dependabot-nuget (0.244.0)
+      dependabot-common (= 0.244.0)
       rubyzip (>= 2.3.2, < 3.0)
 
 PATH
   remote: pub
   specs:
-    dependabot-pub (0.242.1)
-      dependabot-common (= 0.242.1)
+    dependabot-pub (0.244.0)
+      dependabot-common (= 0.244.0)
 
 PATH
   remote: python
   specs:
-    dependabot-python (0.242.1)
-      dependabot-common (= 0.242.1)
+    dependabot-python (0.244.0)
+      dependabot-common (= 0.244.0)
 
 PATH
   remote: silent
   specs:
-    dependabot-silent (0.242.1)
-      dependabot-common (= 0.242.1)
+    dependabot-silent (0.244.0)
+      dependabot-common (= 0.244.0)
 
 PATH
   remote: swift
   specs:
-    dependabot-swift (0.242.1)
-      dependabot-common (= 0.242.1)
+    dependabot-swift (0.244.0)
+      dependabot-common (= 0.244.0)
 
 PATH
   remote: terraform
   specs:
-    dependabot-terraform (0.242.1)
-      dependabot-common (= 0.242.1)
+    dependabot-terraform (0.244.0)
+      dependabot-common (= 0.244.0)
 
 GEM
   remote: https://rubygems.org/

diff --git a/bundler/helpers/v2/monkey_patches/definition_ruby_version_patch.rb b/bundler/helpers/v2/monkey_patches/definition_ruby_version_patch.rb
@@ -6,7 +6,14 @@
 module BundlerDefinitionRubyVersionPatch
   def ruby_version
     super || begin
-      Bundler::RubyVersion.from_string(File.read(".ruby-version", chomp: true))
+      file_content = Bundler.read_file(".ruby-version")
+      ruby_version =
+        if /^ruby(-|\s+)([^\s#]+)/ =~ file_content
+          ::Regexp.last_match(2)
+        else
+          file_content.strip
+        end
+      Bundler::RubyVersion.new(ruby_version, nil, nil, nil) if ruby_version
     rescue SystemCallError
       # .ruby-version doesn't exist, fallback to the Ruby Dependabot runs
     end

diff --git a/bundler/helpers/v2/spec/ruby_version_spec.rb b/bundler/helpers/v2/spec/ruby_version_spec.rb
@@ -0,0 +1,40 @@
+# typed: false
+# frozen_string_literal: true
+
+require "native_spec_helper"
+require "shared_contexts"
+
+RSpec.describe BundlerDefinitionRubyVersionPatch do
+  include_context "in a temporary bundler directory"
+  include_context "stub rubygems compact index"
+
+  let(:project_name) { "ruby_version_implied" }
+  before do
+    @ui = Bundler.ui
+    Bundler.ui = Bundler::UI::Silent.new
+  end
+  after { Bundler.ui = @ui }
+
+  it "updates to the most recent version" do
+    in_tmp_folder do
+      File.delete(".ruby-version")
+      definition = Bundler::Definition.build("Gemfile", "Gemfile.lock", gems: ["statesman"])
+      definition.resolve_remotely!
+      specs = definition.resolve["statesman"]
+      expect(specs.size).to eq(1)
+      spec = specs.first
+      expect(spec.version).to eq("7.2.0")
+    end
+  end
+
+  it "doesn't update to a version that is not compatible with the Ruby version implied by .ruby-version" do
+    in_tmp_folder do
+      definition = Bundler::Definition.build("Gemfile", "Gemfile.lock", gems: ["statesman"])
+      definition.resolve_remotely!
+      specs = definition.resolve["statesman"]
+      expect(specs.size).to eq(1)
+      spec = specs.first
+      expect(spec.version).to eq("2.0.1")
+    end
+  end
+end
diff --git a/bundler/lib/dependabot/bundler/file_fetcher.rb b/bundler/lib/dependabot/bundler/file_fetcher.rb
@@ -1,4 +1,4 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "sorbet-runtime"
@@ -105,7 +105,7 @@ def ruby_version_file
       end
 
       def path_gemspecs
-        gemspec_files = []
+        gemspec_files = T.let([], T::Array[Dependabot::DependencyFile])
         unfetchable_gems = []
 
         path_gemspec_paths.each do |path|
@@ -152,6 +152,7 @@ def require_relative_files(files)
                .tap { |req_files| req_files.each { |f| f.support_file = true } }
       end
 
+      sig { params(dir_path: T.any(String, Pathname)).returns(T::Array[DependencyFile]) }
       def fetch_gemspecs_from_directory(dir_path)
         repo_contents(dir: dir_path, fetch_submodules: true)
           .select { |f| f.name.end_with?(".gemspec", ".specification") }

diff --git a/bundler/spec/fixtures/projects/bundler2/ruby_version_implied/.ruby-version b/bundler/spec/fixtures/projects/bundler2/ruby_version_implied/.ruby-version
@@ -0,0 +1 @@
+2.1.10
diff --git a/bundler/spec/fixtures/projects/bundler2/ruby_version_implied/Gemfile b/bundler/spec/fixtures/projects/bundler2/ruby_version_implied/Gemfile
@@ -0,0 +1,4 @@
+source "https://rubygems.org"
+
+gem "business"
+gem "statesman"
diff --git a/bundler/spec/fixtures/projects/bundler2/ruby_version_implied/Gemfile.lock b/bundler/spec/fixtures/projects/bundler2/ruby_version_implied/Gemfile.lock
@@ -0,0 +1,15 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    business (1.12.0)
+    statesman (2.0.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  business
+  statesman
+
+BUNDLED WITH
+   2.5.3
diff --git a/cargo/Dockerfile b/cargo/Dockerfile
@@ -1,4 +1,4 @@
-FROM rust:1.75.0-bookworm as rust
+FROM docker.io/library/rust:1.75.0-bookworm as rust
 
 FROM ghcr.io/dependabot/dependabot-updater-core
 

diff --git a/common/lib/dependabot.rb b/common/lib/dependabot.rb
@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.242.1"
+  VERSION = "0.244.0"
 end