merge

extension/package.json

@@ -25,14 +25,14 @@
   },
   "homepage": "https://github.com/tinglesoftware/dependabot-azure-devops#readme",
   "dependencies": {
-    "axios": "1.7.3",
-    "azure-pipelines-task-lib": "4.15.0",
+    "axios": "1.7.4",
+    "azure-pipelines-task-lib": "4.16.0",
     "js-yaml": "4.1.0"
   },
   "devDependencies": {
     "@types/jest": "29.5.12",
     "@types/js-yaml": "4.0.9",
-    "@types/node": "22.2.0",
+    "@types/node": "22.4.0",
     "@types/q": "1.5.8",
     "jest": "29.7.0",
     "ts-jest": "29.2.4",

server/Tingle.Dependabot.Tests/Tingle.Dependabot.Tests.csproj

@@ -12,8 +12,8 @@
   <ItemGroup>
     <PackageReference Include="coverlet.collector" Version="6.0.2" PrivateAssets="All" />
     <PackageReference Include="MartinCostello.Logging.XUnit" Version="0.4.0" />
-    <PackageReference Include="Microsoft.AspNetCore.TestHost" Version="8.0.7" />
-    <PackageReference Include="Microsoft.EntityFrameworkCore.InMemory" Version="8.0.7" />
+    <PackageReference Include="Microsoft.AspNetCore.TestHost" Version="8.0.8" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.InMemory" Version="8.0.8" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.10.0" />
     <PackageReference Include="xunit" Version="2.9.0" />
     <PackageReference Include="xunit.runner.visualstudio" Version="2.8.2" PrivateAssets="All" />

server/Tingle.Dependabot/Tingle.Dependabot.csproj

@@ -17,34 +17,34 @@
   <ItemGroup>
     <PackageReference Include="AspNetCore.Authentication.ApiKey" Version="8.0.1" />
     <PackageReference Include="AspNetCore.Authentication.Basic" Version="8.0.0" />
-    <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Keys" Version="1.2.3" />
+    <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Keys" Version="1.2.4" />
     <PackageReference Include="Azure.Identity" Version="1.12.0" />
     <PackageReference Include="Azure.Messaging.ServiceBus" Version="7.18.1" /> <!-- Allows for faster updates -->
     <PackageReference Include="Azure.Monitor.Query" Version="1.4.0" />
     <PackageReference Include="Azure.ResourceManager.AppContainers" Version="1.2.0" />
     <PackageReference Include="DistributedLock.FileSystem" Version="1.0.2" />
     <PackageReference Include="Macross.Json.Extensions" Version="3.0.0" />
     <PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.22.0" />
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.7" />
-    <PackageReference Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="8.0.7" />
-    <PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="8.0.7" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.8" />
+    <PackageReference Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="8.0.8" />
+    <PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="8.0.8" />
     <PackageReference Include="Microsoft.Azure.AppConfiguration.AspNetCore" Version="7.3.0" />
     <PackageReference Include="Microsoft.Data.SqlClient" Version="5.2.1" />
-    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.7" />
-    <PackageReference Include="Microsoft.Extensions.Diagnostics.HealthChecks.EntityFrameworkCore" Version="8.0.7" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.8" />
+    <PackageReference Include="Microsoft.Extensions.Diagnostics.HealthChecks.EntityFrameworkCore" Version="8.0.8" />
     <PackageReference Include="Microsoft.FeatureManagement.AspNetCore" Version="3.5.0" />
     <PackageReference Include="System.Linq.Async" Version="6.0.1" />
-    <PackageReference Include="Tingle.EventBus.Transports.Azure.ServiceBus" Version="0.22.1" />
-    <PackageReference Include="Tingle.EventBus.Transports.InMemory" Version="0.22.1" />
-    <PackageReference Include="Tingle.Extensions.DataAnnotations" Version="4.11.2" />
-    <PackageReference Include="Tingle.Extensions.Primitives" Version="4.11.2" />
-    <PackageReference Include="Tingle.Extensions.Serilog" Version="4.11.2" />
-    <PackageReference Include="Tingle.PeriodicTasks" Version="1.5.0" />
+    <PackageReference Include="Tingle.EventBus.Transports.Azure.ServiceBus" Version="0.22.2" />
+    <PackageReference Include="Tingle.EventBus.Transports.InMemory" Version="0.22.2" />
+    <PackageReference Include="Tingle.Extensions.DataAnnotations" Version="4.13.0" />
+    <PackageReference Include="Tingle.Extensions.Primitives" Version="4.13.0" />
+    <PackageReference Include="Tingle.Extensions.Serilog" Version="4.13.0" />
+    <PackageReference Include="Tingle.PeriodicTasks" Version="1.5.1" />
     <PackageReference Include="YamlDotNet" Version="16.0.0" />
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="8.0.7" PrivateAssets="All" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="8.0.8" PrivateAssets="All" />
     <PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.21.0" PrivateAssets="All" />
   </ItemGroup>
 

updater/Gemfile

@@ -21,7 +21,7 @@ gem "opentelemetry-instrumentation-faraday", "~> 0.24"
 gem "opentelemetry-instrumentation-http", "~> 0.23"
 gem "opentelemetry-instrumentation-net_http", "~> 0.22"
 gem "opentelemetry-sdk", "~> 1.5"
-gem "sentry-opentelemetry", "~> 5.18"
+gem "sentry-opentelemetry", "~> 5.19"
 gem "sentry-ruby", "~> 5.17"
 gem "terminal-table", "~> 3.0.2"
 

updater/Gemfile.lock

@@ -23,7 +23,7 @@ GEM
     bigdecimal (3.1.8)
     citrus (3.0.2)
     commonmarker (0.23.10)
-    concurrent-ruby (1.3.3)
+    concurrent-ruby (1.3.4)
     crack (1.0.0)
       bigdecimal
       rexml
@@ -327,10 +327,10 @@ GEM
     sawyer (0.9.2)
       addressable (>= 2.3.5)
       faraday (>= 0.17.3, < 3)
-    sentry-opentelemetry (5.18.2)
+    sentry-opentelemetry (5.19.0)
       opentelemetry-sdk (~> 1.0)
-      sentry-ruby (~> 5.18.2)
-    sentry-ruby (5.18.2)
+      sentry-ruby (~> 5.19.0)
+    sentry-ruby (5.19.0)
       bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
     simplecov (0.22.0)
@@ -397,7 +397,7 @@ DEPENDENCIES
   rubocop-performance (~> 1.21.0)
   rubocop-rspec (~> 2.29.1)
   rubocop-sorbet (~> 0.8.1)
-  sentry-opentelemetry (~> 5.18)
+  sentry-opentelemetry (~> 5.19)
   sentry-ruby (~> 5.17)
   simplecov (~> 0.22.0)
   terminal-table (~> 3.0.2)

updater/bin/update_script_vnext.rb

@@ -15,14 +15,7 @@
 
 begin
   TingleSoftware::Dependabot::Commands::UpdateAllDependenciesSynchronousCommand.new(
-    job: TingleSoftware::Dependabot::Job.new(
-      # Override Dependabot updater options (feature flags) required by this job
-      experiments: {
-        # Required for correctly detecting existing PRs when refreshing group dependency updates.
-        # Without this, Dependabot::DependencyGroup.matches_existing_pr? will always return false for group updates.
-        "dependency_has_directory" => true
-      }
-    )
+    job: TingleSoftware::Dependabot::Job.new
   ).run
 rescue ::Dependabot::RunFailure
   exit 1

updater/lib/tinglesoftware/dependabot/api_clients/azure_api_client.rb

@@ -426,8 +426,8 @@ def pull_request_updated_dependencies_property_data(dependency_change)
             {
               "dependency-name" => dep.name,
               "dependency-version" => dep.version,
-              "directory" => dependency_change.grouped_update? ? dep.directory : nil,
-              "dependency-removed" => dep.removed? ? true : nil
+              "dependency-removed" => dep.removed? ? true : nil,
+              "directory" => dep.directory
             }.compact
           end
           if dependency_change.grouped_update?

updater/lib/tinglesoftware/dependabot/commands/update_all_dependencies_synchronous_command.rb

@@ -74,29 +74,31 @@ def log_what_we_found
 
         def log_found_dependency_files
           ::Dependabot.logger.info(
-            "Found #{dependency_files.count} #{job.package_manager} dependency reference files:"
+            "Found #{dependency_snapshot.all_dependency_files.count} #{job.package_manager} dependency reference files:"
           )
-          dependency_files.select.each do |f|
+          dependency_snapshot.all_dependency_files.select.each do |f|
             ::Dependabot.logger.info(" - #{f.directory}#{File::SEPARATOR}#{f.name}")
           end
         end
 
         def log_found_dependencies
           ::Dependabot.logger.info(
-            "Found #{dependency_snapshot.dependencies.count(&:top_level?)} top-level dependencies:"
+            "Found #{dependency_snapshot.all_dependencies.count(&:top_level?)} top-level dependencies:"
           )
-          dependency_snapshot.dependencies.select(&:top_level?).each do |d|
+          dependency_snapshot.all_dependencies.select(&:top_level?).each do |d|
             ::Dependabot.logger.info(" - #{d.name} (#{d.version}) #{job.vulnerable?(d) ? '(VULNERABLE!)' : ''}")
           end
           ::Dependabot.logger.info(
-            "Found #{dependency_snapshot.dependencies.count { |d| !d.top_level? }} transitive dependencies:"
+            "Found #{dependency_snapshot.all_dependencies.count { |d| !d.top_level? }} transitive dependencies:"
           )
-          dependency_snapshot.dependencies.reject(&:top_level?).each do |d|
+          dependency_snapshot.all_dependencies.reject(&:top_level?).each do |d|
             ::Dependabot.logger.info(" - #{d.name} (#{d.version}) #{job.vulnerable?(d) ? '(VULNERABLE!)' : ''}")
           end
         end
 
         def log_found_dependency_groups
+          return unless dependency_snapshot.groups.any?
+
           ::Dependabot.logger.info(
             "Found #{dependency_snapshot.groups.count} dependency group(s):"
           )
@@ -107,6 +109,8 @@ def log_found_dependency_groups
         end
 
         def log_found_open_pull_requests
+          return unless job.open_pull_requests.any?
+
           ::Dependabot.logger.info("Found #{job.open_pull_requests.count} open pull requests(s):")
           job.open_pull_requests.select.each do |pr|
             ::Dependabot.logger.info(" - ##{pr['pullRequestId']}: #{pr['title']}")
@@ -128,7 +132,7 @@ def update_all_existing_pull_requests # rubocop:disable Metrics/PerceivedComplex
             # Refocus our job towards updating this single PR, using the CURRENT snapshot of the dependecneis
             job.for_pull_request_update(
               dependency_group_name: dependency_group_name,
-              dependency_names: dependency_snapshot.dependencies
+              dependency_names: dependency_snapshot.all_dependencies
                 .select { |d| dependency_names.include?(d.name) }
                 .select { |d| job.allowed_update?(d) }
                 .map(&:name)
@@ -156,7 +160,7 @@ def update_all_dependencies
         end
 
         def dependencies_allowed_to_update
-          dependency_snapshot.dependencies.select { |d| job.allowed_update?(d) }
+          dependency_snapshot.all_dependencies.select { |d| job.allowed_update?(d) }
         end
 
         def run_updates_for(job)
@@ -222,19 +226,52 @@ def create_file_fetcher(directory: nil)
           ::Dependabot::FileFetchers.for_package_manager(job.package_manager).new(**args)
         end
 
-        def dependency_files
-          @dependency_files ||= (job.source.directories || [job.source.directory]).flat_map do |dir|
-            ::Dependabot.logger.info(
-              "Searching for #{job.package_manager} dependency reference files in '#{dir}', this can take a while..."
-            )
+        def dependency_files_for_multi_directories
+          return @dependency_files_for_multi_directories if defined?(@dependency_files_for_multi_directories)
+
+          has_glob = T.let(false, T::Boolean)
+          directories = Dir.chdir(job.repo_contents_path) do
+            job.source.directories.map do |dir|
+              next dir unless glob?(dir)
+
+              has_glob = true
+              dir = dir.delete_prefix("/")
+              Dir.glob(dir, File::FNM_DOTMATCH).select { |d| File.directory?(d) }.map { |d| "/#{d}" }
+            end.flatten
+          end.uniq
+
+          @dependency_files_for_multi_directories = directories.flat_map do |dir|
             ff = with_retries { file_fetcher_for_directory(dir) }
-            files = ff.files
+
+            begin
+              files = ff.files
+            rescue ::Dependabot::DependencyFileNotFound
+              # skip directories that don't contain manifests if globbing is used
+              next if has_glob
+
+              raise
+            end
+
             files
+          end.compact
+
+          if @dependency_files_for_multi_directories.empty?
+            raise ::Dependabot::DependencyFileNotFound, job.source.directories.join(", ")
           end
+
+          @dependency_files_for_multi_directories
+        end
+
+        def dependency_files
+          return @dependency_files if defined?(@dependency_files)
+
+          @dependency_files = with_retries { file_fetcher.files }
+          @dependency_files
         end
 
         def base64_dependency_files
-          dependency_files.map do |file|
+          files = job.source.directories ? dependency_files_for_multi_directories : dependency_files
+          files.map do |file|
             base64_file = file.dup
             base64_file.content = Base64.encode64(file.content) unless file.binary?
             base64_file
@@ -251,6 +288,11 @@ def with_retries(max_retries: 2)
             raise
           end
         end
+
+        def glob?(directory)
+          # We could tighten this up, but it's probably close enough.
+          directory.include?("*") || directory.include?("?") || (directory.include?("[") && directory.include?("]"))
+        end
       end
     end
   end