Merge remote-tracking branch 'origin/main' into feature/security-only…

…-updates

.github/dependabot.yml

@@ -27,6 +27,7 @@ updates:
         patterns: ['opentelemetry-*']
       rubocop:
         patterns: ['*rubocop*']
+        exclude-patterns: ['rubocop-rspec']
       sentry:
         patterns: ['sentry-*']
 

extension/README.md

@@ -55,7 +55,7 @@ Dependabot uses Docker containers, which may take time to install if not already
 |setAutoComplete|**_Optional_**. Determines if the pull requests that dependabot creates should have auto complete set. When set to `true`, pull requests that pass all policies will be merged automatically. Defaults to `false`.|
 |mergeStrategy|**_Optional_**. The merge strategy to use when auto complete is set. Learn more [here](https://learn.microsoft.com/en-us/rest/api/azure/devops/git/pull-requests/update?view=azure-devops-rest-6.0&tabs=HTTP#gitpullrequestmergestrategy). Defaults to `squash`.|
 |autoCompleteIgnoreConfigIds|**_Optional_**. List of any policy configuration Id's which auto-complete should not wait for. Only applies to optional policies. Auto-complete always waits for required (blocking) policies.|
-|autoApprove|**_Optional_**. Determines if the pull requests that dependabot creates should be automatically completed. When set to `true`, pull requests will be approved automatically. To use a different user for approval, supply `autoApproveUserToken` input. Defaults to `false`.|
+|autoApprove|**_Optional_**. Determines if the pull requests that dependabot creates should be automatically completed. When set to `true`, pull requests will be approved automatically. To use a different user for approval, supply `autoApproveUserToken` input. Defaults to `false`. Requires [Azure DevOps REST API 7.1](https://learn.microsoft.com/en-us/azure/devops/integrate/concepts/rest-api-versioning?view=azure-devops#supported-versions).|
 |autoApproveUserToken|**_Optional_**. A personal access token for the user to automatically approve the created PR.|
 |authorEmail|**_Optional_**. The email address to use for the change commit author. Can be used to associate the committer with an existing account, to provide a profile picture. Defaults to `[email protected]`.|
 |authorName|**_Optional_**. The name to use as the git commit author of the pull requests. Defaults to `dependabot[bot]`.|
@@ -82,7 +82,7 @@ Dependabot uses Docker containers, which may take time to install if not already
 |setAutoComplete|**_Optional_**. Determines if the pull requests that dependabot creates should have auto complete set. When set to `true`, pull requests that pass all policies will be merged automatically. Defaults to `false`.|
 |mergeStrategy|**_Optional_**. The merge strategy to use when auto complete is set. Learn more [here](https://learn.microsoft.com/en-us/rest/api/azure/devops/git/pull-requests/update?view=azure-devops-rest-6.0&tabs=HTTP#gitpullrequestmergestrategy). Defaults to `squash`.|
 |autoCompleteIgnoreConfigIds|**_Optional_**. List of any policy configuration Id's which auto-complete should not wait for. Only applies to optional policies. Auto-complete always waits for required (blocking) policies.|
-|autoApprove|**_Optional_**. Determines if the pull requests that dependabot creates should be automatically completed. When set to `true`, pull requests will be approved automatically. To use a different user for approval, supply `autoApproveUserToken` input. Defaults to `false`.|
+|autoApprove|**_Optional_**. Determines if the pull requests that dependabot creates should be automatically completed. When set to `true`, pull requests will be approved automatically. To use a different user for approval, supply `autoApproveUserToken` input. Defaults to `false`. Requires [Azure DevOps REST API 7.1](https://learn.microsoft.com/en-us/azure/devops/integrate/concepts/rest-api-versioning?view=azure-devops#supported-versions).|
 |autoApproveUserToken|**_Optional_**. A personal access token for the user to automatically approve the created PR.|
 |skipPullRequests|**_Optional_**. Determines whether to skip creation and updating of pull requests. When set to `true` the logic to update the dependencies is executed but the actual Pull Requests are not created/updated. This is useful for debugging. Defaults to `false`.|
 |abandonUnwantedPullRequests|**_Optional_**. Determines whether to abandon unwanted pull requests. Defaults to `false`.|

extension/package.json

@@ -34,9 +34,9 @@
     "js-yaml": "4.1.0"
   },
   "devDependencies": {
-    "@types/jest": "29.5.13",
+    "@types/jest": "29.5.14",
     "@types/js-yaml": "4.0.9",
-    "@types/node": "22.7.7",
+    "@types/node": "22.8.1",
     "@types/q": "1.5.8",
     "jest": "29.7.0",
     "ts-jest": "29.2.5",

extension/tasks/dependabotV1/task.json

@@ -138,7 +138,7 @@
       "label": "Auto-approve pull requests",
       "defaultValue": false,
       "required": false,
-      "helpMarkDown": "When set to `true`, pull requests will automatically be approved by the specified user. Defaults to `false`."
+      "helpMarkDown": "When set to `true`, pull requests will automatically be approved by the specified user. Defaults to `false`. Requires [Azure DevOps REST API 7.1](https://learn.microsoft.com/en-us/azure/devops/integrate/concepts/rest-api-versioning?view=azure-devops#supported-versions)"
     },
     {
       "name": "autoApproveUserToken",

extension/tasks/dependabotV2/task.json

@@ -118,7 +118,7 @@
       "label": "Auto-approve pull requests",
       "defaultValue": false,
       "required": false,
-      "helpMarkDown": "When set to `true`, pull requests will automatically be approved by the specified user. Defaults to `false`."
+      "helpMarkDown": "When set to `true`, pull requests will automatically be approved by the specified user. Defaults to `false`. Requires [Azure DevOps REST API 7.1](https://learn.microsoft.com/en-us/azure/devops/integrate/concepts/rest-api-versioning?view=azure-devops#supported-versions)"
     },
     {
       "name": "autoApproveUserToken",

extension/tasks/dependabotV2/utils/azure-devops/AzureDevOpsWebApiClient.ts

@@ -28,7 +28,7 @@ export class AzureDevOpsWebApiClient {
   private authenticatedUserId: string;
   private resolvedUserIds: Record<string, string>;
 
-  public static API_VERSION = '7.1';
+  public static API_VERSION = '5.0'; // this is the same version used by dependabot-core
 
   constructor(organisationApiUrl: string, accessToken: string) {
     this.organisationApiUrl = organisationApiUrl.replace(/\/$/, ''); // trim trailing slash
@@ -464,9 +464,18 @@ export class AzureDevOpsWebApiClient {
       const userVote = await this.restApiPut(
         `${this.organisationApiUrl}/${pr.project}/_apis/git/repositories/${pr.repository}/pullrequests/${pr.pullRequestId}/reviewers/${userId}`,
         {
-          vote: 10, // 10 - approved 5 - approved with suggestions 0 - no vote -5 - waiting for author -10 - rejected
-          isReapprove: false, // don't re-approve if already approved
+          // Vote 10 = "approved"; 5 = "approved with suggestions"; 0 = "no vote"; -5 = "waiting for author"; -10 = "rejected"
+          vote: 10,
+          // Reapprove must be set to true after the 2023 August 23 update;
+          // Approval of a previous PR iteration does not count in later iterations, which means we must (re)approve every after push to the source branch
+          // See: https://learn.microsoft.com/en-us/azure/devops/release-notes/2023/sprint-226-update#new-branch-policy-preventing-users-to-approve-their-own-changes
+          //      https://github.com/tinglesoftware/dependabot-azure-devops/issues/1069
+          isReapprove: true,
         },
+        // API version 7.1 is required to use the 'isReapprove' parameter
+        // See: https://learn.microsoft.com/en-us/rest/api/azure/devops/git/pull-request-reviewers/create-pull-request-reviewer?view=azure-devops-rest-7.1&tabs=HTTP#request-body
+        //      https://learn.microsoft.com/en-us/azure/devops/integrate/concepts/rest-api-versioning?view=azure-devops#supported-versions
+        '7.1',
       );
       if (userVote?.vote != 10) {
         throw new Error('Failed to approve pull request, vote was not recorded');
@@ -619,7 +628,7 @@ export class AzureDevOpsWebApiClient {
       .map((key) => `${key}=${params[key]}`)
       .join('&');
     const fullUrl = `${url}?api-version=${apiVersion}${queryString ? `&${queryString}` : ''}`;
-    return await this.restApiRequest('GET', url, () =>
+    return await this.restApiRequest('GET', fullUrl, () =>
       this.connection.rest.client.get(fullUrl, {
         Accept: 'application/json',
       }),
@@ -632,7 +641,7 @@ export class AzureDevOpsWebApiClient {
     apiVersion: string = AzureDevOpsWebApiClient.API_VERSION,
   ): Promise<any | undefined> {
     const fullUrl = `${url}?api-version=${apiVersion}`;
-    return await this.restApiRequest('POST', url, () =>
+    return await this.restApiRequest('POST', fullUrl, () =>
       this.connection.rest.client.post(fullUrl, JSON.stringify(data), {
         'Content-Type': 'application/json',
       }),
@@ -645,7 +654,7 @@ export class AzureDevOpsWebApiClient {
     apiVersion: string = AzureDevOpsWebApiClient.API_VERSION,
   ): Promise<any | undefined> {
     const fullUrl = `${url}?api-version=${apiVersion}`;
-    return await this.restApiRequest('PUT', url, () =>
+    return await this.restApiRequest('PUT', fullUrl, () =>
       this.connection.rest.client.put(fullUrl, JSON.stringify(data), {
         'Content-Type': 'application/json',
       }),
@@ -659,7 +668,7 @@ export class AzureDevOpsWebApiClient {
     apiVersion: string = AzureDevOpsWebApiClient.API_VERSION,
   ): Promise<any | undefined> {
     const fullUrl = `${url}?api-version=${apiVersion}`;
-    return await this.restApiRequest('PATCH', url, () =>
+    return await this.restApiRequest('PATCH', fullUrl, () =>
       this.connection.rest.client.patch(fullUrl, JSON.stringify(data), {
         'Content-Type': contentType || 'application/json',
       }),

server/Tingle.Dependabot/Tingle.Dependabot.csproj

@@ -18,7 +18,7 @@
     <PackageReference Include="AspNetCore.Authentication.ApiKey" Version="8.0.1" />
     <PackageReference Include="AspNetCore.Authentication.Basic" Version="8.0.0" />
     <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Keys" Version="1.2.4" />
-    <PackageReference Include="Azure.Identity" Version="1.13.0" />
+    <PackageReference Include="Azure.Identity" Version="1.13.1" />
     <PackageReference Include="Azure.Messaging.ServiceBus" Version="7.18.2" /> <!-- Allows for faster updates -->
     <PackageReference Include="Azure.Monitor.Query" Version="1.5.0" />
     <PackageReference Include="Azure.ResourceManager.AppContainers" Version="1.3.0" />

updater/Gemfile

@@ -8,7 +8,7 @@ source "https://rubygems.org"
 # They are so many, our reference won't be found for it to be updated.
 # Hence adding the branch.
 
-gem "dependabot-omnibus", "~>0.281.0"
+gem "dependabot-omnibus", "~>0.282.0"
 # gem "dependabot-omnibus", github: "dependabot/dependabot-core", branch: "main"
 # gem "dependabot-omnibus", github: "dependabot/dependabot-core", tag: "v0.232.0"
 # gem "dependabot-omnibus", github: "dependabot/dependabot-core", ref: "ffde6f6"
@@ -21,7 +21,7 @@ gem "opentelemetry-instrumentation-excon", "~> 0.22"
 gem "opentelemetry-instrumentation-faraday", "~> 0.24"
 gem "opentelemetry-instrumentation-http", "~> 0.23"
 gem "opentelemetry-instrumentation-net_http", "~> 0.22"
-gem "opentelemetry-metrics-sdk", "~> 0.2"
+gem "opentelemetry-metrics-sdk", "~> 0.3"
 gem "opentelemetry-sdk", "~> 1.5"
 gem "sentry-opentelemetry", "~> 5.21"
 gem "sentry-ruby", "~> 5.17"
@@ -36,10 +36,10 @@ group :test do
   gem "rspec", "~> 3.12"
   gem "rspec-its", "~> 1.3"
   gem "rspec-sorbet", "~> 1.9.2"
-  gem "rubocop", "~> 1.65.1"
-  gem "rubocop-performance", "~> 1.21.0"
+  gem "rubocop", "~> 1.67.0"
+  gem "rubocop-performance", "~> 1.22.1"
   gem "rubocop-rspec", "~> 2.29.1"
-  gem "rubocop-sorbet", "~> 0.8.1"
+  gem "rubocop-sorbet", "~> 0.8.6"
   gem "simplecov", "~> 0.22.0"
   gem "turbo_tests", "~> 2.2.0"
   gem "vcr", "~> 6.3"