diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 04a4cb1d..60f96a18 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -30,6 +30,8 @@ updates: exclude-patterns: ['rubocop-rspec'] sentry: patterns: ['sentry-*'] + ignore: + - dependency-name: 'dependabot-omnibus' - package-ecosystem: 'docker' directories: ['**/*'] diff --git a/updater/Gemfile b/updater/Gemfile index 2f73f02f..113df79c 100644 --- a/updater/Gemfile +++ b/updater/Gemfile @@ -8,7 +8,7 @@ source "https://rubygems.org" # They are so many, our reference won't be found for it to be updated. # Hence adding the branch. -gem "dependabot-omnibus", "~>0.288.0" +gem "dependabot-omnibus", "~>0.285.0" # gem "dependabot-omnibus", github: "dependabot/dependabot-core", branch: "main" # gem "dependabot-omnibus", github: "dependabot/dependabot-core", tag: "v0.232.0" # gem "dependabot-omnibus", github: "dependabot/dependabot-core", ref: "ffde6f6" diff --git a/updater/Gemfile.lock b/updater/Gemfile.lock index 0df45760..30c44dbd 100644 --- a/updater/Gemfile.lock +++ b/updater/Gemfile.lock @@ -5,11 +5,11 @@ GEM public_suffix (>= 2.0.2, < 7.0) ast (2.4.2) aws-eventstream (1.3.0) - aws-partitions (1.1013.0) - aws-sdk-codecommit (1.80.0) + aws-partitions (1.1003.0) + aws-sdk-codecommit (1.79.0) aws-sdk-core (~> 3, >= 3.210.0) aws-sigv4 (~> 1.5) - aws-sdk-core (3.213.0) + aws-sdk-core (3.212.0) aws-eventstream (~> 1, >= 1.3.0) aws-partitions (~> 1, >= 1.992.0) aws-sigv4 (~> 1.9) @@ -22,7 +22,7 @@ GEM base64 (0.2.0) bigdecimal (3.1.8) citrus (3.0.2) - commonmarker (0.23.11) + commonmarker (0.23.10) concurrent-ruby (1.3.4) crack (1.0.0) bigdecimal 
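Review bot: The new `ignore` entry for `dependabot-omnibus` (in the ecosystem block just before the `docker` entry) carries no explanation, so nothing in the file records that it exists to hold the gem at the `~>0.285.0` pin the Gemfile hunk introduces, or when it can be lifted. An unqualified `ignore` suppresses every version update Dependabot would propose for that dependency, and as far as I recall the dependabot.yml semantics it also applies to security updates, so a later reader cannot tell a deliberate hold from a forgotten one. Add a comment above it such as `# Held at ~>0.285.0 (see updater/Gemfile); drop once <TRACKING-ISSUE> is resolved`, and if only major or minor bumps need blocking, narrow the rule with `update-types` instead of ignoring everything.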
@@ -31,12 +31,12 @@ GEM debug (1.9.2) irb (~> 1.10) reline (>= 0.3.8) - dependabot-bundler (0.288.0) - dependabot-common (= 0.288.0) + dependabot-bundler (0.285.0) + dependabot-common (= 0.285.0) parallel (~> 1.24) - dependabot-cargo (0.288.0) - dependabot-common (= 0.288.0) - dependabot-common (0.288.0) + dependabot-cargo (0.285.0) + dependabot-common (= 0.285.0) + dependabot-common (0.285.0) aws-sdk-codecommit (~> 1.28) aws-sdk-ecr (~> 1.5) bundler (>= 1.16, < 3.0.0) 
@@ -56,64 +56,64 @@ GEM sorbet-runtime (~> 0.5.11577) stackprof (~> 0.2.16) toml-rb (>= 1.1.2, < 4.0) - dependabot-composer (0.288.0) - dependabot-common (= 0.288.0) - dependabot-devcontainers (0.288.0) - dependabot-common (= 0.288.0) - dependabot-docker (0.288.0) - dependabot-common (= 0.288.0) - dependabot-dotnet_sdk (0.288.0) - dependabot-common (= 0.288.0) - dependabot-elm (0.288.0) - dependabot-common (= 0.288.0) - dependabot-git_submodules (0.288.0) - dependabot-common (= 0.288.0) + dependabot-composer (0.285.0) + dependabot-common (= 0.285.0) + dependabot-devcontainers (0.285.0) + dependabot-common (= 0.285.0) + dependabot-docker (0.285.0) + dependabot-common (= 0.285.0) + dependabot-dotnet_sdk (0.285.0) + dependabot-common (= 0.285.0) + dependabot-elm (0.285.0) + dependabot-common (= 0.285.0) + dependabot-git_submodules (0.285.0) + dependabot-common (= 0.285.0) parseconfig (~> 1.0, < 1.1.0) - dependabot-github_actions (0.288.0) - dependabot-common (= 0.288.0) - dependabot-go_modules (0.288.0) - dependabot-common (= 0.288.0) - dependabot-gradle (0.288.0) - dependabot-common (= 0.288.0) - dependabot-maven (= 0.288.0) - dependabot-hex (0.288.0) - dependabot-common (= 0.288.0) - dependabot-maven (0.288.0) - dependabot-common (= 0.288.0) - dependabot-npm_and_yarn (0.288.0) - dependabot-common (= 0.288.0) - dependabot-nuget (0.288.0) - dependabot-common (= 0.288.0) + dependabot-github_actions (0.285.0) + dependabot-common (= 0.285.0) + dependabot-go_modules (0.285.0) + dependabot-common (= 0.285.0) + dependabot-gradle (0.285.0) + dependabot-common (= 0.285.0) + dependabot-maven (= 0.285.0) + dependabot-hex (0.285.0) + dependabot-common (= 0.285.0) + dependabot-maven (0.285.0) + dependabot-common (= 0.285.0) + dependabot-npm_and_yarn (0.285.0) + dependabot-common (= 0.285.0) + dependabot-nuget (0.285.0) + dependabot-common (= 0.285.0) rubyzip (>= 2.3.2, < 3.0) - dependabot-omnibus (0.288.0) - dependabot-bundler (= 0.288.0) - dependabot-cargo (= 0.288.0) - 
dependabot-common (= 0.288.0) - dependabot-composer (= 0.288.0) - dependabot-devcontainers (= 0.288.0) - dependabot-docker (= 0.288.0) - dependabot-dotnet_sdk (= 0.288.0) - dependabot-elm (= 0.288.0) - dependabot-git_submodules (= 0.288.0) - dependabot-github_actions (= 0.288.0) - dependabot-go_modules (= 0.288.0) - dependabot-gradle (= 0.288.0) - dependabot-hex (= 0.288.0) - dependabot-maven (= 0.288.0) - dependabot-npm_and_yarn (= 0.288.0) - dependabot-nuget (= 0.288.0) - dependabot-pub (= 0.288.0) - dependabot-python (= 0.288.0) - dependabot-swift (= 0.288.0) - dependabot-terraform (= 0.288.0) - dependabot-pub (0.288.0) - dependabot-common (= 0.288.0) - dependabot-python (0.288.0) - dependabot-common (= 0.288.0) - dependabot-swift (0.288.0) - dependabot-common (= 0.288.0) - dependabot-terraform (0.288.0) - dependabot-common (= 0.288.0) + dependabot-omnibus (0.285.0) + dependabot-bundler (= 0.285.0) + dependabot-cargo (= 0.285.0) + dependabot-common (= 0.285.0) + dependabot-composer (= 0.285.0) + dependabot-devcontainers (= 0.285.0) + dependabot-docker (= 0.285.0) + dependabot-dotnet_sdk (= 0.285.0) + dependabot-elm (= 0.285.0) + dependabot-git_submodules (= 0.285.0) + dependabot-github_actions (= 0.285.0) + dependabot-go_modules (= 0.285.0) + dependabot-gradle (= 0.285.0) + dependabot-hex (= 0.285.0) + dependabot-maven (= 0.285.0) + dependabot-npm_and_yarn (= 0.285.0) + dependabot-nuget (= 0.285.0) + dependabot-pub (= 0.285.0) + dependabot-python (= 0.285.0) + dependabot-swift (= 0.285.0) + dependabot-terraform (= 0.285.0) + dependabot-pub (0.285.0) + dependabot-common (= 0.285.0) + dependabot-python (0.285.0) + dependabot-common (= 0.285.0) + dependabot-swift (0.285.0) + dependabot-common (= 0.285.0) + dependabot-terraform (0.285.0) + dependabot-common (= 0.285.0) diff-lcs (1.5.1) docile (1.4.1) docker_registry2 (1.18.2) 
@@ -198,7 +198,7 @@ GEM mime-types-data (~> 3.2015) mime-types-data (3.2024.1105) mini_mime (1.1.5) - mini_portile2 (2.8.8) + mini_portile2 (2.8.7) multi_xml (0.7.1) bigdecimal (~> 3.1) netrc (0.11.0) @@ -358,7 +358,7 @@ GEM simplecov_json_formatter (~> 0.1) simplecov-html (0.13.1) simplecov_json_formatter (0.1.4) - sorbet-runtime (0.5.11663) + sorbet-runtime (0.5.11645) stackprof (0.2.26) stringio (3.1.2) terminal-table (3.0.2) @@ -397,7 +397,7 @@ PLATFORMS DEPENDENCIES debug (~> 1.9.2) - dependabot-omnibus (~> 0.288.0) + dependabot-omnibus (~> 0.285.0) flamegraph (~> 0.9.5) gpgme (~> 2.0) http (~> 5.2) diff --git a/updater/lib/dependabot/api_client.rb b/updater/lib/dependabot/api_client.rb index c0ebe9be..24b40822 100644 --- a/updater/lib/dependabot/api_client.rb +++ b/updater/lib/dependabot/api_client.rb @@ -21,8 +21,6 @@ class ApiError < StandardError; end class ApiClient extend T::Sig - MAX_REQUEST_RETRIES = 3 - sig { params(base_url: String, job_id: T.any(String, Integer), job_token: String).void } def initialize(base_url, job_id, job_token) @base_url = base_url @@ -45,7 +43,7 @@ def create_pull_request(dependency_change, base_commit_sha) rescue HTTP::ConnectionError, OpenSSL::SSL::SSLError retry_count ||= 0 retry_count += 1 - raise if retry_count > MAX_REQUEST_RETRIES + raise if retry_count > 3 sleep(rand(3.0..10.0)) retry @@ -74,7 +72,7 @@ def update_pull_request(dependency_change, base_commit_sha) rescue HTTP::ConnectionError, OpenSSL::SSL::SSLError retry_count ||= 0 retry_count += 1 - raise if retry_count > MAX_REQUEST_RETRIES + raise if retry_count > 3 sleep(rand(3.0..10.0)) retry @@ -94,7 +92,7 @@ def close_pull_request(dependency_names, reason) rescue HTTP::ConnectionError, OpenSSL::SSL::SSLError retry_count ||= 0 retry_count += 1 - raise if retry_count > MAX_REQUEST_RETRIES + raise if retry_count > 3 sleep(rand(3.0..10.0)) retry 
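Review bot: Dropping `MAX_REQUEST_RETRIES` replaces a named limit with the bare literal `3` in nine separate rescue blocks — `create_pull_request`, `update_pull_request` and `close_pull_request` here, and `record_update_job_error`, `record_update_job_warning`, `record_update_job_unknown_error`, `mark_job_as_processed`, `update_dependency_list` and `record_ecosystem_versions` in the following hunks — so the retry budget now has to be edited in nine places and its meaning is stated nowhere. Since `retry_count` is incremented before the `> 3` comparison, the literal means three retries after the initial attempt (four requests in total), which the constant's name used to convey. If the constant has to go (this reads like a revert), at least annotate the comparison, e.g. `raise if retry_count > 3 # three retries after the first attempt`; otherwise keep `MAX_REQUEST_RETRIES = 3` and reference it from each rescue. The enclosing methods begin and end outside these hunks.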
@@ -121,7 +119,7 @@ def record_update_job_error(error_type:, error_details:) rescue HTTP::ConnectionError, OpenSSL::SSL::SSLError retry_count ||= 0 retry_count += 1 - raise if retry_count > MAX_REQUEST_RETRIES + raise if retry_count > 3 sleep(rand(3.0..10.0)) retry @@ -156,7 +154,7 @@ def record_update_job_warning(warn_type:, warn_title:, warn_description:) rescue HTTP::ConnectionError, OpenSSL::SSL::SSLError retry_count ||= 0 retry_count += 1 - raise if retry_count > MAX_REQUEST_RETRIES + raise if retry_count > 3 sleep(rand(3.0..10.0)) retry @@ -182,7 +180,7 @@ def record_update_job_unknown_error(error_type:, error_details:) rescue HTTP::ConnectionError, OpenSSL::SSL::SSLError retry_count ||= 0 retry_count += 1 - raise if retry_count > MAX_REQUEST_RETRIES + raise if retry_count > 3 sleep(rand(3.0..10.0)) retry @@ -202,7 +200,7 @@ def mark_job_as_processed(base_commit_sha) rescue HTTP::ConnectionError, OpenSSL::SSL::SSLError retry_count ||= 0 retry_count += 1 - raise if retry_count > MAX_REQUEST_RETRIES + raise if retry_count > 3 sleep(rand(3.0..10.0)) retry @@ -226,7 +224,7 @@ def update_dependency_list(dependencies, dependency_files) rescue HTTP::ConnectionError, OpenSSL::SSL::SSLError retry_count ||= 0 retry_count += 1 - raise if retry_count > MAX_REQUEST_RETRIES + raise if retry_count > 3 sleep(rand(3.0..10.0)) retry @@ -245,7 +243,7 @@ def record_ecosystem_versions(ecosystem_versions) rescue HTTP::ConnectionError, OpenSSL::SSL::SSLError retry_count ||= 0 retry_count += 1 - raise if retry_count > MAX_REQUEST_RETRIES + raise if retry_count > 3 sleep(rand(3.0..10.0)) retry 
@@ -276,86 +274,8 @@ def increment_metric(metric, tags:) end end - sig { params(ecosystem: T.nilable(Ecosystem)).void } - def record_ecosystem_meta(ecosystem) - return unless Dependabot::Experiments.enabled?(:enable_record_ecosystem_meta) - - return if ecosystem.nil? - - begin - ::Dependabot::OpenTelemetry.tracer.in_span("record_ecosystem_meta", kind: :internal) do |_span| - api_url = "#{base_url}/update_jobs/#{job_id}/record_ecosystem_meta" - - body = { - data: [ - { - ecosystem: { - name: ecosystem.name, - package_manager: version_manager_json(ecosystem.package_manager), - language: version_manager_json(ecosystem.language) - } - } - ] - } - - retry_count = 0 - - begin - response = http_client.post(api_url, json: body) - raise ApiError, response.body if response.code >= 400 - rescue HTTP::ConnectionError, OpenSSL::SSL::SSLError, ApiError => e - retry_count += 1 - if retry_count <= MAX_REQUEST_RETRIES - sleep(rand(3.0..10.0)) - retry - else - Dependabot.logger.error( - "Failed to record ecosystem meta after #{MAX_REQUEST_RETRIES} retries: #{e.message}" - ) - end - end - end - rescue StandardError => e - Dependabot.logger.error("Failed to record ecosystem meta: #{e.message}") - end - end - private - # Update return type to allow returning a Hash or nil - sig do - params(version_manager: T.nilable(Dependabot::Ecosystem::VersionManager)) - .returns(T.nilable(T::Hash[String, T.untyped])) - end - def version_manager_json(version_manager) - return nil unless version_manager - - { - name: version_manager.name, - raw_version: version_manager.version.to_semver.to_s, - version: version_manager.version.to_s, - requirement: version_manager_requirement_json(version_manager) - } - end - - # Update return type to allow returning a Hash or nil - sig do - params(version_manager: Dependabot::Ecosystem::VersionManager) - .returns(T.nilable(T::Hash[String, T.untyped])) - end - def version_manager_requirement_json(version_manager) - requirement = version_manager.requirement - return 
nil unless requirement - - { - raw_constraint: requirement.constraints.join(", "), - min_raw_version: requirement.min_version&.to_semver.to_s, - min_version: requirement.min_version&.to_s, - max_raw_version: requirement.max_version&.to_semver.to_s, - max_version: requirement.max_version&.to_s - } - end - sig { returns(String) } attr_reader :base_url diff --git a/updater/lib/dependabot/service.rb b/updater/lib/dependabot/service.rb index 828fd494..c8cb0f2e 100644 --- a/updater/lib/dependabot/service.rb +++ b/updater/lib/dependabot/service.rb @@ -38,8 +38,7 @@ def initialize(client:) def_delegators :client, :mark_job_as_processed, :record_ecosystem_versions, - :increment_metric, - :record_ecosystem_meta + :increment_metric sig { void } def wait_for_calls_to_finish diff --git a/updater/lib/dependabot/updater/group_update_refreshing.rb b/updater/lib/dependabot/updater/group_update_refreshing.rb index 2067b53a..74b18269 100644 --- a/updater/lib/dependabot/updater/group_update_refreshing.rb +++ b/updater/lib/dependabot/updater/group_update_refreshing.rb @@ -41,9 +41,6 @@ def upsert_pull_request_with_error_handling(dependency_change, group) end rescue StandardError => e error_handler.handle_job_error(error: e, dependency_group: dependency_snapshot.job_group) - ensure - # record metrics for the ecosystem - service.record_ecosystem_meta(dependency_snapshot.ecosystem) end # Having created the dependency_change, we need to determine the right strategy to apply it to the project: diff --git a/updater/lib/dependabot/updater/operations/create_group_update_pull_request.rb b/updater/lib/dependabot/updater/operations/create_group_update_pull_request.rb index 99b4e430..91c047ba 100644 --- a/updater/lib/dependabot/updater/operations/create_group_update_pull_request.rb +++ b/updater/lib/dependabot/updater/operations/create_group_update_pull_request.rb 
@@ -64,8 +64,6 @@ def perform service.create_pull_request(T.must(dependency_change), dependency_snapshot.base_commit_sha) rescue StandardError => e error_handler.handle_job_error(error: e, dependency_group: group) - ensure - service.record_ecosystem_meta(dependency_snapshot.ecosystem) end else Dependabot.logger.info("Nothing to update for Dependency Group: '#{group.name}'") diff --git a/updater/lib/dependabot/updater/operations/create_security_update_pull_request.rb b/updater/lib/dependabot/updater/operations/create_security_update_pull_request.rb index 1f6945c9..156a48f3 100644 --- a/updater/lib/dependabot/updater/operations/create_security_update_pull_request.rb +++ b/updater/lib/dependabot/updater/operations/create_security_update_pull_request.rb @@ -100,8 +100,6 @@ def check_and_create_pr_with_error_handling(dependency) ) rescue StandardError => e error_handler.handle_dependency_error(error: e, dependency: dependency) - ensure - service.record_ecosystem_meta(dependency_snapshot.ecosystem) end # rubocop:disable Metrics/AbcSize diff --git a/updater/lib/dependabot/updater/operations/refresh_security_update_pull_request.rb b/updater/lib/dependabot/updater/operations/refresh_security_update_pull_request.rb index e397871f..ab94b2fa 100644 --- a/updater/lib/dependabot/updater/operations/refresh_security_update_pull_request.rb +++ b/updater/lib/dependabot/updater/operations/refresh_security_update_pull_request.rb @@ -61,9 +61,6 @@ def perform check_and_update_pull_request(dependencies) rescue StandardError => e error_handler.handle_dependency_error(error: e, dependency: dependencies.last) - ensure - # Record ecosystem metrics for the update job - service.record_ecosystem_meta(dependency_snapshot.ecosystem) end private diff --git a/updater/lib/dependabot/updater/operations/refresh_version_update_pull_request.rb b/updater/lib/dependabot/updater/operations/refresh_version_update_pull_request.rb index 29a13cb2..aafa2b2e 100644 
--- a/updater/lib/dependabot/updater/operations/refresh_version_update_pull_request.rb +++ b/updater/lib/dependabot/updater/operations/refresh_version_update_pull_request.rb @@ -67,8 +67,6 @@ def perform check_and_update_pull_request(dependencies) rescue StandardError => e error_handler.handle_dependency_error(error: e, dependency: dependency) - ensure - service.record_ecosystem_meta(dependency_snapshot.ecosystem) end private diff --git a/updater/lib/dependabot/updater/operations/update_all_versions.rb b/updater/lib/dependabot/updater/operations/update_all_versions.rb index 85f8aa2c..bdcc9a20 100644 --- a/updater/lib/dependabot/updater/operations/update_all_versions.rb +++ b/updater/lib/dependabot/updater/operations/update_all_versions.rb @@ -93,10 +93,8 @@ def dependencies def check_and_create_pr_with_error_handling(dependency) check_and_create_pull_request(dependency) rescue URI::InvalidURIError => e - error_handler.handle_dependency_error( - error: Dependabot::DependencyFileNotResolvable.new(e.message), - dependency: dependency - ) + error_handler.handle_dependency_error(error: Dependabot::DependencyFileNotResolvable.new(e.message), + dependency: dependency) rescue Dependabot::InconsistentRegistryResponse => e error_handler.log_dependency_error( dependency: dependency, @@ -106,8 +104,6 @@ def check_and_create_pr_with_error_handling(dependency) ) rescue StandardError => e process_dependency_error(e, dependency) - ensure - service.record_ecosystem_meta(dependency_snapshot.ecosystem) end # rubocop:disable Metrics/AbcSize diff --git a/updater/spec/dependabot/api_client_spec.rb b/updater/spec/dependabot/api_client_spec.rb index af0cd8dd..36779ba6 100644 --- a/updater/spec/dependabot/api_client_spec.rb +++ b/updater/spec/dependabot/api_client_spec.rb 
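Review bot: The reshaped `handle_dependency_error(` call in `check_and_create_pr_with_error_handling` (update_all_versions.rb) now tucks its second keyword argument under the first on a continuation line, while the `log_dependency_error(` call a few lines below in the same rescue chain keeps one argument per line with the closing parenthesis on its own line; two layouts for sibling calls in one method is a style inconsistency this change does not need to introduce. Keep the per-line layout the hunk removes so both calls read the same, or restyle both together. The method's remaining rescue clauses and its `end` lie in the next hunk, which only removes the `ensure` block.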
@@ -77,7 +77,7 @@ before do allow(Dependabot::PullRequestCreator::MessageBuilder).to receive_message_chain(:new, :message).and_return(message) - allow(Dependabot::Experiments).to receive(:enabled?).with(:enable_record_ecosystem_meta).and_return(true) + stub_request(:post, create_pull_request_url) .to_return(status: 204, headers: headers) end 
@@ -509,87 +509,4 @@ end end end - - describe "record_ecosystem_meta" do - before do - allow(Dependabot::Experiments).to receive(:enabled?).with(:enable_record_ecosystem_meta).and_return(true) - end - - let(:ecosystem) do - Dependabot::Ecosystem.new( - name: "bundler", - package_manager: instance_double( - Dependabot::Ecosystem::VersionManager, - name: "bundler", - version: Dependabot::Version.new("2.1.4"), - requirement: instance_double( - Dependabot::Requirement, - constraints: [">= 2.0"], - min_version: Dependabot::Version.new("2.0.0"), - max_version: Dependabot::Version.new("3.0.0") - ) - ), - language: instance_double( - Dependabot::Ecosystem::VersionManager, - name: "ruby", - version: Dependabot::Version.new("2.7.0"), - requirement: nil - ) - ) - end - let(:record_ecosystem_meta_url) { "http://example.com/update_jobs/1/record_ecosystem_meta" } - - it "hits the correct endpoint" do - client.record_ecosystem_meta(ecosystem) - - expect(WebMock) - .to have_requested(:post, record_ecosystem_meta_url) - .with(headers: { "Authorization" => "token" }) - end - - it "encodes the payload correctly" do - client.record_ecosystem_meta(ecosystem) - - expect(WebMock).to(have_requested(:post, record_ecosystem_meta_url).with do |req| - data = JSON.parse(req.body)["data"][0]["ecosystem"] - - expect(data).not_to be_nil # Ensure data is present - expect(data["name"]).to eq("bundler") - expect(data["package_manager"]).to include( - "name" => "bundler", - "raw_version" => "2.1.4", - "version" => "2.1.4", - "requirement" => { - "max_raw_version" => "3.0.0", - "max_version" => "3.0.0", - "min_raw_version" => "2.0.0", - "min_version" => "2.0.0", - "raw_constraint" => ">= 2.0" - } - ) - expect(data["language"]).to include( - "name" => "ruby", - "version" => "2.7.0" - ) - end) - end - - context "when ecosystem is nil" do - it "does not send a request" do - client.record_ecosystem_meta(nil) - expect(WebMock).not_to have_requested(:post, record_ecosystem_meta_url) - end - end - - context 
"when feature flag is disabled" do - before do - allow(Dependabot::Experiments).to receive(:enabled?).with(:enable_record_ecosystem_meta).and_return(false) - end - - it "does not send a request" do - client.record_ecosystem_meta(ecosystem) - expect(WebMock).not_to have_requested(:post, record_ecosystem_meta_url) - end - end - end end