diff --git a/.dockerignore b/.dockerignore
index 3729ff0c..b6900a6f 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,25 +1,27 @@
-**/.classpath
-**/.dockerignore
-**/.env
-**/.git
-**/.gitignore
-**/.project
-**/.settings
-**/.toolstarget
-**/.vs
-**/.vscode
-**/*.*proj.user
-**/*.dbmdl
-**/*.jfm
-**/azds.yaml
-**/bin
-**/charts
-**/docker-compose*
-**/Dockerfile*
+/.core-bash_history
+/.env
+/.envrc
+/.git
+/.github
+/.vscode-server-insiders/
+/.vscode-server/
+/.vscode/
+/dependabot-*.gem
+/dry-run
+/pkg
+/vendor
+/tmp
+**/.bundle
+**/coverage
+**/Gemfile.lock
+!updater/Gemfile.lock
+!updater/spec/fixtures/**/Gemfile.lock
 **/node_modules
-**/npm-debug.log
-**/obj
-**/secrets.dev.yaml
-**/values.dev.yaml
-LICENSE
-README.md
\ No newline at end of file
+!**/spec/fixtures/*
+git.store
+.DS_Store
+*.pyc
+.dockerignore
+Dockerfile*
+*.md
+CODEOWNERS
diff --git a/.dockerignore-old b/.dockerignore-old
new file mode 100644
index 00000000..3729ff0c
--- /dev/null
+++ b/.dockerignore-old
@@ -0,0 +1,25 @@
+**/.classpath
+**/.dockerignore
+**/.env
+**/.git
+**/.gitignore
+**/.project
+**/.settings
+**/.toolstarget
+**/.vs
+**/.vscode
+**/*.*proj.user
+**/*.dbmdl
+**/*.jfm
+**/azds.yaml
+**/bin
+**/charts
+**/docker-compose*
+**/Dockerfile*
+**/node_modules
+**/npm-debug.log
+**/obj
+**/secrets.dev.yaml
+**/values.dev.yaml
+LICENSE
+README.md
\ No newline at end of file
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 3e646b6d..6ca43022 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
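Review bot: Replacing `-**/.env` with `+/.env` narrows the exclusion to the build-context root, while the new Dockerfile copies the whole `updater` tree (`COPY --chown=dependabot:dependabot updater $DEPENDABOT_HOME/dependabot-updater`), so an `updater/.env` or `updater/.envrc` left in a working copy would now be baked into the image. The previous pattern was recursive; keep that property with `**/.env` and `**/.envrc` in addition to the root-anchored entries. `/.git` has the same root-only scope, so if the submodule is checked out in the usual way its `dependabot-core/.git` gitdir link is picked up by `COPY dependabot-core dependabot-core/` — harmless, but `**/.git` would keep it out as before.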
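Review bot: `.dockerignore-old` is a byte-for-byte copy of the `.dockerignore` this commit replaces (its blob id `3729ff0c` is the pre-image of the `.dockerignore` hunk) and nothing in the diff reads it, so it only leaves two ignore lists in the tree with no indication of which one the build honours. Git history already preserves the old content; drop the file, and treat the retained `Dockerfile-old` the same way. If a reference copy is really wanted, park it under `docs/` with a one-line header saying it is not used by the build.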
@@ -5,32 +5,32 @@ version: 2 updates: -- package-ecosystem: "bundler" # See documentation for possible values - directory: "/script" # Location of package manifests +- package-ecosystem: "github-actions" # See documentation for possible values + directory: "/" # Location of package manifests schedule: interval: "weekly" time: "04:00" open-pull-requests-limit: 10 -- package-ecosystem: "docker" # See documentation for possible values - directory: "/script" # Location of package manifests +- package-ecosystem: "gitsubmodule" # See documentation for possible values + directory: "/" # Location of package manifests schedule: interval: "weekly" time: "04:00" open-pull-requests-limit: 10 -- package-ecosystem: "gitsubmodule" # See documentation for possible values - directory: "/" # Location of package manifests +- package-ecosystem: "bundler" # See documentation for possible values + directory: "/script" # Location of package manifests schedule: interval: "weekly" time: "04:00" open-pull-requests-limit: 10 -- package-ecosystem: "npm" # See documentation for possible values - directory: "/extension" # Location of package manifests +- package-ecosystem: "docker" # See documentation for possible values + directory: "/" # Location of package manifests schedule: interval: "weekly" time: "04:00" open-pull-requests-limit: 10 -- package-ecosystem: "github-actions" # See documentation for possible values - directory: "/" # Location of package manifests +- package-ecosystem: "npm" # See documentation for possible values + directory: "/extension" # Location of package manifests schedule: interval: "weekly" time: "04:00" diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index f7c7b87a..7805eb3b 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml 
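Review bot: The `docker` entry's `directory: "/"` now points Dependabot at the repository root, where this commit places both `Dockerfile` and the retained `Dockerfile-old`, so base-image update PRs will also be opened against a file the workflow no longer builds (the `docker.yml` hunk passes `-f Dockerfile` only). Remove `Dockerfile-old`, or accept duplicate PRs for every base-image bump. Separately, the hunk reorders all five `updates` entries although only the `docker` entry's `directory` actually changes (`"/script"` → `"/"`); keeping the original order would reduce this to a one-line change and make the real edit reviewable.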
@@ -8,16 +8,18 @@ on: - '*' paths: - "script/**" + - "Dockerfile" - ".github/workflows/docker.yml" - - "!script/README.md" + - "!docs/**" pull_request: branches: # Only trigger for PRs against `main` branch. - main paths: - "script/**" + - "Dockerfile" - ".github/workflows/docker.yml" - - "!script/README.md" + - "!docs/**" jobs: dockerize: @@ -50,14 +52,14 @@ jobs: - name: Build image run: | docker build \ - -f script/Dockerfile \ + -f Dockerfile \ -t "tingle/$IMAGE_NAME:latest" \ -t "tingle/$IMAGE_NAME:$GITVERSION_FULLSEMVER" \ -t "tingle/$IMAGE_NAME:$GITVERSION_MAJOR.$GITVERSION_MINOR" \ -t "tingle/$IMAGE_NAME:$GITVERSION_MAJOR" \ --cache-from tingle/$IMAGE_NAME:latest \ --build-arg BUILDKIT_INLINE_CACHE=1 \ - script + . - name: Log into registry (Docker Hub) if: ${{ (github.ref == 'refs/heads/main') || (!startsWith(github.ref, 'refs/pull')) || startsWith(github.ref, 'refs/tags') }} diff --git a/.github/workflows/extension.yml b/.github/workflows/extension.yml index 4485d410..e2847826 100644 --- a/.github/workflows/extension.yml +++ b/.github/workflows/extension.yml @@ -10,6 +10,7 @@ on: - "extension/**" - ".github/workflows/extension.yml" - "!extension/README.md" + - "!docs/**" pull_request: branches: # Only trigger for PRs against `main` branch. @@ -18,6 +19,7 @@ on: - "extension/**" - ".github/workflows/extension.yml" - "!extension/README.md" + - "!docs/**" jobs: Build: diff --git a/.gitmodules b/.gitmodules index 59496b35..d876f953 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,3 @@ -[submodule "script/dependabot-core"] - path = script/dependabot-core +[submodule "dependabot-core"] + path = dependabot-core url = https://github.com/dependabot/dependabot-core.git diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 00000000..fb811fd0 --- /dev/null +++ b/Dockerfile 
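Review bot: Both `paths` filters still list `"script/**"`, but this commit empties that directory (`script/Gemfile` is deleted, the `.rb` files and `entrypoint.sh` move to `updater/bin/`, the submodule to `dependabot-core`) and the new Dockerfile builds from `updater/` and `dependabot-core/`, so edits to the code that actually lands in the image no longer trigger this workflow. Replace the entry with `- "updater/**"` and add `- "dependabot-core"` (the submodule gitlink) and `- ".gitmodules"` so submodule bumps rebuild as well. The added `- "!docs/**"` lines are no-ops here and in both `extension.yml` hunks: a negative pattern only removes paths already matched by an earlier positive pattern, and none of the positive patterns match anything under `docs/`.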
@@ -0,0 +1,42 @@
+# The tagged versions are currently slow (sometimes it takes months)
+# We temporarily switch to getting the gem from git.
+# When the changes to this repository are no longer many/major,
+# we can switch back to using the tagged versions.
+
+# FROM dependabot/dependabot-core:0.215.0
+FROM dependabot/dependabot-core@sha256:3681373aeb07e29fdf30c7a03713195424636fd1cafd569c424a96af27d37735
+
+ENV DEPENDABOT_HOME /home/dependabot
+WORKDIR ${DEPENDABOT_HOME}
+
+COPY --chown=dependabot:dependabot updater/Gemfile updater/Gemfile.lock dependabot-updater/
+COPY --chown=dependabot:dependabot dependabot-core dependabot-core/
+
+WORKDIR $DEPENDABOT_HOME/dependabot-updater
+
+RUN bundle config set --local path 'vendor' && \
+ bundle config set --local frozen 'true' && \
+ bundle config set --local without 'development' && \
+ bundle install
+
+# Project files are known to change more frequently than Gemfiles.
+# They are copied after installation of dependencies so that the
+# image layers that change less frequently are available for caching
+# and hence be reused in subsequent builds.
+# For more information:
+# https://docs.docker.com/develop/develop-images/build_enhancements/
+# https://testdriven.io/blog/faster-ci-builds-with-docker-cache/
+
+# Add project
+COPY --chown=dependabot:dependabot LICENSE $DEPENDABOT_HOME
+COPY --chown=dependabot:dependabot updater $DEPENDABOT_HOME/dependabot-updater
+
+WORKDIR $DEPENDABOT_HOME/dependabot-updater
+
+# This entrypoint exists to solve specific setup problems.
+# It is only used with the extension and directly on Docker.
+# Hosted version does not allow this.
+ENTRYPOINT ["bin/entrypoint.sh"]
+
+# Run update script
+CMD ["bundle", "exec", "ruby", "bin/update-script.rb"]
diff --git a/script/Dockerfile b/Dockerfile-old
similarity index 79%
rename from script/Dockerfile
rename to Dockerfile-old
index b3e69ae0..52241fd1 100644
--- a/script/Dockerfile
+++ b/Dockerfile-old
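Review bot: `ENTRYPOINT ["bin/entrypoint.sh"]` now relies on the executable bit git records for `updater/bin/entrypoint.sh` (this commit flips it to `100755`), whereas the previous `script/Dockerfile` forced it with `COPY --chmod=755`; a checkout that loses the bit (for example with `core.fileMode=false`) produces an image whose container fails at start. Keep the mode explicit in the image, either `COPY --chown=dependabot:dependabot --chmod=755 updater/bin/entrypoint.sh $DEPENDABOT_HOME/dependabot-updater/bin/` after the `COPY ... updater` line or `RUN chmod 755 bin/entrypoint.sh`. The second `WORKDIR $DEPENDABOT_HOME/dependabot-updater` repeats the one already set before the `RUN bundle ...` step and can be removed. `ENV DEPENDABOT_HOME /home/dependabot` uses the legacy space-separated form; `ENV DEPENDABOT_HOME=/home/dependabot` is the documented spelling.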
@@ -6,15 +6,15 @@ # FROM dependabot/dependabot-core:0.215.0 FROM dependabot/dependabot-core@sha256:3681373aeb07e29fdf30c7a03713195424636fd1cafd569c424a96af27d37735 -# Copy the Gemfile and Gemfile.lock +# Copy core logic +COPY dependabot-core dependabot-core/ + +# Copy Gemfile and Gemfile.lock ARG CODE_DIR=/home/dependabot/dependabot-script RUN mkdir -p ${CODE_DIR} -COPY --chown=dependabot:dependabot Gemfile Gemfile.lock ${CODE_DIR}/ +COPY --chown=dependabot:dependabot script/Gemfile script/Gemfile.lock ${CODE_DIR}/ WORKDIR ${CODE_DIR} -# Copy core logic -COPY dependabot-core dependabot-core/ - # Install dependencies RUN bundle config set --local path "vendor" \ && bundle install --jobs 4 --retry 3 @@ -28,10 +28,10 @@ RUN bundle config set --local path "vendor" \ # https://testdriven.io/blog/faster-ci-builds-with-docker-cache/ # Copy the Ruby scripts -COPY --chown=dependabot:dependabot update-script.rb ${CODE_DIR} -COPY --chown=dependabot:dependabot azure_helpers.rb ${CODE_DIR} -COPY --chown=dependabot:dependabot vulnerabilities.rb ${CODE_DIR} -COPY --chown=dependabot:dependabot --chmod=755 entrypoint.sh ${CODE_DIR} +COPY --chown=dependabot:dependabot script/update-script.rb ${CODE_DIR} +COPY --chown=dependabot:dependabot script/azure_helpers.rb ${CODE_DIR} +COPY --chown=dependabot:dependabot script/vulnerabilities.rb ${CODE_DIR} +COPY --chown=dependabot:dependabot --chmod=755 script/entrypoint.sh ${CODE_DIR} # This entrypoint exists to solve specific setup problems. # It is only used with the extension and directly on Docker. diff --git a/README.md b/README.md index 8647ab82..b95dbf3d 100644 --- a/README.md +++ b/README.md 
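Review bot: The rewritten `COPY` lines reference `script/Gemfile`, `script/Gemfile.lock`, `script/update-script.rb`, `script/azure_helpers.rb`, `script/vulnerabilities.rb` and `script/entrypoint.sh`, but this same commit deletes `script/Gemfile` and renames the lock and the scripts into `updater/`, so `Dockerfile-old` cannot build from the tree it is committed into. A Dockerfile that is known not to build is worse than none: delete it (the pre-rename version stays in history), or if it must remain for reference, open it with `# Not used by the build; superseded by ./Dockerfile. Paths below no longer exist in this tree.`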
@@ -68,7 +68,7 @@ A GitHub access token with `public_repo` access is required to perform the GitHu ## Kubernetes CronJob -A Kubernetes CronJobs is a useful resource for running tasks (a.k.a Jobs) on a recurring schedule. For more information on them read the [documentation](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/). Using the Docker image, we can create a CronJob and have it run periodically. The [environment variables](./script/README.md#environment-variables) are supplied in the job template but can be stored in a [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) for ease of reuse. +A Kubernetes CronJobs is a useful resource for running tasks (a.k.a Jobs) on a recurring schedule. For more information on them read the [documentation](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/). Using the Docker image, we can create a CronJob and have it run periodically. The [environment variables](./docs/docker.md#environment-variables) are supplied in the job template but can be stored in a [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) for ease of reuse. Use the [template provided](./cronjob-template.yaml) and replace the parameters in curly braces (e.g. replace `{{azure_organization}}` with the actual value for your organization), then deploy it. Be sure to replace the `{{k8s_schedule}}` variable with the desired schedule as per the [Cron format](https://en.wikipedia.org/wiki/Cron). diff --git a/advisories-example.json b/advisories-example.json index d7c34cd8..de586520 100644 --- a/advisories-example.json +++ b/advisories-example.json 
@@ -1,12 +1,12 @@
 [
- {
- "dependency-name": "Contoso.Utils",
- "patched-versions": [
- "3.0.1"
- ],
- "unaffected-versions": [],
- "affected-versions": [
- "< 3.0.1"
- ]
- }
+ {
+ "dependency-name": "Contoso.Utils",
+ "patched-versions": [
+ "3.0.1"
+ ],
+ "unaffected-versions": [],
+ "affected-versions": [
+ "< 3.0.1"
+ ]
+ }
 ]
\ No newline at end of file
diff --git a/script/dependabot-core b/dependabot-core
similarity index 100%
rename from script/dependabot-core
rename to dependabot-core
diff --git a/script/README.md b/docs/docker.md
similarity index 100%
rename from script/README.md
rename to docs/docker.md
diff --git a/script/Gemfile b/script/Gemfile
deleted file mode 100644
index 86a34569..00000000
--- a/script/Gemfile
+++ /dev/null
@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-source "https://rubygems.org"
-
-gem "dependabot-bundler", path: "dependabot-core/bundler"
-gem "dependabot-cargo", path: "dependabot-core/cargo"
-gem "dependabot-common", path: "dependabot-core/common"
-gem "dependabot-composer", path: "dependabot-core/composer"
-gem "dependabot-docker", path: "dependabot-core/docker"
-gem "dependabot-elm", path: "dependabot-core/elm"
-gem "dependabot-github_actions", path: "dependabot-core/github_actions"
-gem "dependabot-git_submodules", path: "dependabot-core/git_submodules"
-gem "dependabot-go_modules", path: "dependabot-core/go_modules"
-gem "dependabot-gradle", path: "dependabot-core/gradle"
-gem "dependabot-hex", path: "dependabot-core/hex"
-gem "dependabot-maven", path: "dependabot-core/maven"
-gem "dependabot-npm_and_yarn", path: "dependabot-core/npm_and_yarn"
-gem "dependabot-nuget", path: "dependabot-core/nuget"
-gem "dependabot-pub", path: "dependabot-core/pub"
-gem "dependabot-python", path: "dependabot-core/python"
-gem "dependabot-terraform", path: "dependabot-core/terraform"
diff --git a/updater/.gitignore b/updater/.gitignore
new file mode 100644
index 00000000..334d24eb
--- /dev/null
+++ b/updater/.gitignore
@@ -0,0 +1,3 @@ +/.bundle/ +/spec/examples.txt +/tmp/ diff --git a/updater/Gemfile b/updater/Gemfile new file mode 100644 index 00000000..b10ec402 --- /dev/null +++ b/updater/Gemfile @@ -0,0 +1,21 @@ +# frozen_string_literal: true + +source "https://rubygems.org" + +gem "dependabot-bundler", path: "../dependabot-core/bundler" +gem "dependabot-cargo", path: "../dependabot-core/cargo" +gem "dependabot-common", path: "../dependabot-core/common" +gem "dependabot-composer", path: "../dependabot-core/composer" +gem "dependabot-docker", path: "../dependabot-core/docker" +gem "dependabot-elm", path: "../dependabot-core/elm" +gem "dependabot-github_actions", path: "../dependabot-core/github_actions" +gem "dependabot-git_submodules", path: "../dependabot-core/git_submodules" +gem "dependabot-go_modules", path: "../dependabot-core/go_modules" +gem "dependabot-gradle", path: "../dependabot-core/gradle" +gem "dependabot-hex", path: "../dependabot-core/hex" +gem "dependabot-maven", path: "../dependabot-core/maven" +gem "dependabot-npm_and_yarn", path: "../dependabot-core/npm_and_yarn" +gem "dependabot-nuget", path: "../dependabot-core/nuget" +gem "dependabot-pub", path: "../dependabot-core/pub" +gem "dependabot-python", path: "../dependabot-core/python" +gem "dependabot-terraform", path: "../dependabot-core/terraform" diff --git a/script/Gemfile.lock b/updater/Gemfile.lock similarity index 88% rename from script/Gemfile.lock rename to updater/Gemfile.lock index 1c50e158..ce3f6409 100644 --- a/script/Gemfile.lock +++ b/updater/Gemfile.lock @@ -1,17 +1,17 @@ PATH - remote: dependabot-core/bundler + remote: ../dependabot-core/bundler specs: dependabot-bundler (0.215.0) dependabot-common (= 0.215.0) PATH - remote: dependabot-core/cargo + remote: ../dependabot-core/cargo specs: dependabot-cargo (0.215.0) dependabot-common (= 0.215.0) PATH - remote: dependabot-core/common + remote: ../dependabot-core/common specs: dependabot-common (0.215.0) activesupport (>= 6.0.0) 
@@ -30,87 +30,87 @@ PATH toml-rb (>= 1.1.2, < 3.0) PATH - remote: dependabot-core/composer + remote: ../dependabot-core/composer specs: dependabot-composer (0.215.0) dependabot-common (= 0.215.0) PATH - remote: dependabot-core/docker + remote: ../dependabot-core/docker specs: dependabot-docker (0.215.0) dependabot-common (= 0.215.0) PATH - remote: dependabot-core/elm + remote: ../dependabot-core/elm specs: dependabot-elm (0.215.0) dependabot-common (= 0.215.0) PATH - remote: dependabot-core/git_submodules + remote: ../dependabot-core/git_submodules specs: dependabot-git_submodules (0.215.0) dependabot-common (= 0.215.0) parseconfig (~> 1.0, < 1.1.0) PATH - remote: dependabot-core/github_actions + remote: ../dependabot-core/github_actions specs: dependabot-github_actions (0.215.0) dependabot-common (= 0.215.0) PATH - remote: dependabot-core/go_modules + remote: ../dependabot-core/go_modules specs: dependabot-go_modules (0.215.0) dependabot-common (= 0.215.0) PATH - remote: dependabot-core/gradle + remote: ../dependabot-core/gradle specs: dependabot-gradle (0.215.0) dependabot-common (= 0.215.0) dependabot-maven (= 0.215.0) PATH - remote: dependabot-core/hex + remote: ../dependabot-core/hex specs: dependabot-hex (0.215.0) dependabot-common (= 0.215.0) PATH - remote: dependabot-core/maven + remote: ../dependabot-core/maven specs: dependabot-maven (0.215.0) dependabot-common (= 0.215.0) PATH - remote: dependabot-core/npm_and_yarn + remote: ../dependabot-core/npm_and_yarn specs: dependabot-npm_and_yarn (0.215.0) dependabot-common (= 0.215.0) PATH - remote: dependabot-core/nuget + remote: ../dependabot-core/nuget specs: dependabot-nuget (0.215.0) dependabot-common (= 0.215.0) PATH - remote: dependabot-core/pub + remote: ../dependabot-core/pub specs: dependabot-pub (0.215.0) dependabot-common (= 0.215.0) PATH - remote: dependabot-core/python + remote: ../dependabot-core/python specs: dependabot-python (0.215.0) dependabot-common (= 0.215.0) PATH - remote: 
dependabot-core/terraform + remote: ../dependabot-core/terraform specs: dependabot-terraform (0.215.0) dependabot-common (= 0.215.0) diff --git a/script/azure_helpers.rb b/updater/bin/azure_helpers.rb similarity index 100% rename from script/azure_helpers.rb rename to updater/bin/azure_helpers.rb diff --git a/script/entrypoint.sh b/updater/bin/entrypoint.sh old mode 100644 new mode 100755 similarity index 100% rename from script/entrypoint.sh rename to updater/bin/entrypoint.sh diff --git a/script/update-script.rb b/updater/bin/update-script.rb similarity index 100% rename from script/update-script.rb rename to updater/bin/update-script.rb diff --git a/script/vulnerabilities.rb b/updater/bin/vulnerabilities.rb similarity index 100% rename from script/vulnerabilities.rb rename to updater/bin/vulnerabilities.rb diff --git a/updater/lib/dependabot/.gitkeep b/updater/lib/dependabot/.gitkeep new file mode 100644 index 00000000..e69de29b diff --git a/updater/spec/README.md b/updater/spec/README.md new file mode 100644 index 00000000..34e5f32b --- /dev/null +++ b/updater/spec/README.md @@ -0,0 +1,3 @@ +# HELP WANTED + +If you are reading this file it is because specs (a.k.a. tests) have not been added. We welcome contributions. Do not fear; there is a first time for everything.