From 6c7a3b7226cd0001501557469676d38a13ad8bfb Mon Sep 17 00:00:00 2001 From: Rob Aiken Date: Thu, 19 Dec 2024 12:09:41 +0000 Subject: [PATCH] Improve error handling for missing dependency versions for github actions (#11144) --- common/lib/dependabot/errors.rb | 22 +++++++++++++++++++ .../dependabot/github_actions/file_parser.rb | 6 +++++ .../github_actions/file_parser_spec.rb | 21 ++++++++++++++++++ .../workflow_files/unresolved_version.yml | 7 ++++++ 4 files changed, 56 insertions(+) create mode 100644 github_actions/spec/fixtures/workflow_files/unresolved_version.yml diff --git a/common/lib/dependabot/errors.rb b/common/lib/dependabot/errors.rb index b2e9b3dae0..69393d6e4b 100644 --- a/common/lib/dependabot/errors.rb +++ b/common/lib/dependabot/errors.rb @@ -144,6 +144,11 @@ def self.parser_error_details(error) "error-type": "git_dependencies_not_reachable", "error-detail": { "dependency-urls": error.dependency_urls } } + when Dependabot::UnresolvableVersionError + { + "error-type": "unresolvable_version", + "error-detail": { dependencies: error.dependencies } + } when Dependabot::NotImplemented { "error-type": "not_implemented", @@ -661,6 +666,23 @@ def initialize(dependencies) end end + class UnresolvableVersionError < DependabotError + extend T::Sig + + sig { returns(T::Array[String]) } + attr_reader :dependencies + + sig { params(dependencies: T::Array[String]).void } + def initialize(dependencies) + @dependencies = dependencies + + msg = "Unable to determine semantic version from tags or commits for dependencies. " \ + "Dependencies must have a tag or commit that references a semantic version. " \ + "Affected dependencies: #{@dependencies.join(', ')}" + super(msg) + end + end + class GitDependenciesNotReachable < DependabotError extend T::Sig diff --git a/github_actions/lib/dependabot/github_actions/file_parser.rb b/github_actions/lib/dependabot/github_actions/file_parser.rb index ace623218b..4198ebc221 100644 --- a/github_actions/lib/dependabot/github_actions/file_parser.rb +++ b/github_actions/lib/dependabot/github_actions/file_parser.rb @@ -35,6 +35,12 @@ def parse dependency_set += workfile_file_dependencies(file) end + dependencies_without_version = dependency_set.dependencies.select { |dep| dep.version.nil? } + unless dependencies_without_version.empty? + raise UnresolvableVersionError, + dependencies_without_version.map(&:name) + end + dependency_set.dependencies end diff --git a/github_actions/spec/dependabot/github_actions/file_parser_spec.rb b/github_actions/spec/dependabot/github_actions/file_parser_spec.rb index 8314b3b795..6ee4d2e6bd 100644 --- a/github_actions/spec/dependabot/github_actions/file_parser_spec.rb +++ b/github_actions/spec/dependabot/github_actions/file_parser_spec.rb @@ -560,5 +560,26 @@ def mock_service_pack_request(nwo) end end end + + context "with an unresolvable version" do + let(:workflow_file_fixture_name) { "unresolved_version.yml" } + let(:service_pack_url) do + "https://github.com/taiki-e/install-action.git/info/refs" \ + "?service=git-upload-pack" + end + + before do + mock_service_pack_request("taiki-e/install-action") + end + + it "raises an UnresolvableVersionError error" do + expect { parser.parse }.to raise_error( + Dependabot::UnresolvableVersionError, + "Unable to determine semantic version from tags or commits for dependencies. " \ + "Dependencies must have a tag or commit that references a semantic version. " \ + "Affected dependencies: taiki-e/install-action" + ) + end + end end end diff --git a/github_actions/spec/fixtures/workflow_files/unresolved_version.yml b/github_actions/spec/fixtures/workflow_files/unresolved_version.yml new file mode 100644 index 0000000000..432e2bf232 --- /dev/null +++ b/github_actions/spec/fixtures/workflow_files/unresolved_version.yml @@ -0,0 +1,7 @@ +on: [push] + +name: Integration +jobs: + chore: + steps: + - uses: taiki-e/install-action@nextest