Merge branch 'main' into patch-13

dependabot · Sep 26, 2024 · 74c0d87 · 74c0d87
2 parents aef7c68 + 60e6cba
commit 74c0d87
Show file tree

Hide file tree

Showing 402 changed files with 39,112 additions and 6,161 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -25,3 +25,5 @@ git.store
 Dockerfile*
 *.md
 CODEOWNERS
+**/.vs
+**/NuGetUpdater/artifacts
diff --git a/.github/issue-labeler.yml b/.github/issue-labeler.yml
@@ -17,7 +17,7 @@
     - '(elm)'
 
 "L: git:submodules":
-    - '(git|submodules)'
+    - '(submodules)'
 
 "L: github:actions":
     - '(actions)'

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,8 +1,5 @@
 name: Specs
 on:  # yamllint disable-line rule:truthy
-  push:
-    branches:
-      - "main"
   pull_request:
   schedule:
     - cron: "0 0 * * *"
@@ -49,6 +46,7 @@ jobs:
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
         id: changes
         with:
+          token: '' # use git commands to avoid excessive rate limit usage
           filters: .github/ci-filters.yml
 
       - name: Build ecosystem image
@@ -92,7 +90,7 @@ jobs:
       BUNDLE_GEMFILE: updater/Gemfile
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: ruby/setup-ruby@3a77c29278ae80936b4cb030fefc7d21c96c786f # v1.185.0
+      - uses: ruby/setup-ruby@161cd54b698f1fb3ea539faab2e036d409550e3c # v1.187.0
         with:
           bundler-cache: true
       - run: ./bin/lint
@@ -111,9 +109,9 @@ jobs:
       - name: Build ecosystem image
         run: script/build silent
       - name: Setup Go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: 1.21
+          go-version: 1.22
       - name: Download Dependabot CLI
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -12,8 +12,6 @@
 name: "CodeQL"
 
 on:  # yamllint disable-line rule:truthy
-  push:
-    branches: [ main ]
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ main ]
@@ -53,7 +51,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL (ruby)
-        uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
         with:
           languages: ${{ matrix.language }}
           config: |
@@ -63,15 +61,15 @@ jobs:
         if: matrix.language == 'ruby'
 
       - name: Initialize CodeQL (others)
-        uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
         with:
           languages: ${{ matrix.language }}
         if: matrix.language != 'ruby'
 
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/autobuild@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -85,4 +83,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
@@ -2,8 +2,6 @@
 name: Codespell
 
 on:  # yamllint disable-line rule:truthy
-  push:
-    branches: [main]
   pull_request:
     branches: [main]
 

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -22,4 +22,4 @@ jobs:
       - name: Checkout Repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Perform Dependency Review
-        uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
+        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
diff --git a/.github/workflows/gems-bump-version.yml b/.github/workflows/gems-bump-version.yml
@@ -31,7 +31,7 @@ jobs:
           ref: "main"
 
       # bump-version.rb needs bundler
-      - uses: ruby/setup-ruby@3a77c29278ae80936b4cb030fefc7d21c96c786f # v1.185.0
+      - uses: ruby/setup-ruby@161cd54b698f1fb3ea539faab2e036d409550e3c # v1.187.0
         with:
           # Use the version of bundler specified in `updater/Gemfile.lock`.
           # Otherwise the generated PR will change `BUNDLED WITH` in

diff --git a/.github/workflows/gems-release-to-rubygems.yml b/.github/workflows/gems-release-to-rubygems.yml
@@ -16,7 +16,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: ruby/setup-ruby@3a77c29278ae80936b4cb030fefc7d21c96c786f # v1.185.0
+      - uses: ruby/setup-ruby@161cd54b698f1fb3ea539faab2e036d409550e3c # v1.187.0
       - run: |
           [ -d ~/.gem ] || mkdir ~/.gem
           echo "---" > ~/.gem/credentials

diff --git a/.github/workflows/scorecards.yaml b/.github/workflows/scorecards.yaml
@@ -30,6 +30,6 @@ jobs:
           results_format: sarif
           publish_results: true
 
-      - uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+      - uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/smoke.yml b/.github/workflows/smoke.yml
@@ -3,8 +3,6 @@ name: Smoke
 
 on: # yamllint disable-line rule:truthy
   workflow_dispatch:
-  push:
-    branches: ["main"]
   pull_request:
     paths-ignore:
       - docs/**
@@ -31,6 +29,7 @@ jobs:
         if: github.event_name != 'workflow_dispatch'
         id: changes
         with:
+          token: "" # use git commands to avoid excessive rate limit usage
           filters: .github/smoke-filters.yml
 
       - name: Generate suites to run

diff --git a/.github/workflows/sorbet.yml b/.github/workflows/sorbet.yml
@@ -16,7 +16,7 @@ jobs:
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
-      - uses: ruby/setup-ruby@3a77c29278ae80936b4cb030fefc7d21c96c786f # v1.185.0
+      - uses: ruby/setup-ruby@161cd54b698f1fb3ea539faab2e036d409550e3c # v1.187.0
         with:
           bundler-cache: true
 

diff --git a/.gitignore b/.gitignore
@@ -29,3 +29,6 @@ coverage/
 # Ignore spoom coverage report
 spoom_data/
 spoom_report.html
+.vs/
+# Ignore VSCode C# Dev Kit
+**/.mono/**/values.xml
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -19,6 +19,7 @@ By submitting a contribution, you agree that contribution is licensed to GitHub
 4. Add [tests for it](README.md#running-tests). This is important so we don't break it in a future version unintentionally.
 5. Ensure your code is well-documented and easy to understand.
 6. Send a pull request. The tests will run on it automatically, so don't worry if you couldn't get them running locally.
+7. If you are helping bump a version or add new ecosystem support to Dependabot, please file a corresponding PR for the change in the [GitHub docs repo](https://docs.github.com/en/contributing/collaborating-on-github-docs/about-contributing-to-github-docs). The list of supported package manager versions lives [here](https://github.com/github/docs/blob/main/data/reusables/dependabot/supported-package-managers.md). The rest of the Dependabot docs are primarily in [this directory](https://github.com/github/docs/tree/main/content/code-security/dependabot) and [this directory](https://github.com/github/docs/tree/main/data/reusables/dependabot).
 
 ## Project layout
 
@@ -35,7 +36,7 @@ struggling to understand how anything works please don't hesitate to create an i
 
 ## Contributing new ecosystems
 
-If you are an ecosystem maintainer and are interested in integrating with Dependabot, and are willing to help provide the expertise necessary to build and support it, please open an issue and let us know.
+If you are an ecosystem maintainer and are interested in integrating with Dependabot, and are willing to help provide the expertise necessary to build and support it, please open an issue and let us know so that we can discuss.
 
 ### What's next?
 

diff --git a/Dockerfile.updater-core b/Dockerfile.updater-core
@@ -118,7 +118,7 @@ WORKDIR $DEPENDABOT_HOME/dependabot-updater
 # Note that RubyGems & Bundler versions are currently released in sync, but
 # RubyGems version is one major ahead. So when bumping to RubyGems 3.y.z, Bundler
 # version will jump to 2.y.z
-ARG RUBYGEMS_VERSION=3.5.14
+ARG RUBYGEMS_VERSION=3.5.16
 RUN gem update --system $RUBYGEMS_VERSION
 
 RUN bundle config set --global build.psych --with-libyaml-source-dir=$DEPENDABOT_HOME/src/libyaml/yaml-$LIBYAML_VERSION && \

diff --git a/Gemfile b/Gemfile
@@ -41,6 +41,7 @@ deps_shared_with_common = %w(
   rubocop-sorbet
   simplecov
   stackprof
+  strscan
   turbo_tests
   vcr
   webmock

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,20 +1,20 @@
 PATH
   remote: bundler
   specs:
-    dependabot-bundler (0.265.0)
-      dependabot-common (= 0.265.0)
+    dependabot-bundler (0.278.0)
+      dependabot-common (= 0.278.0)
       parallel (~> 1.24)
 
 PATH
   remote: cargo
   specs:
-    dependabot-cargo (0.265.0)
-      dependabot-common (= 0.265.0)
+    dependabot-cargo (0.278.0)
+      dependabot-common (= 0.278.0)
 
 PATH
   remote: common
   specs:
-    dependabot-common (0.265.0)
+    dependabot-common (0.278.0)
       aws-sdk-codecommit (~> 1.28)
       aws-sdk-ecr (~> 1.5)
       bundler (>= 1.16, < 3.0.0)
@@ -23,10 +23,10 @@ PATH
       excon (~> 0.109)
       faraday (= 2.7.11)
       faraday-retry (= 2.2.0)
-      gitlab (= 4.19.0)
+      gitlab (= 5.0.0)
       json (< 2.7)
       nokogiri (~> 1.8)
-      octokit (>= 4.6, < 7.0)
+      octokit (>= 4.6, < 8.0)
       opentelemetry-sdk (~> 1.3)
       parser (>= 2.5, < 4.0)
       psych (~> 5.0)
@@ -37,107 +37,107 @@ PATH
 PATH
   remote: composer
   specs:
-    dependabot-composer (0.265.0)
-      dependabot-common (= 0.265.0)
+    dependabot-composer (0.278.0)
+      dependabot-common (= 0.278.0)
 
 PATH
   remote: devcontainers
   specs:
-    dependabot-devcontainers (0.265.0)
-      dependabot-common (= 0.265.0)
+    dependabot-devcontainers (0.278.0)
+      dependabot-common (= 0.278.0)
 
 PATH
   remote: docker
   specs:
-    dependabot-docker (0.265.0)
-      dependabot-common (= 0.265.0)
+    dependabot-docker (0.278.0)
+      dependabot-common (= 0.278.0)
 
 PATH
   remote: elm
   specs:
-    dependabot-elm (0.265.0)
-      dependabot-common (= 0.265.0)
+    dependabot-elm (0.278.0)
+      dependabot-common (= 0.278.0)
 
 PATH
   remote: git_submodules
   specs:
-    dependabot-git_submodules (0.265.0)
-      dependabot-common (= 0.265.0)
+    dependabot-git_submodules (0.278.0)
+      dependabot-common (= 0.278.0)
       parseconfig (~> 1.0, < 1.1.0)
 
 PATH
   remote: github_actions
   specs:
-    dependabot-github_actions (0.265.0)
-      dependabot-common (= 0.265.0)
+    dependabot-github_actions (0.278.0)
+      dependabot-common (= 0.278.0)
 
 PATH
   remote: go_modules
   specs:
-    dependabot-go_modules (0.265.0)
-      dependabot-common (= 0.265.0)
+    dependabot-go_modules (0.278.0)
+      dependabot-common (= 0.278.0)
 
 PATH
   remote: gradle
   specs:
-    dependabot-gradle (0.265.0)
-      dependabot-common (= 0.265.0)
-      dependabot-maven (= 0.265.0)
+    dependabot-gradle (0.278.0)
+      dependabot-common (= 0.278.0)
+      dependabot-maven (= 0.278.0)
 
 PATH
   remote: hex
   specs:
-    dependabot-hex (0.265.0)
-      dependabot-common (= 0.265.0)
+    dependabot-hex (0.278.0)
+      dependabot-common (= 0.278.0)
 
 PATH
   remote: maven
   specs:
-    dependabot-maven (0.265.0)
-      dependabot-common (= 0.265.0)
+    dependabot-maven (0.278.0)
+      dependabot-common (= 0.278.0)
 
 PATH
   remote: npm_and_yarn
   specs:
-    dependabot-npm_and_yarn (0.265.0)
-      dependabot-common (= 0.265.0)
+    dependabot-npm_and_yarn (0.278.0)
+      dependabot-common (= 0.278.0)
 
 PATH
   remote: nuget
   specs:
-    dependabot-nuget (0.265.0)
-      dependabot-common (= 0.265.0)
+    dependabot-nuget (0.278.0)
+      dependabot-common (= 0.278.0)
       rubyzip (>= 2.3.2, < 3.0)
 
 PATH
   remote: pub
   specs:
-    dependabot-pub (0.265.0)
-      dependabot-common (= 0.265.0)
+    dependabot-pub (0.278.0)
+      dependabot-common (= 0.278.0)
 
 PATH
   remote: python
   specs:
-    dependabot-python (0.265.0)
-      dependabot-common (= 0.265.0)
+    dependabot-python (0.278.0)
+      dependabot-common (= 0.278.0)
 
 PATH
   remote: silent
   specs:
-    dependabot-silent (0.265.0)
-      dependabot-common (= 0.265.0)
+    dependabot-silent (0.278.0)
+      dependabot-common (= 0.278.0)
 
 PATH
   remote: swift
   specs:
-    dependabot-swift (0.265.0)
-      dependabot-common (= 0.265.0)
+    dependabot-swift (0.278.0)
+      dependabot-common (= 0.278.0)
 
 PATH
   remote: terraform
   specs:
-    dependabot-terraform (0.265.0)
-      dependabot-common (= 0.265.0)
+    dependabot-terraform (0.278.0)
+      dependabot-common (= 0.278.0)
 
 GEM
   remote: https://rubygems.org/
@@ -185,7 +185,7 @@ GEM
     faraday-net_http (3.0.2)
     faraday-retry (2.2.0)
       faraday (~> 2.0)
-    gitlab (4.19.0)
+    gitlab (5.0.0)
       httparty (~> 0.20)
       terminal-table (>= 1.5.1)
     gpgme (2.0.23)
@@ -417,4 +417,4 @@ DEPENDENCIES
   webrick (>= 1.7)
 
 BUNDLED WITH
-   2.5.14
+   2.5.16