github_actions: Add support for Composite Actions

Composite Actions follow a very similar structure to the "normal"
GitHub Actions, with the exception that they must be located in a
file called action.yml (or .yaml) in the root of the repository.

Because of this similarity the file_parser and the file_updater does
not need any tweaking, and it is only the file_fetcher that needs to
be able to search beyond the .github/workflows folder.

Since GitHub only looks for a single file in the root directory of
the repository we can limit the expansion to the search to the same
strict parameters so we don't accidentally find a lot of other stuff.

Resolves dependabot#4178

Author: JonasAlfredsson

github_actions/lib/dependabot/github_actions/file_fetcher.rb

@@ -6,12 +6,14 @@
 module Dependabot
   module GithubActions
     class FileFetcher < Dependabot::FileFetchers::Base
+      FILENAME_PATTERN = /^(\.github|action.ya?ml)$/.freeze
+
       def self.required_files_in?(filenames)
-        filenames.any? { |f| f == ".github" }
+        filenames.any? { |f| f.match?(FILENAME_PATTERN) }
       end
 
       def self.required_files_message
-        "Repo must contain a .github/workflows directory with YAML files."
+        "Repo must contain a .github/workflows directory with YAML files or an action.yml in the root"
       end
 
       private
@@ -40,7 +42,8 @@ def workflow_files
         @workflow_files ||=
           repo_contents(dir: ".github/workflows", raise_errors: false).
           select { |f| f.type == "file" && f.name.match?(/\.ya?ml$/) }.
-          map { |f| fetch_file_from_host(".github/workflows/#{f.name}") }
+          map { |f| fetch_file_from_host(".github/workflows/#{f.name}") } \
+          + [fetch_file_if_present("action.yml"), fetch_file_if_present("action.yaml")].compact
       end
 
       def referenced_local_workflow_files

github_actions/spec/dependabot/github_actions/file_fetcher_spec.rb

@@ -31,13 +31,20 @@
 
   before { allow(file_fetcher_instance).to receive(:commit).and_return("sha") }
 
-  context "with a workflow file" do
+  context "with workflow files" do
     before do
+      stub_request(:get, url + "?ref=sha").
+        with(headers: { "Authorization" => "token token" }).
+        to_return(
+          status: 200,
+          body: fixture("github", "contents_githubaction_repo_base_basic.json"),
+          headers: { "content-type" => "application/json" }
+        )
       stub_request(:get, url + ".github/workflows?ref=sha").
         with(headers: { "Authorization" => "token token" }).
         to_return(
           status: 200,
-          body: fixture("github", "contents_workflows_repo.json"),
+          body: fixture("github", "contents_githubaction_repo_workflows.json"),
           headers: { "content-type" => "application/json" }
         )
 
@@ -62,7 +69,7 @@
     end
 
     let(:workflow_file_fixture) do
-      fixture("github", "contents_workflow_file.json")
+      fixture("github", "contents_githubaction_workflow_file.json")
     end
 
     it "fetches the workflow files" do
@@ -105,10 +112,52 @@
           to match_array(%w(.github/workflows/integration-workflow.yml))
       end
     end
+
+    context "with an additional composite action file" do
+      let(:composite_action_file_fixture) do
+        fixture("github", "contents_githubaction_composite_file.json")
+      end
+
+      before do
+        stub_request(:get, url + "?ref=sha").
+          with(headers: { "Authorization" => "token token" }).
+          to_return(
+            status: 200,
+            body: fixture("github", "contents_githubaction_repo_base_composite.json"),
+            headers: { "content-type" => "application/json" }
+          )
+
+        stub_request(
+          :get,
+          File.join(url, "action.yml?ref=sha")
+        ).with(headers: { "Authorization" => "token token" }).
+          to_return(
+            status: 200,
+            body: composite_action_file_fixture,
+            headers: { "content-type" => "application/json" }
+          )
+      end
+
+      it "fetches all action files" do
+        expect(file_fetcher_instance.files.map(&:name)).
+          to match_array(
+            %w(action.yml
+               .github/workflows/sherlock-workflow.yaml
+               .github/workflows/integration-workflow.yml)
+          )
+      end
+    end
   end
 
   context "with an empty workflow directory" do
     before do
+      stub_request(:get, url + "?ref=sha").
+        with(headers: { "Authorization" => "token token" }).
+        to_return(
+          status: 200,
+          body: fixture("github", "contents_githubaction_repo_base_basic.json"),
+          headers: { "content-type" => "application/json" }
+        )
       stub_request(:get, url + ".github/workflows?ref=sha").
         with(headers: { "Authorization" => "token token" }).
         to_return(
@@ -126,6 +175,13 @@
 
   context "with a repo without a .github/workflows directory" do
     before do
+      stub_request(:get, url + "?ref=sha").
+        with(headers: { "Authorization" => "token token" }).
+        to_return(
+          status: 200,
+          body: "[]",
+          headers: { "content-type" => "application/json" }
+        )
       stub_request(:get, url + ".github/workflows?ref=sha").
         with(headers: { "Authorization" => "token token" }).
         to_return(
@@ -140,4 +196,44 @@
         to raise_error(Dependabot::DependencyFileNotFound)
     end
   end
+
+  context "with a repo containg only a composite action file" do
+    let(:composite_action_file_fixture) do
+      fixture("github", "contents_githubaction_composite_file.json")
+    end
+
+    before do
+      stub_request(:get, url + "?ref=sha").
+        with(headers: { "Authorization" => "token token" }).
+        to_return(
+          status: 200,
+          body: fixture("github", "contents_githubaction_repo_base_composite.json"),
+          headers: { "content-type" => "application/json" }
+        )
+      stub_request(:get, url + ".github/workflows?ref=sha").
+        with(headers: { "Authorization" => "token token" }).
+        to_return(
+          status: 404,
+          body: fixture("github", "not_found.json"),
+          headers: { "content-type" => "application/json" }
+        )
+
+      stub_request(
+        :get,
+        File.join(url, "action.yml?ref=sha")
+      ).with(headers: { "Authorization" => "token token" }).
+        to_return(
+          status: 200,
+          body: composite_action_file_fixture,
+          headers: { "content-type" => "application/json" }
+        )
+    end
+
+    it "fetches the composite action file" do
+      expect(file_fetcher_instance.files.map(&:name)).
+        to match_array(
+          %w(action.yml)
+        )
+    end
+  end
 end

github_actions/spec/fixtures/github/contents_githubaction_composite_file.json

@@ -0,0 +1,18 @@
+{
+  "name": "action.yml",
+  "path": "action.yml",
+  "sha": "37371fc877bfbfefc715f1dac0e1166e6c9d380c",
+  "size": 1179,
+  "url": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/contents/action.yml?ref=main",
+  "html_url": "https://github.com/JonasAlfredsson/checkout-qemu-buildx/blob/main/action.yml",
+  "git_url": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/git/blobs/37371fc877bfbfefc715f1dac0e1166e6c9d380c",
+  "download_url": "https://raw.githubusercontent.com/JonasAlfredsson/checkout-qemu-buildx/main/action.yml",
+  "type": "file",
+  "content": "bmFtZTogJ0NoZWNrb3V0IFFFTVUgQnVpbGR4JwpkZXNjcmlwdGlvbjogJ0No\nZWNrcyBvdXQgdGhlIHJlcG9zaXRvcnksIGNvbmZpZ3VyZXMgUUVNVSBhbmQg\nRG9ja2VyIEJ1aWxkeCBmb3IgYWxsIGF2YWlsYWJsZSBhcmNoaXRlY3R1cmVz\nIGJlZm9yZSBsb2dnaW5nIGluIHRvIERvY2tlckh1YicKYXV0aG9yOiAnSm9u\nYXNBbGZyZWRzc29uJwpicmFuZGluZzoKICBpY29uOiAnbGlmZS1idW95Jwog\nIGNvbG9yOiAnYmx1ZScKCmlucHV0czoKICBzaG91bGRfbG9naW46CiAgICBk\nZXNjcmlwdGlvbjogJ0Jvb2xlYW4gc3RhdGluZyBpZiB3ZSBzaG91bGQgbG9n\naW4gdG8gRG9ja2VySHViIG9yIG5vdCcKICAgICMgV2h5IHN0cmluZz8gLT4g\naHR0cHM6Ly9naXRodWIuY29tL2FjdGlvbnMvcnVubmVyL2lzc3Vlcy8xNDgz\nCiAgICB0eXBlOiBzdHJpbmcKICAgIHJlcXVpcmVkOiBmYWxzZQogICAgZGVm\nYXVsdDogJ3RydWUnCiAgdXNlcm5hbWU6CiAgICBkZXNjcmlwdGlvbjogJ1Vz\nZXJuYW1lIHVzZWQgdG8gbG9naW4gdG8gRG9ja2VySHViJwogICAgdHlwZTog\nc3RyaW5nCiAgICByZXF1aXJlZDogZmFsc2UKICBwYXNzd29yZDoKICAgIGRl\nc2NyaXB0aW9uOiAnUGFzc3dvcmQgb3IgcGVyc29uYWwgYWNjZXNzIHRva2Vu\nIHVzZWQgdG8gbG9naW4gdG8gRG9ja2VySHViJwogICAgdHlwZTogc3RyaW5n\nCiAgICByZXF1aXJlZDogZmFsc2UKCnJ1bnM6CiAgdXNpbmc6ICJjb21wb3Np\ndGUiCiAgc3RlcHM6CiAgICAtIG5hbWU6IENoZWNrb3V0IHRoZSByZXBvc2l0\nb3J5CiAgICAgIHVzZXM6IGFjdGlvbnMvY2hlY2tvdXRAdjIuNC4wCgogICAg\nLSBuYW1lOiBTZXQgdXAgUUVNVSBlbnZpcm9ubWVudAogICAgICB1c2VzOiBk\nb2NrZXIvc2V0dXAtcWVtdS1hY3Rpb25AdjEuMi4wCgogICAgLSBuYW1lOiBT\nZXQgdXAgRG9ja2VyIEJ1aWxkeAogICAgICB1c2VzOiBkb2NrZXIvc2V0dXAt\nYnVpbGR4LWFjdGlvbkB2MS42LjAKCiAgICAtIG5hbWU6IExvZ2luIHRvIERv\nY2tlckh1YgogICAgICBpZjogJHt7IGZyb21KU09OKGlucHV0cy5zaG91bGRf\nbG9naW4pIH19CiAgICAgIHVzZXM6IGRvY2tlci9sb2dpbi1hY3Rpb25AdjEu\nMTIuMAogICAgICB3aXRoOgogICAgICAgIHVzZXJuYW1lOiAke3sgaW5wdXRz\nLnVzZXJuYW1lIH19CiAgICAgICAgcGFzc3dvcmQ6ICR7eyBpbnB1dHMucGFz\nc3dvcmQgfX0K\n",
+  "encoding": "base64",
+  "_links": {
+    "self": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/contents/action.yml?ref=main",
+    "git": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/git/blobs/37371fc877bfbfefc715f1dac0e1166e6c9d380c",
+    "html": "https://github.com/JonasAlfredsson/checkout-qemu-buildx/blob/main/action.yml"
+  }
+}

github_actions/spec/fixtures/github/contents_githubaction_repo_base_basic.json

@@ -0,0 +1,50 @@
+[
+  {
+    "name": ".github",
+    "path": ".github",
+    "sha": "f9e54abedd85bf7ae17745e2b234b884b624f39a",
+    "size": 0,
+    "url": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/contents/.github?ref=main",
+    "html_url": "https://github.com/JonasAlfredsson/checkout-qemu-buildx/tree/main/.github",
+    "git_url": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/git/trees/f9e54abedd85bf7ae17745e2b234b884b624f39a",
+    "download_url": null,
+    "type": "dir",
+    "_links": {
+      "self": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/contents/.github?ref=main",
+      "git": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/git/trees/f9e54abedd85bf7ae17745e2b234b884b624f39a",
+      "html": "https://github.com/JonasAlfredsson/checkout-qemu-buildx/tree/main/.github"
+    }
+  },
+  {
+    "name": "LICENSE",
+    "path": "LICENSE",
+    "sha": "261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64",
+    "size": 11357,
+    "url": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/contents/LICENSE?ref=main",
+    "html_url": "https://github.com/JonasAlfredsson/checkout-qemu-buildx/blob/main/LICENSE",
+    "git_url": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/git/blobs/261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64",
+    "download_url": "https://raw.githubusercontent.com/JonasAlfredsson/checkout-qemu-buildx/main/LICENSE",
+    "type": "file",
+    "_links": {
+      "self": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/contents/LICENSE?ref=main",
+      "git": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/git/blobs/261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64",
+      "html": "https://github.com/JonasAlfredsson/checkout-qemu-buildx/blob/main/LICENSE"
+    }
+  },
+  {
+    "name": "README.md",
+    "path": "README.md",
+    "sha": "9a701d80134e36d07ac1e9f9afef877a800543db",
+    "size": 1147,
+    "url": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/contents/README.md?ref=main",
+    "html_url": "https://github.com/JonasAlfredsson/checkout-qemu-buildx/blob/main/README.md",
+    "git_url": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/git/blobs/9a701d80134e36d07ac1e9f9afef877a800543db",
+    "download_url": "https://raw.githubusercontent.com/JonasAlfredsson/checkout-qemu-buildx/main/README.md",
+    "type": "file",
+    "_links": {
+      "self": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/contents/README.md?ref=main",
+      "git": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/git/blobs/9a701d80134e36d07ac1e9f9afef877a800543db",
+      "html": "https://github.com/JonasAlfredsson/checkout-qemu-buildx/blob/main/README.md"
+    }
+  }
+]

github_actions/spec/fixtures/github/contents_githubaction_repo_base_composite.json

@@ -0,0 +1,66 @@
+[
+  {
+    "name": ".github",
+    "path": ".github",
+    "sha": "f9e54abedd85bf7ae17745e2b234b884b624f39a",
+    "size": 0,
+    "url": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/contents/.github?ref=main",
+    "html_url": "https://github.com/JonasAlfredsson/checkout-qemu-buildx/tree/main/.github",
+    "git_url": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/git/trees/f9e54abedd85bf7ae17745e2b234b884b624f39a",
+    "download_url": null,
+    "type": "dir",
+    "_links": {
+      "self": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/contents/.github?ref=main",
+      "git": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/git/trees/f9e54abedd85bf7ae17745e2b234b884b624f39a",
+      "html": "https://github.com/JonasAlfredsson/checkout-qemu-buildx/tree/main/.github"
+    }
+  },
+  {
+    "name": "LICENSE",
+    "path": "LICENSE",
+    "sha": "261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64",
+    "size": 11357,
+    "url": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/contents/LICENSE?ref=main",
+    "html_url": "https://github.com/JonasAlfredsson/checkout-qemu-buildx/blob/main/LICENSE",
+    "git_url": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/git/blobs/261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64",
+    "download_url": "https://raw.githubusercontent.com/JonasAlfredsson/checkout-qemu-buildx/main/LICENSE",
+    "type": "file",
+    "_links": {
+      "self": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/contents/LICENSE?ref=main",
+      "git": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/git/blobs/261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64",
+      "html": "https://github.com/JonasAlfredsson/checkout-qemu-buildx/blob/main/LICENSE"
+    }
+  },
+  {
+    "name": "README.md",
+    "path": "README.md",
+    "sha": "9a701d80134e36d07ac1e9f9afef877a800543db",
+    "size": 1147,
+    "url": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/contents/README.md?ref=main",
+    "html_url": "https://github.com/JonasAlfredsson/checkout-qemu-buildx/blob/main/README.md",
+    "git_url": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/git/blobs/9a701d80134e36d07ac1e9f9afef877a800543db",
+    "download_url": "https://raw.githubusercontent.com/JonasAlfredsson/checkout-qemu-buildx/main/README.md",
+    "type": "file",
+    "_links": {
+      "self": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/contents/README.md?ref=main",
+      "git": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/git/blobs/9a701d80134e36d07ac1e9f9afef877a800543db",
+      "html": "https://github.com/JonasAlfredsson/checkout-qemu-buildx/blob/main/README.md"
+    }
+  },
+  {
+    "name": "action.yml",
+    "path": "action.yml",
+    "sha": "37371fc877bfbfefc715f1dac0e1166e6c9d380c",
+    "size": 1179,
+    "url": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/contents/action.yml?ref=main",
+    "html_url": "https://github.com/JonasAlfredsson/checkout-qemu-buildx/blob/main/action.yml",
+    "git_url": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/git/blobs/37371fc877bfbfefc715f1dac0e1166e6c9d380c",
+    "download_url": "https://raw.githubusercontent.com/JonasAlfredsson/checkout-qemu-buildx/main/action.yml",
+    "type": "file",
+    "_links": {
+      "self": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/contents/action.yml?ref=main",
+      "git": "https://api.github.com/repos/JonasAlfredsson/checkout-qemu-buildx/git/blobs/37371fc877bfbfefc715f1dac0e1166e6c9d380c",
+      "html": "https://github.com/JonasAlfredsson/checkout-qemu-buildx/blob/main/action.yml"
+    }
+  }
+]