Merge branch 'main' into jurre/getting-jitty-with-it

.github/workflows/images-latest.yml

@@ -1,7 +1,7 @@
 name: Latest images
 env:
   UPDATER_IMAGE: "ghcr.io/dependabot/dependabot-updater-"
-on:  # yamllint disable-line rule:truthy
+on: # yamllint disable-line rule:truthy
   push:
     branches:
       - main
@@ -27,6 +27,7 @@ jobs:
     needs: date-version
     permissions:
       contents: read
+      id-token: write
       packages: write
     strategy:
       fail-fast: false
@@ -60,6 +61,8 @@ jobs:
         with:
           submodules: recursive
 
+      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+
       - name: Build the dependabot-updater-<ecosystem> image
         # despite the script input being $NAME, the resulting image is dependabot-updater-${ECOSYSTEM}
         run: script/build ${NAME}
@@ -74,7 +77,10 @@ jobs:
         run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
 
       - name: Push the images to GHCR
-        run: docker push --all-tags "${UPDATER_IMAGE}${ECOSYSTEM}"
+        run: |
+          docker push --all-tags "${UPDATER_IMAGE}${ECOSYSTEM}"
+          # All tags should resolve to the same digest so we only need to look up one of them
+          cosign sign --yes $(cosign triangulate --type=digest "${UPDATER_IMAGE}${ECOSYSTEM}:latest")
 
       - name: Set summary
         run: |

.github/workflows/images-updater-core.yml

@@ -1,7 +1,7 @@
 name: Updater-Core image
 env:
   UPDATER_CORE_IMAGE: "ghcr.io/dependabot/dependabot-updater-core"
-on:  # yamllint disable-line rule:truthy
+on: # yamllint disable-line rule:truthy
   push:
     branches:
       - main
@@ -14,12 +14,16 @@ jobs:
     if: github.repository == 'dependabot/dependabot-core'
     permissions:
       contents: read
+      id-token: write
       packages: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
           submodules: recursive
+
+      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+
       - name: Build dependabot-updater-core image
         run: script/build common
       - name: Log in to GHCR
@@ -28,6 +32,8 @@ jobs:
       - name: Push latest image
         run: |
           docker push "$UPDATER_CORE_IMAGE:latest"
+          cosign sign --yes $(cosign triangulate --type=digest "$UPDATER_CORE_IMAGE:latest")
+
       - name: Push tagged image
         if: contains(github.ref, 'refs/tags')
         run: |

Gemfile

@@ -24,7 +24,7 @@ gem "dependabot-swift", path: "swift"
 gem "dependabot-terraform", path: "terraform"
 
 # Sorbet
-gem "sorbet", "0.5.11353", group: :development
+gem "sorbet", "0.5.11361", group: :development
 gem "tapioca", "0.13.3", require: false, group: :development
 
 common_gemspec = File.expand_path("common/dependabot-common.gemspec", __dir__)

Gemfile.lock

@@ -235,7 +235,7 @@ GEM
     parallel_tests (4.4.0)
       parallel
     parseconfig (1.0.8)
-    parser (3.3.0.5)
+    parser (3.3.1.0)
       ast (~> 2.4.1)
       racc
     prism (0.24.0)
@@ -288,8 +288,8 @@ GEM
       rubocop-ast (>= 1.31.1, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.31.2)
-      parser (>= 3.3.0.4)
+    rubocop-ast (1.31.3)
+      parser (>= 3.3.1.0)
     rubocop-capybara (2.20.0)
       rubocop (~> 1.41)
     rubocop-factory_bot (2.25.1)
@@ -304,7 +304,7 @@ GEM
       rubocop-rspec_rails (~> 2.28)
     rubocop-rspec_rails (2.28.3)
       rubocop (~> 1.40)
-    rubocop-sorbet (0.8.2)
+    rubocop-sorbet (0.8.3)
       rubocop (>= 0.90.0)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
@@ -318,15 +318,15 @@ GEM
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.12.3)
     simplecov_json_formatter (0.1.4)
-    sorbet (0.5.11353)
-      sorbet-static (= 0.5.11353)
-    sorbet-runtime (0.5.11353)
-    sorbet-static (0.5.11353-aarch64-linux)
-    sorbet-static (0.5.11353-universal-darwin)
-    sorbet-static (0.5.11353-x86_64-linux)
-    sorbet-static-and-runtime (0.5.11353)
-      sorbet (= 0.5.11353)
-      sorbet-runtime (= 0.5.11353)
+    sorbet (0.5.11361)
+      sorbet-static (= 0.5.11361)
+    sorbet-runtime (0.5.11361)
+    sorbet-static (0.5.11361-aarch64-linux)
+    sorbet-static (0.5.11361-universal-darwin)
+    sorbet-static (0.5.11361-x86_64-linux)
+    sorbet-static-and-runtime (0.5.11361)
+      sorbet (= 0.5.11361)
+      sorbet-runtime (= 0.5.11361)
     spoom (1.3.0)
       erubi (>= 1.10.0)
       prism (>= 0.19.0)
@@ -401,7 +401,7 @@ DEPENDENCIES
   rubocop-rspec (~> 2.29.1)
   rubocop-sorbet (~> 0.8.1)
   simplecov (~> 0.22.0)
-  sorbet (= 0.5.11353)
+  sorbet (= 0.5.11361)
   tapioca (= 0.13.3)
   turbo_tests (~> 2.2.0)
   vcr (~> 6.1)

nuget/lib/dependabot/nuget/file_parser.rb

@@ -21,6 +21,7 @@ class FileParser < Dependabot::FileParsers::Base
       def parse
         workspace_path = project_files.first&.directory
         return [] unless workspace_path
+        return [] unless repo_contents_path
 
         # `workspace_path` is the only unique value here so we use it as the cache key
         cache = T.let(CacheManager.cache("file_parser.parse"), T::Hash[String, T::Array[Dependabot::Dependency]])

python/helpers/requirements.txt

@@ -3,7 +3,7 @@ pip-tools==7.4.1
 flake8==7.0.0
 hashin==1.0.1
 pipenv==2023.12.1
-plette==0.4.4
+plette==2.0.2
 poetry==1.8.2
 # TODO: Replace 3p package `toml` with 3.11's new stdlib `tomllib` once we drop support for Python 3.10.
 toml==0.10.2

script/_common

@@ -41,6 +41,10 @@ function docker_build() {
     export DEPENDABOT_USER_GID=1000
   fi
 
+  # Only check Docker Content Trust for the updater-core image
+  # shellcheck disable=SC2034 # Used implicitly in docker build
+  DOCKER_CONTENT_TRUST=1
+
   # shellcheck disable=SC2086  # as $DOCKER_BUILD_ARGS relies on word-splitting
   docker build \
     $DOCKER_BUILD_ARGS \
@@ -53,6 +57,9 @@ function docker_build() {
     -f Dockerfile.updater-core \
     .
 
+  # We don't sign the updater image with Notary, so disable Docker Content Trust for remaining builds
+  unset DOCKER_CONTENT_TRUST
+
   export UPDATER_IMAGE_NAME="$UPDATER_IMAGE$TAG"
 
   # shellcheck disable=SC2086  # as $DOCKER_BUILD_ARGS relies on word-splitting