Merge branch 'master' into fix-vulns

Author: cjmartian

.github/dependabot.template.yml

@@ -0,0 +1,19 @@
+---
+version: 2
+updates:
+  - package-ecosystem: "bundler"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 20
+    vendor: true
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 20
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 20

.github/dependabot.yml

@@ -1,11 +1,20 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
+# This file was generated by the "Generate Dependabot Glob" action. Do not edit it directly.
+# Make changes to `.github/dependabot.template.yml` and a PR will be automatically created.
 version: 2
 updates:
-  - package-ecosystem: "bundler" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  - package-ecosystem: bundler
+    directory: /
     schedule:
-      interval: "weekly"
+      interval: daily
+    open-pull-requests-limit: 20
+    vendor: true
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 20
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 20

.github/workflows/add-dependabot-pr-to-project.yml

@@ -0,0 +1,22 @@
+---
+name: Assign Dependabot PR to Compute Foundation Project
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [opened, reopened, labeled]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  add-to-project:
+    name: Add to Compute Foundation Project Board
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/[email protected]
+        with:
+          project-url: https://github.com/orgs/github/projects/5753/ # Compute Foundation Project Board
+          github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
+          labeled: dependencies,external-dependency

.github/workflows/generate-dependabot.yml

@@ -0,0 +1,27 @@
+---
+name: Generate dependabot.yml
+
+on:
+  push:
+  repository_dispatch:
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  generate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Generate dependabot.yml
+        uses: Makeshift/generate-dependabot-glob-action@5cd45385ce6519f68d574aab9699832b3a5e5031 # v1.3.4
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
+        with:
+          title: '[Automated] Update dependabot.yml'
+          body: |
+            This PR was automatically generated by the generate-dependabot.yml workflow.

.github/workflows/main.yml

@@ -14,7 +14,7 @@ jobs:
         ruby-version: ["2.6"]
     steps:
       - name: Checkout code
-        uses: actions/checkout@v1
+        uses: actions/checkout@v4
       - name: Build container
         run: docker build . --file Dockerfile --tag octocatalog-diff:ruby${{matrix.ruby-version}} --build-arg RUBY_VERSION=${{matrix.ruby-version}} --build-arg PUPPET_VERSION=${{env.PUPPET_VERSION}}
       - name: Tests
@@ -33,7 +33,7 @@ jobs:
         ruby-version: ["2.6"]
     steps:
       - name: Checkout code
-        uses: actions/checkout@v1
+        uses: actions/checkout@v4
       - name: Build container
         run: docker build . --file Dockerfile --tag octocatalog-diff:ruby${{matrix.ruby-version}} --build-arg RUBY_VERSION=${{matrix.ruby-version}} --build-arg PUPPET_VERSION=${{env.PUPPET_VERSION}}
       - name: Tests
@@ -52,7 +52,7 @@ jobs:
         ruby-version: ["2.6"]
     steps:
       - name: Checkout code
-        uses: actions/checkout@v1
+        uses: actions/checkout@v4
       - name: Build container
         run: docker build . --file Dockerfile --tag octocatalog-diff:ruby${{matrix.ruby-version}} --build-arg RUBY_VERSION=${{matrix.ruby-version}} --build-arg PUPPET_VERSION=${{env.PUPPET_VERSION}}
       - name: Tests
@@ -71,7 +71,7 @@ jobs:
         ruby-version: ["2.6"]
     steps:
       - name: Checkout code
-        uses: actions/checkout@v1
+        uses: actions/checkout@v4
       - name: Build container
         run: docker build . --file Dockerfile --tag octocatalog-diff:ruby${{matrix.ruby-version}} --build-arg RUBY_VERSION=${{matrix.ruby-version}} --build-arg PUPPET_VERSION=${{env.PUPPET_VERSION}}
       - name: Tests

.github/workflows/release.yml

@@ -36,7 +36,7 @@ jobs:
               *.gem
           fi
       - name: Upload gem as action artifact
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
         if: ${{ always() }}
         with:
           path: ./*.gem

doc/limitations.md

@@ -6,7 +6,7 @@ Testing of Puppet catalogs is faster than running the agent, but you need to be
 
     octocatalog-diff by default uses the facts reported from a node's more recent Puppet run. If you have made changes to custom facts, catalog testing will **NOT** be an adequate test of whether your custom facts worked. (You can still use octocatalog-diff to help predict changes to nodes based on changes to facts, by overriding facts on the command line.)
 
-1. Agents handle depenency ordering and implementation details
+1. Agents handle dependency ordering and implementation details
 
     The catalog defines the state of the system, but it's up to the agent to determine how to bring the system to a point that matches the catalog. The agent is responsible for order of operations and actually making the change.
 

lib/octocatalog-diff/catalog-util/builddir.rb

@@ -211,7 +211,7 @@ def install_enc(logger)
         enc_path = File.join(@tempdir, 'enc.sh')
         File.open(enc_path, 'w') do |f|
           f.write "#!/bin/sh\n"
-          f.write "cat <<-EOF\n"
+          f.write "cat <<-'EOF'\n"
           f.write enc_obj.content
           f.write "\nEOF\n"
         end

spec/octocatalog-diff/tests/catalog-util/builddir_spec.rb

@@ -796,7 +796,7 @@
         testobj = OctocatalogDiff::CatalogUtil::BuildDir.new(options, logger)
         enc = File.join(testobj.tempdir, 'enc.sh')
         expect(File.file?(enc)).to eq(true)
-        expect(File.read(enc)).to eq("#!/bin/sh\ncat <<-EOF\n---\n\nEOF\n")
+        expect(File.read(enc)).to eq("#!/bin/sh\ncat <<-'EOF'\n---\n\nEOF\n")
       end
     end
 
@@ -807,7 +807,7 @@
         testobj = OctocatalogDiff::CatalogUtil::BuildDir.new(options, logger)
         enc = File.join(testobj.tempdir, 'enc.sh')
         expect(File.file?(enc)).to eq(true)
-        expect(File.read(enc)).to eq("#!/bin/sh\ncat <<-EOF\n---\n\nEOF\n")
+        expect(File.read(enc)).to eq("#!/bin/sh\ncat <<-'EOF'\n---\n\nEOF\n")
       end
     end
 
@@ -818,7 +818,7 @@
         testobj = OctocatalogDiff::CatalogUtil::BuildDir.new(options, logger)
         enc = File.join(testobj.tempdir, 'enc.sh')
         expect(File.file?(enc)).to eq(true)
-        expect(File.read(enc)).to eq("#!/bin/sh\ncat <<-EOF\n---\n\nEOF\n")
+        expect(File.read(enc)).to eq("#!/bin/sh\ncat <<-'EOF'\n---\n\nEOF\n")
       end
     end
 
@@ -838,7 +838,7 @@
         testobj = OctocatalogDiff::CatalogUtil::BuildDir.new(options, logger)
         enc = File.join(testobj.tempdir, 'enc.sh')
         expect(File.file?(enc)).to eq(true)
-        expect(File.read(enc)).to eq("#!/bin/sh\ncat <<-EOF\n---\nclasses:\n  foo: {}\nparameters: {}\n\nEOF\n")
+        expect(File.read(enc)).to eq("#!/bin/sh\ncat <<-'EOF'\n---\nclasses:\n  foo: {}\nparameters: {}\n\nEOF\n")
       end
     end
   end