New "vNext" update script using dependabot-core updater; aligns update behaviour more closely with the GitHub Dependabot service

updater/.gitignore

@@ -1,3 +1,4 @@
 /.bundle/
 /spec/examples.txt
 /tmp/
+/job/

updater/bin/fetch_files.rb

@@ -0,0 +1,40 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+$LOAD_PATH.unshift(T.must(__dir__) + "/../lib")
+
+$stdout.sync = true
+
+require "dependabot/api_client"
+require "dependabot/environment"
+require "dependabot/service"
+require "dependabot/setup"
+require "dependabot/file_fetcher_command"
+require "debug" if ENV["DEBUG"]
+
+class UpdaterKilledError < StandardError; end
+
+trap("TERM") do
+  puts "Received SIGTERM"
+  error = UpdaterKilledError.new("Updater process killed with SIGTERM")
+  tags = { "gh.dependabot_api.update_job.id": ENV.fetch("DEPENDABOT_JOB_ID", nil) }
+
+  api_client =
+    Dependabot::ApiClient.new(
+      Dependabot::Environment.api_url,
+      Dependabot::Environment.job_id,
+      Dependabot::Environment.job_token
+    )
+  Dependabot::Service.new(client: api_client).capture_exception(error: error, tags: tags)
+  exit
+end
+
+begin
+  RubyVM::YJIT.enable if Dependabot::Environment.job_id.to_i.even?
+
+  Dependabot::FileFetcherCommand.new.run
+rescue Dependabot::RunFailure
+  exit 1
+end

updater/bin/run.sh

@@ -1,16 +1,9 @@
 #!/bin/bash
 set -e
 
-# This is a WORKAROUND for https://github.com/ruby/resolv/issues/23
-# see also https://github.com/tinglesoftware/dependabot-azure-devops/pull/369
-# see also https://github.com/tinglesoftware/dependabot-azure-devops/pull/834
-if [ -n "$WORKAROUND_CMD" ]; then
-    eval "$WORKAROUND_CMD"
-fi
-
 command="$1"
 if [ -z "$command" ]; then
-  echo "usage: run [update_script]"
+  echo "usage: run [fetch_files|update_files|update_script|update_script_vnext]"
   exit 1
 fi
 
@@ -20,4 +13,13 @@ export HEX_CACERTS_PATH=/etc/ssl/certs/ca-certificates.crt
 # Tell python to use the system-wide CA bundle
 export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
 
+# This is a WORKAROUND for fixing various quirks that might exist within the container environment that we don't have much control over.
+# see: https://github.com/ruby/resolv/issues/23 (Ruby)
+#      https://github.com/tinglesoftware/dependabot-azure-devops/pull/369 (Ruby)
+#      https://github.com/tinglesoftware/dependabot-azure-devops/pull/834 (Ruby)
+#      https://github.com/tinglesoftware/dependabot-azure-devops/issues/921#issuecomment-2162273558 (NuGet)
+if [ -n "$WORKAROUND_CMD" ]; then
+  eval "$WORKAROUND_CMD"
+fi
+
 bundle exec ruby "bin/${command}.rb"

updater/bin/update_files.rb

@@ -0,0 +1,50 @@
+# typed: true
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift(__dir__ + "/../lib")
+
+$stdout.sync = true
+
+require "dependabot/api_client"
+require "dependabot/environment"
+require "dependabot/service"
+require "dependabot/setup"
+require "dependabot/update_files_command"
+require "debug" if ENV["DEBUG"]
+
+flamegraph = ENV.fetch("FLAMEGRAPH", nil)
+if flamegraph
+  require "stackprof"
+  require "flamegraph"
+end
+
+class UpdaterKilledError < StandardError; end
+
+trap("TERM") do
+  puts "Received SIGTERM"
+  error = UpdaterKilledError.new("Updater process killed with SIGTERM")
+  tags = { "gh.dependabot_api.update_job.id": ENV.fetch("DEPENDABOT_JOB_ID", nil) }
+
+  api_client =
+    Dependabot::ApiClient.new(
+      Dependabot::Environment.api_url,
+      Dependabot::Environment.job_id,
+      Dependabot::Environment.job_token
+    )
+  Dependabot::Service.new(client: api_client).capture_exception(error: error, tags: tags)
+  exit
+end
+
+begin
+  RubyVM::YJIT.enable if Dependabot::Environment.job_id.to_i.even?
+
+  if flamegraph
+    Flamegraph.generate("/tmp/dependabot-flamegraph.html") do
+      Dependabot::UpdateFilesCommand.new.run
+    end
+  else
+    Dependabot::UpdateFilesCommand.new.run
+  end
+rescue Dependabot::RunFailure
+  exit 1
+end

updater/bin/update_script.rb

@@ -548,7 +548,7 @@ def show_diff(original_file, updated_file)
 )
 user_id = azure_client.get_user_id
 target_branch_name = $options[:branch] || azure_client.fetch_default_branch($source.repo)
-active_pull_requests = azure_client.pull_requests_active(user_id, target_branch_name)
+active_pull_requests = azure_client.pull_requests_active_for_user_and_targeting_branch(user_id, target_branch_name)
 
 pull_requests_count = 0
 
@@ -920,7 +920,7 @@ def show_diff(original_file, updated_file)
 # look for pull requests that are no longer needed to be abandoned
 if $options[:close_unwanted]
   puts "Looking for pull requests that are no longer needed."
-  active_pull_requests = azure_client.pull_requests_active(user_id, target_branch_name)
+  active_pull_requests = azure_client.pull_requests_active_for_user_and_targeting_branch(user_id, target_branch_name)
   active_pull_requests.each do |pr|
     pr_id = pr["pullRequestId"]
     title = pr["title"]

updater/bin/update_script_vnext.rb

@@ -0,0 +1,29 @@
+# typed: strict
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift(__dir__ + "/../lib")
+
+# Ensure logs are output immediately. Useful when running in certain hosts like ContainerGroups
+$stdout.sync = true
+
+require "tinglesoftware/dependabot/setup"
+require "tinglesoftware/dependabot/job"
+require "tinglesoftware/dependabot/commands/update_all_dependencies_synchronous_command"
+
+ENV["UPDATER_ONE_CONTAINER"] = "true" # The full end-to-end update will happen in a single container
+ENV["UPDATER_DETERMINISTIC"] = "true" # The list of dependencies to update will be consistent across multiple runs
+
+begin
+  TingleSoftware::Dependabot::Commands::UpdateAllDependenciesSynchronousCommand.new(
+    job: TingleSoftware::Dependabot::Job.new(
+      # Override Dependabot updater options (feature flags) required by this job
+      experiments: {
+        # Required for correctly detecting existing PRs when refreshing group dependency updates.
+        # Without this, Dependabot::DependencyGroup.matches_existing_pr? will always return false for group updates.
+        "dependency_has_directory" => true
+      }
+    )
+  ).run
+rescue ::Dependabot::RunFailure
+  exit 1
+end