Support for Grouped Updates

README.md

@@ -84,6 +84,8 @@ Subsequent actions will have access to the following outputs:
   - If this PR has a known compatibility score and `compat-lookup` is `true`, this contains the compatibility score (otherwise it contains 0).
 - `steps.dependabot-metadata.outputs.maintainer-changes`
   - Whether or not the the body of this PR contains the phrase "Maintainer changes" which is an indicator of whether or not any maintainers have changed.
+- `steps.dependabot-metadata.outputs.dependency-group`
+  - The dependency group that the PR is associated with (otherwise it is an empty string).
 
 **Note:** By default, these outputs will only be populated if the target Pull Request was opened by Dependabot and contains
 **only** Dependabot-created commits. To override, see `skip-commit-verification` / `skip-verification`.

src/dependabot/output.test.ts

@@ -20,6 +20,7 @@ const baseDependency = {
   newVersion: '',
   compatScore: 0,
   maintainerChanges: false,
+  dependencyGroup: '',
   alertState: '',
   ghsaId: '',
   cvss: 0
@@ -38,6 +39,7 @@ test('when given a single dependency it sets its values', async () => {
       newVersion: '1.1.3-beta',
       compatScore: 43,
       maintainerChanges: true,
+      dependencyGroup: '',
       alertState: 'FIXED',
       ghsaId: 'VERY_LONG_ID',
       cvss: 4.6

src/dependabot/output.ts

@@ -28,6 +28,7 @@ export function set (updatedDependencies: Array<updatedDependency>): void {
   const newVersion = firstDependency?.newVersion
   const compatScore = firstDependency?.compatScore
   const maintainerChanges = firstDependency?.maintainerChanges
+  const dependencyGroup = firstDependency?.dependencyGroup
   const alertState = firstDependency?.alertState
   const ghsaId = firstDependency?.ghsaId
   const cvss = firstDependency?.cvss
@@ -43,6 +44,7 @@ export function set (updatedDependencies: Array<updatedDependency>): void {
   core.info(`outputs.new-version: ${newVersion}`)
   core.info(`outputs.compatibility-score: ${compatScore}`)
   core.info(`outputs.maintainer-changes: ${maintainerChanges}`)
+  core.info(`outputs.dependency-group: ${dependencyGroup}`)
   core.info(`outputs.alert-state: ${alertState}`)
   core.info(`outputs.ghsa-id: ${ghsaId}`)
   core.info(`outputs.cvss: ${cvss}`)
@@ -59,6 +61,7 @@ export function set (updatedDependencies: Array<updatedDependency>): void {
   core.setOutput('new-version', newVersion)
   core.setOutput('compatibility-score', compatScore)
   core.setOutput('maintainer-changes', maintainerChanges)
+  core.setOutput('dependency-group', dependencyGroup)
   core.setOutput('alert-state', alertState)
   core.setOutput('ghsa-id', ghsaId)
   core.setOutput('cvss', cvss)

src/dependabot/update_metadata.test.ts

@@ -61,6 +61,7 @@ test('it returns the updated dependency information when there is a yaml fragmen
   expect(updatedDependencies[0].alertState).toEqual('DISMISSED')
   expect(updatedDependencies[0].ghsaId).toEqual('GHSA-III-BBB')
   expect(updatedDependencies[0].cvss).toEqual(4.6)
+  expect(updatedDependencies[0].dependencyGroup).toEqual('')
 })
 
 test('it supports multiple dependencies within a single fragment', async () => {
@@ -122,6 +123,8 @@ test('it supports multiple dependencies within a single fragment', async () => {
   expect(updatedDependencies[0].alertState).toEqual('DISMISSED')
   expect(updatedDependencies[0].ghsaId).toEqual('GHSA-III-BBB')
   expect(updatedDependencies[0].cvss).toEqual(4.6)
+  expect(updatedDependencies[0].dependencyGroup).toEqual('')
+  expect(updatedDependencies[0].dependencyGroup).toEqual('')
 
   expect(updatedDependencies[1].dependencyName).toEqual('coffeescript')
   expect(updatedDependencies[1].dependencyType).toEqual('indirect')
@@ -135,6 +138,7 @@ test('it supports multiple dependencies within a single fragment', async () => {
   expect(updatedDependencies[1].alertState).toEqual('')
   expect(updatedDependencies[1].ghsaId).toEqual('')
   expect(updatedDependencies[1].cvss).toEqual(0)
+  expect(updatedDependencies[1].dependencyGroup).toEqual('')
 })
 
 test('it returns the updated dependency information when there is a leading v in the commit message versions', async () => {
@@ -170,6 +174,50 @@ test('it returns the updated dependency information when there is a leading v in
   expect(updatedDependencies[0].alertState).toEqual('DISMISSED')
   expect(updatedDependencies[0].ghsaId).toEqual('GHSA-III-BBB')
   expect(updatedDependencies[0].cvss).toEqual(4.6)
+  expect(updatedDependencies[0].dependencyGroup).toEqual('')
+})
+
+test('it supports returning information about grouped updates', async () => {
+  const commitMessage =
+    'Bumps the docker group with 3 updates: [github.com/docker/cli](https://github.com/docker/cli), [github.com/docker/docker](https://github.com/docker/docker) and [github.com/moby/moby](https://github.com/moby/moby).\n' +
+    '\n' +
+    'Updates `github.com/docker/cli` from 24.0.1+incompatible to 24.0.2+incompatible\n' +
+    '- [Commits](docker/cli@v24.0.1...v24.0.2)\n' +
+    '\n' +
+    'Updates `github.com/docker/docker` from 24.0.1+incompatible to 24.0.2+incompatible\n' +
+    '- [Release notes](https://github.com/docker/docker/releases)\n' +
+    '- [Commits](moby/moby@v24.0.1...v24.0.2)\n' +
+    '\n' +
+    'Updates `github.com/moby/moby` from 24.0.1+incompatible to 24.0.2+incompatible\n' +
+    '- [Release notes](https://github.com/moby/moby/releases)\n' +
+    '- [Commits](moby/moby@v24.0.1...v24.0.2)\n' +
+    '\n' +
+    '---\n' +
+    'updated-dependencies:\n' +
+    '- dependency-name: github.com/docker/cli\n' +
+    '  dependency-type: direct:production\n' +
+    '  update-type: version-update:semver-patch\n' +
+    '  dependency-group: docker\n' +
+    '- dependency-name: github.com/docker/docker\n' +
+    '  dependency-type: direct:production\n' +
+    '  update-type: version-update:semver-patch\n' +
+    '  dependency-group: docker\n' +
+    '- dependency-name: github.com/moby/moby\n' +
+    '  dependency-type: direct:production\n' +
+    '  update-type: version-update:semver-patch\n' +
+    '  dependency-group: docker\n' +
+    '...\n' +
+    '\n' +
+    'Signed-off-by: dependabot[bot] <support@github.com>\n'
+
+  const getAlert = async () => Promise.resolve({ alertState: 'DISMISSED', ghsaId: 'GHSA-III-BBB', cvss: 4.6 })
+  const getScore = async () => Promise.resolve(43)
+  const updatedDependencies = await updateMetadata.parse(commitMessage, '', 'dependabot/docker/gh-base-image/docker-1234566789', 'main', getAlert, getScore)
+
+  expect(updatedDependencies).toHaveLength(3)
+
+  expect(updatedDependencies[0].dependencyName).toEqual('github.com/docker/cli')
+  expect(updatedDependencies[0].dependencyGroup).toEqual('docker')
 })
 
 test('it only returns information within the first fragment if there are multiple yaml documents', async () => {
@@ -211,6 +259,7 @@ test('it only returns information within the first fragment if there are multipl
   expect(updatedDependencies[0].alertState).toEqual('')
   expect(updatedDependencies[0].ghsaId).toEqual('')
   expect(updatedDependencies[0].cvss).toEqual(0)
+  expect(updatedDependencies[0].dependencyGroup).toEqual('')
 })
 
 test('it properly handles dependencies which contain slashes', async () => {
@@ -247,6 +296,7 @@ test('it properly handles dependencies which contain slashes', async () => {
   expect(updatedDependencies[0].alertState).toEqual('')
   expect(updatedDependencies[0].ghsaId).toEqual('')
   expect(updatedDependencies[0].cvss).toEqual(0)
+  expect(updatedDependencies[0].dependencyGroup).toEqual('')
 })
 
 test('calculateUpdateType should handle all paths', () => {

src/dependabot/update_metadata.ts

@@ -16,7 +16,8 @@
   prevVersion: string,
   newVersion: string,
   compatScore: number,
-  maintainerChanges: boolean
+  maintainerChanges: boolean,
+  dependencyGroup: string
 }
 
 export interface alertLookup {
@@ -31,6 +32,7 @@
   const bumpFragment = commitMessage.match(/^Bumps .* from (?<from>v?\d[^ ]*) to (?<to>v?\d[^ ]*)\.$/m)
   const updateFragment = commitMessage.match(/^Update .* requirement from \S*? ?(?<from>v?\d\S*) to \S*? ?(?<to>v?\d\S*)$/m)
   const yamlFragment = commitMessage.match(/^-{3}\n(?<dependencies>[\S|\s]*?)\n^\.{3}\n/m)
+  const groupName = commitMessage.match(/dependency-group:\s(?<name>\S*)/m)
   const newMaintainer = !!body.match(/Maintainer changes/m)
   const lookupFn = lookup ?? (() => Promise.resolve({ alertState: '', ghsaId: '', cvss: 0 }))
   const scoreFn = getScore ?? (() => Promise.resolve(0))
@@ -43,6 +45,7 @@
     const chunks = branchName.split(delim)
     const prev = bumpFragment?.groups?.from ?? (updateFragment?.groups?.from ?? '')
     const next = bumpFragment?.groups?.to ?? (updateFragment?.groups?.to ?? '')
+    const dependencyGroup = groupName?.groups?.name ?? ''
 
     if (data['updated-dependencies']) {
       return await Promise.all(data['updated-dependencies'].map(async (dependency, index) => {
@@ -61,6 +64,7 @@
           newVersion: nextVersion,
           compatScore: await scoreFn(dependency['dependency-name'], lastVersion, nextVersion, chunks[1]),
           maintainerChanges: newMaintainer,
+          dependencyGroup: dependencyGroup,
           ...await lookupFn(dependency['dependency-name'], lastVersion, dirname)
         }
       }))