support multi-directory update with no groups (#9148)

silent/tests/testdata/su-multidir.txt

@@ -0,0 +1,67 @@
+dependabot update -f input.yml --local . --updater-image ghcr.io/dependabot/dependabot-updater-silent
+stdout -count=2 'create_pull_request'
+stderr -count=2 'created \| dependency-a \( from 1.2.3 to 1.2.4 \)'
+pr-created frontend/expected.json
+pr-created backend/expected.json
+
+# Testing multi-directory configuration without a group.
+# Since it's impossible to tell which directory dependency-a should be
+# updated in, it should update in all directories.
+
+-- frontend/manifest.json --
+{
+  "dependency-a": { "version": "1.2.3" },
+  "dependency-b": { "version": "1.2.3" }
+}
+
+-- backend/manifest.json --
+{
+  "dependency-a": { "version": "1.2.3" }
+}
+
+-- utilities/manifest.json --
+{
+  "unrelated": { "version": "1.0.0" }
+}
+
+-- frontend/expected.json --
+{
+  "dependency-a": { "version": "1.2.4" },
+  "dependency-b": { "version": "1.2.3" }
+}
+
+-- backend/expected.json --
+{
+  "dependency-a": { "version": "1.2.4" }
+}
+
+-- dependency-a --
+{
+  "versions": [
+    "1.2.3",
+    "1.2.4",
+    "1.2.5"
+  ]
+}
+
+-- input.yml --
+job:
+  package-manager: "silent"
+  dependencies:
+      - dependency-a
+  source:
+    directories:
+      - "/frontend"
+      - "/utilities"
+      - "/backend"
+    provider: example
+    hostname: example.com
+    api-endpoint: https://example.com/api/v3
+    repo: dependabot/smoke-tests
+  security-advisories:
+    - dependency-name: dependency-a
+      affected-versions:
+        - < 1.2.4
+      patched-versions: []
+      unaffected-versions: []
+  security-updates-only: true

silent/tests/testdata/vu-multidir.txt

@@ -0,0 +1,66 @@
+dependabot update -f input.yml --local . --updater-image ghcr.io/dependabot/dependabot-updater-silent
+stderr -count=2 'created \| dependency-a \( from 1.2.3 to 1.2.5 \)'
+stderr 'created \| dependency-b \( from 1.2.3 to 1.2.5 \)'
+pr-created frontend/expected-1.json
+pr-created frontend/expected-2.json
+pr-created backend/expected-3.json
+
+# Testing multi-directory configuration without a group.
+
+-- frontend/manifest.json --
+{
+  "dependency-a": { "version": "1.2.3" },
+  "dependency-b": { "version": "1.2.3" }
+}
+
+-- frontend/expected-1.json --
+{
+  "dependency-a": { "version": "1.2.5" },
+  "dependency-b": { "version": "1.2.3" }
+}
+
+-- frontend/expected-2.json --
+{
+  "dependency-a": { "version": "1.2.3" },
+  "dependency-b": { "version": "1.2.5" }
+}
+
+-- backend/manifest.json --
+{
+  "dependency-a": { "version": "1.2.3" }
+}
+
+-- backend/expected-3.json --
+{
+  "dependency-a": { "version": "1.2.5" }
+}
+
+-- dependency-a --
+{
+  "versions": [
+    "1.2.3",
+    "1.2.4",
+    "1.2.5"
+  ]
+}
+
+-- dependency-b --
+{
+  "versions": [
+    "1.2.3",
+    "1.2.4",
+    "1.2.5"
+  ]
+}
+
+-- input.yml --
+job:
+  package-manager: "silent"
+  source:
+    directories:
+      - "/frontend"
+      - "/backend"
+    provider: example
+    hostname: example.com
+    api-endpoint: https://example.com/api/v3
+    repo: dependabot/smoke-tests

updater/lib/dependabot/updater/operations/group_update_all_versions.rb

@@ -20,12 +20,14 @@ module Operations
       class GroupUpdateAllVersions
         include GroupUpdateCreation
 
-        def self.applies_to?(job:)
+        def self.applies_to?(job:) # rubocop:disable Metrics/PerceivedComplexity
           return false if job.updating_a_pull_request?
           if Dependabot::Experiments.enabled?(:grouped_security_updates_disabled) && job.security_updates_only?
             return false
           end
 
+          return true if job.source.directories && job.source.directories.count > 1
+
           if job.security_updates_only?
             return true if job.dependencies.count > 1
             return true if job.dependency_groups&.any? { |group| group["applies-to"] == "security-updates" }

updater/lib/dependabot/updater/operations/refresh_group_update_pull_request.rb

@@ -36,6 +36,8 @@ def self.applies_to?(job:) # rubocop:disable Metrics/PerceivedComplexity
             return false
           end
 
+          return true if job.source.directories && job.source.directories.count > 1
+
           if job.security_updates_only?
             return true if job.dependencies.count > 1
             return true if job.dependency_groups&.any? { |group| group["applies-to"] == "security-updates" }

updater/spec/dependabot/updater/operations_spec.rb

@@ -16,7 +16,9 @@
       # We always expect jobs that update a pull request to specify their
       # existing dependency changes, a job with this set of conditions
       # should never exist.
+      source = instance_double(Dependabot::Source, directory: "/.", directories: nil)
       job = instance_double(Dependabot::Job,
+                            source: source,
                             security_updates_only?: false,
                             updating_a_pull_request?: true,
                             dependencies: [],
@@ -27,7 +29,7 @@
     end
 
     it "returns the UpdateAllVersions class when the Job is for a fresh, non-security update with no dependencies" do
-      source = instance_double(Dependabot::Source, directory: nil)
+      source = instance_double(Dependabot::Source, directory: "/.", directories: nil)
       job = instance_double(Dependabot::Job,
                             source: source,
                             security_updates_only?: false,
@@ -40,8 +42,7 @@
     end
 
     it "returns the GroupUpdateAllVersions class when the Job is for a fresh, version update with no dependencies" do
-      source = instance_double(Dependabot::Source, directory: nil)
-
+      source = instance_double(Dependabot::Source, directory: "/.", directories: nil)
       job = instance_double(Dependabot::Job,
                             source: source,
                             security_updates_only?: false,
@@ -56,8 +57,7 @@
     end
 
     it "returns the RefreshGroupUpdatePullRequest class when the Job is for an existing group update" do
-      source = instance_double(Dependabot::Source, directory: nil)
-
+      source = instance_double(Dependabot::Source, directory: "/.", directories: nil)
       job = instance_double(Dependabot::Job,
                             source: source,
                             security_updates_only?: false,
@@ -74,7 +74,9 @@
     end
 
     it "returns the RefreshVersionUpdatePullRequest class when the Job is for an existing dependency version update" do
+      source = instance_double(Dependabot::Source, directory: "/.", directories: nil)
       job = instance_double(Dependabot::Job,
+                            source: source,
                             security_updates_only?: false,
                             updating_a_pull_request?: true,
                             dependencies: [anything],
@@ -87,22 +89,22 @@
     end
 
     it "returns the CreateSecurityUpdatePullRequest class when the Job is for a new security update for a dependency" do
+      source = instance_double(Dependabot::Source, directory: "/.", directories: nil)
       job = instance_double(Dependabot::Job,
+                            source: source,
                             dependency_group_to_refresh: nil,
                             security_updates_only?: true,
                             updating_a_pull_request?: false,
                             dependencies: [anything],
                             dependency_groups: [],
-                            source: Dependabot::Source.new(provider: "github", repo: "gocardless/bump"),
                             is_a?: true)
 
       expect(described_class.class_for(job: job))
         .to be(Dependabot::Updater::Operations::CreateSecurityUpdatePullRequest)
     end
 
     it "returns the GroupUpdateAllVersions class when Experiment flag is not provided" do
-      source = instance_double(Dependabot::Source, directory: nil)
-
+      source = instance_double(Dependabot::Source, directory: "/.", directories: nil)
       job = instance_double(Dependabot::Job,
                             source: source,
                             security_updates_only?: true,
@@ -117,7 +119,7 @@
 
     it "returns the GroupUpdateAllVersions class when Experiment flag is off" do
       Dependabot::Experiments.register(:grouped_security_updates_disabled, false)
-      source = instance_double(Dependabot::Source, directory: nil)
+      source = instance_double(Dependabot::Source, directory: "/.", directories: nil)
       job = instance_double(Dependabot::Job,
                             source: source,
                             security_updates_only?: true,
@@ -132,7 +134,9 @@
 
     it "returns the CreateSecurityUpdatePullRequest class when Experiment flag is true" do
       Dependabot::Experiments.register(:grouped_security_updates_disabled, true)
+      source = instance_double(Dependabot::Source, directory: "/.", directories: nil)
       job = instance_double(Dependabot::Job,
+                            source: source,
                             dependency_group_to_refresh: nil,
                             security_updates_only?: true,
                             updating_a_pull_request?: false,
@@ -146,7 +150,7 @@
 
     it "returns the RefreshGroupSecurityUpdatePullRequest class when the Job is for an existing security update for" \
        " multiple dependencies" do
-      source = instance_double(Dependabot::Source, directory: nil)
+      source = instance_double(Dependabot::Source, directory: "/.", directories: nil)
       job = instance_double(Dependabot::Job,
                             source: source,
                             security_updates_only?: true,
@@ -161,7 +165,9 @@
     end
 
     it "returns the RefreshSecurityUpdatePullRequest class when the Job is for an existing security update" do
+      source = instance_double(Dependabot::Source, directory: "/.", directories: nil)
       job = instance_double(Dependabot::Job,
+                            source: source,
                             dependency_group_to_refresh: nil,
                             security_updates_only?: true,
                             updating_a_pull_request?: true,