marocchino / validate-dependabot

validate dependabot yaml
MIT License

`updates.registries: "*"` incorrectly reported as invalid #667

Closed SvenStaehs closed 10 months ago

SvenStaehs commented 10 months ago

Issue

false positive:

| keyword | message          | dataPath                |
|---------|------------------|-------------------------|
| type    | should be array  | .updates[0].registries  |
| type    | should be array  | .updates[1].registries  |

Cause

According to the new schema introduced with #648, the "registries" property of the "update" section should be an array:

        "registries": {
          "type": "array",
          "items": {
            "type": "string",
            "minLength": 1
          },
          "uniqueItems": true,
          "minItems": 1
        },

But Dependabot also accepts a string value of "*" with the special meaning "allow access to all private registries" (the default is to refuse access). From the docs:

You can allow all of the defined registries to be used by setting registries to "*"

There is an example usage as well:

updates:
  - package-ecosystem: "bundler"
    directory: "/rubygems-server"
    insecure-external-code-execution: allow
    registries: "*"

If "*" is given as an array element Dependabot takes this to mean "registry with the name '*'" and fails.

Workaround:

Solution:

Schema needs fixing so it correctly states that it can be an array or the string "*", but I have no idea who maintains those schema files (and whether that's even possible?)

SvenStaehs commented 10 months ago

hm, I did find the commit that introduced this incomplete entry in the schema file. Maybe I can find the time to propose a PR, if I can find out how to write "can be an array of strings or the single string `*`" 😬
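The shape of the fix the two comments above are looking for is a JSON Schema `anyOf`: either the literal string `"*"` or the existing array schema. The block below is an added example, not code from the validate-dependabot project: it assumes that `anyOf` fix as `FIXED_SCHEMA`, keeps the array-only fragment quoted in the issue as `OLD_SCHEMA`, and uses a small constructed checker (a stand-in for a full validator such as ajv) that returns `(keyword, message, dataPath)` tuples in the same shape as the table in the issue. It reproduces the false positive against the old schema, shows the fixed schema accepting `"*"` while still rejecting a bare registry name, an empty list and duplicates, and adds the one check a schema cannot express: `"*"` as an array element, which is syntactically valid but which Dependabot reads as a registry literally named `*`. The sample configs are constructed.

```python
"""Corrected `registries` schema for a Dependabot `updates[]` entry, with a
minimal checker for the JSON Schema keywords the fragment uses.

Added example, not validate-dependabot's own code. FIXED_SCHEMA is the assumed
fix (anyOf: the string "*" or a non-empty, unique array of non-empty strings);
OLD_SCHEMA is the array-only fragment quoted in the issue. The checker is a
constructed stand-in for a full validator such as ajv."""

OLD_SCHEMA = {
    "type": "array",
    "items": {"type": "string", "minLength": 1},
    "uniqueItems": True,
    "minItems": 1,
}

FIXED_SCHEMA = {
    "anyOf": [
        {"type": "string", "const": "*"},  # documented "allow all registries" form
        OLD_SCHEMA,                         # or an explicit list of registry names
    ]
}

_TYPES = {"string": str, "array": list}


def check(value, schema, path):
    """Return a list of (keyword, message, dataPath) errors; empty means valid."""
    if "anyOf" in schema:
        branches = [check(value, sub, path) for sub in schema["anyOf"]]
        if any(not errs for errs in branches):
            return []
        # No branch matched: report every branch's errors plus the anyOf failure.
        return [e for errs in branches for e in errs] + [
            ("anyOf", "should match some schema in anyOf", path)
        ]
    if "type" in schema and not isinstance(value, _TYPES[schema["type"]]):
        return [("type", f"should be {schema['type']}", path)]
    errors = []
    if "const" in schema and value != schema["const"]:
        errors.append(("const", f"should be equal to constant {schema['const']!r}", path))
    if "minLength" in schema and isinstance(value, str) and len(value) < schema["minLength"]:
        errors.append(("minLength", f"should NOT be shorter than {schema['minLength']} characters", path))
    if isinstance(value, list):
        if "minItems" in schema and len(value) < schema["minItems"]:
            errors.append(("minItems", f"should NOT have fewer than {schema['minItems']} items", path))
        if schema.get("uniqueItems") and len(set(map(repr, value))) != len(value):
            errors.append(("uniqueItems", "should NOT have duplicate items", path))
        if "items" in schema:
            for i, item in enumerate(value):
                errors.extend(check(item, schema["items"], f"{path}[{i}]"))
    return errors


def validate_updates(config, schema=FIXED_SCHEMA):
    """Check every updates[i].registries of a parsed dependabot.yml mapping."""
    errors = []
    for i, update in enumerate(config.get("updates", [])):
        if "registries" in update:
            errors.extend(check(update["registries"], schema, f".updates[{i}].registries"))
    return errors


def star_inside_array(config):
    """Paths where "*" appears as an array element: schema-valid, but Dependabot
    treats it as a registry named '*' and fails, so a linter should flag it."""
    return [
        f".updates[{i}].registries"
        for i, update in enumerate(config.get("updates", []))
        if isinstance(update.get("registries"), list) and "*" in update["registries"]
    ]


# Constructed sample configs (not taken from the page).
CONFIG_OK = {"updates": [
    {"package-ecosystem": "bundler", "directory": "/rubygems-server", "registries": "*"},
    {"package-ecosystem": "npm", "directory": "/", "registries": ["npm-private"]},
]}
CONFIG_BAD = {"updates": [
    {"package-ecosystem": "npm", "directory": "/", "registries": "npm-private"},  # bare name, not "*"
    {"package-ecosystem": "pip", "directory": "/", "registries": []},             # empty list
    {"package-ecosystem": "pip", "directory": "/", "registries": ["a", "a"]},     # duplicate entry
    {"package-ecosystem": "pip", "directory": "/", "registries": ["*"]},          # schema-valid trap
]}

if __name__ == "__main__":
    print("old schema, valid config  :", validate_updates(CONFIG_OK, OLD_SCHEMA))
    print("fixed schema, valid config:", validate_updates(CONFIG_OK))
    for kw, msg, path in validate_updates(CONFIG_BAD):
        print(f"{kw:12} {msg:45} {path}")
    print("'*' inside an array at:", star_inside_array(CONFIG_BAD))
```

Against `OLD_SCHEMA` the valid config produces exactly the `type should be array .updates[0].registries` row from the issue; against `FIXED_SCHEMA` it is clean. Because `registries: "*"` hands the update job credentials for every configured private registry, the validator should accept the documented form rather than push users toward listing `"*"` inside an array, which the schema cannot reject but `star_inside_array` does.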

SvenStaehs commented 10 months ago

schema is fixed, validator works without this false positive now 👍