Support getting package versions from other files

[suzuki-shunsuke]

Feature Overview

Similar to #2632 .

• feat: add an option go_version_file #2632

Support getting package versions from other files.

• .terraform-version, .nvmrc, .node-version
• Get a version from JSON, YAML, TOML using JSONPath or something

Why is the feature needed?

To share the version definition with other tools.
To make DRY.

Workaround

No response

Example Code

- name: hashicorp/terraform
  version: file(".terraform-version")

Note

• Support .terraform-version for Terraform #3182
• Support .node-version for Node.js #3183

[suzuki-shunsuke]

expr

version_expr: |
  readJSON("foo.json").version

version_expr: |
  readYAML("foo.yaml").version

version_expr: |
  "v" + readFile(".terraform-version")

[suzuki-shunsuke]

⚠️ Security Concern

Malicious users may be able to expose secrets via log by reading secret files via version_expr.

e.g.

version_expr: readFile("/home/foo/.aws/credentials")

[suzuki-shunsuke]

Solution

Restrict the value of version_expr to semver.
This prevents secrets from being exposed.

https://pkg.go.dev/github.com/hashicorp/go-version#NewSemver

We can complement a prefix such as cli- by version_expr_prefix.

[suzuki-shunsuke]

template

version_template: |
  {{(readJSON "foo.json").version}}

version_template: |
  {{(readYAML "foo.yaml").version}}'

version_template: |
  v{{readFile ".terraform-version"}}

[suzuki-shunsuke]

I'm wondering if this feature is really necessary.

Why is the feature needed?
To share the version definition with other tools.
To make DRY.

This makes sense, but actually I don't have strong motivation.

[suzuki-shunsuke]

semver's pre-release can include secrets, so we need to restrict the pattern of pre-release.

1.0
1.0.0
1.0.0-alpha
1.0.0-rc.1

^v?\d+\.\d+(\.\d+)*[.-]?((alpha|beta|dev|rc)[.-]?)?\d*