Adding GroupDependencySelector filter to group pull request

Author: robaiken

updater/lib/dependabot/updater/operations/create_group_update_pull_request.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "dependabot/updater/group_update_creation"
+require "dependabot/updater/group_dependency_selector"
 require "sorbet-runtime"
 
 # This class implements our strategy for creating a single Pull Request which
@@ -123,6 +124,17 @@ def dependency_change
             dependency_change.merge_changes!(T.must(dependency_changes[1..-1])) if dependency_changes.count > 1
             @dependency_change = T.let(dependency_change, T.nilable(Dependabot::DependencyChange))
           end
+
+          # Apply GroupDependencySelector filtering to ensure only group-eligible dependencies
+          if @dependency_change
+            selector = Dependabot::Updater::GroupDependencySelector.new(
+              group: group,
+              dependency_snapshot: dependency_snapshot
+            )
+            selector.filter_to_group!(@dependency_change)
+          end
+
+          @dependency_change
         end
 
         sig { void }

updater/spec/dependabot/updater/operations/create_group_update_pull_request_spec.rb

@@ -10,6 +10,7 @@
 require "dependabot/service"
 require "dependabot/updater/error_handler"
 require "dependabot/updater/operations/create_group_update_pull_request"
+require "dependabot/updater/group_dependency_selector"
 require "dependabot/dependency_change_builder"
 require "dependabot/notices"
 
@@ -173,6 +174,108 @@
           create_group_update_pull_request.perform
         end
       end
+
+      context "when GroupDependencySelector filtering is enabled" do
+        let(:dependency_b) do
+          Dependabot::Dependency.new(
+            name: "dummy-pkg-b",
+            version: "1.0.0",
+            requirements: [{
+              file: "Gemfile",
+              requirement: "~> 1.0.0",
+              groups: ["default"],
+              source: nil
+            }],
+            package_manager: "bundler",
+            metadata: { all_versions: ["1.0.0"] }
+          )
+        end
+
+        let(:dependency_group) do
+          Dependabot::DependencyGroup.new(
+            name: "dummy-group",
+            rules: { "patterns" => ["dummy-pkg-a"] }
+          )
+        end
+
+        let(:stub_dependency_change_with_multiple_deps) do
+          Dependabot::DependencyChange.new(
+            job: job,
+            updated_dependencies: [dependency, dependency_b],
+            updated_dependency_files: []
+          )
+        end
+
+        before do
+          Dependabot::Experiments.register(:group_membership_enforcement, true)
+          # Mock the job to allow all updates for simplicity
+          allow(job).to receive(:allowed_update?).and_return(true)
+        end
+
+        it "filters out dependencies not in the group" do
+          # Override the dependency change builder to return our test change
+          allow(create_group_update_pull_request).to receive(:compile_all_dependency_changes_for)
+            .with(dependency_group)
+            .and_return(stub_dependency_change_with_multiple_deps)
+
+          result = create_group_update_pull_request.send(:dependency_change)
+
+          # Only dummy-pkg-a should remain after filtering (dummy-pkg-b should be filtered out)
+          expect(result.updated_dependencies.map(&:name)).to eq(["dummy-pkg-a"])
+        end
+
+        it "does not filter when group_membership_enforcement is disabled" do
+          Dependabot::Experiments.register(:group_membership_enforcement, false)
+
+          # Override the dependency change builder to return our test change
+          allow(create_group_update_pull_request).to receive(:compile_all_dependency_changes_for)
+            .with(dependency_group)
+            .and_return(stub_dependency_change_with_multiple_deps)
+
+          result = create_group_update_pull_request.send(:dependency_change)
+
+          # Both dependencies should remain when filtering is disabled
+          expect(result.updated_dependencies.map(&:name)).to contain_exactly("dummy-pkg-a", "dummy-pkg-b")
+        end
+
+        it "handles empty dependency changes gracefully" do
+          empty_change = Dependabot::DependencyChange.new(
+            job: job,
+            updated_dependencies: [],
+            updated_dependency_files: []
+          )
+
+          allow(create_group_update_pull_request).to receive(:compile_all_dependency_changes_for)
+            .with(dependency_group)
+            .and_return(empty_change)
+
+          result = create_group_update_pull_request.send(:dependency_change)
+
+          expect(result.updated_dependencies).to be_empty
+        end
+
+        it "preserves dependency files during filtering" do
+          dependency_file = instance_double(
+            Dependabot::DependencyFile,
+            name: "Gemfile.lock",
+            directory: "."
+          )
+          change_with_files = Dependabot::DependencyChange.new(
+            job: job,
+            updated_dependencies: [dependency, dependency_b],
+            updated_dependency_files: [dependency_file]
+          )
+
+          allow(create_group_update_pull_request).to receive(:compile_all_dependency_changes_for)
+            .with(dependency_group)
+            .and_return(change_with_files)
+
+          result = create_group_update_pull_request.send(:dependency_change)
+
+          # Files should be preserved even after dependency filtering
+          expect(result.updated_dependency_files).to eq([dependency_file])
+        end
+      end
     end
   end
 end