dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Docker ecosystem fails on "unparsable" file with no way to skip it #10095

Open ashb opened 2 months ago

ashb commented 2 months ago

Is there an existing issue for this?

Package ecosystem

Docker

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

apps/myapp/test-deployment.yaml:

# a simple deployment we can use for testing in a Kubernetes Collector
apiVersion: v1
kind: Namespace
metadata:
  name: test-namespace
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
  namespace: test-namespace
  labels:
    app: test-deployment
spec:
  replicas: 5
  selector:
    matchLabels:
      app: test-deployment
  template:
    metadata:
      labels:
        app: test-deployment

    spec:
      containers:
      - name: test-deployment
        image: nginx

There was also a Dockerfile alongside this, the contents of which don't matter, but for the sake of argument let's say it is as simple as:

apps/myapp/Dockerfile:

FROM golang:1.21.11@sha256:2eb85b8942c29145b4a5bed2d0f3dc1a3ba2f823aec74afe16751da108a585e1 as build
WORKDIR /workspace

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "docker"
    directory: "/apps/myapp"

Updated dependency

In dockerfile from sha256:2eb85b8942c29145b4a5bed2d0f3dc1a3ba2f823aec74afe16751da108a585e1 to sha256:b405b620c7b53ef64695c7da7c8396f411f381c1eb7da6713c585dd7eca1559b

What you expected to see, versus what you actually saw

I would expect the Dockerfile to be updated, even if other files have errors.

Additionally: I don't actually want that test-deployment.yaml to be updated, but since it's in the same folder there is no way to tell it to ignore it.

This is in some ways similar to https://github.com/dependabot/dependabot-core/issues/6067, but I would like the ability to either specify the exact/specific files to match, or to be able to exclude certain files from being updated. Somewhat similar to the .dpignore idea mentioned in https://github.com/dependabot/dependabot-core/issues/4364#issuecomment-1889833180

Also related to https://github.com/dependabot/dependabot-core/issues/2883 (and that would fix it for me if I could tell it to manually skip a file) -- but I don't think a failure to parse one file should stop the whole ecosystem.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

ashb commented 2 months ago

(Auto guessed labels are wrong, L: docker is the only one that should be applied)

ashb commented 2 months ago

cc @carogalvin

ashb commented 2 months ago

And in this specific case, I suspect the YAML parser does not like the fact that there are two docs in the single file (a pattern that, in my experience at least, is relatively common) separated by ---
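How a multi-document manifest like the one in this issue looks to the two loaders in Ruby's standard YAML library (Psych), as an added example that is not dependabot-core's own code: `YAML.safe_load` returns only the first document, so the Deployment and its image references would be silently missed, while `YAML.load_stream` visits every document. The manifest is a constructed copy of the issue's file with an initContainer added; which parser dependabot-core's Docker ecosystem actually uses is not shown on this page.

```ruby
require 'yaml'
# Constructed manifest mirroring the issue's file: a Namespace document and a
# Deployment document in one file, separated by "---" (initContainer added).
MULTI_DOC_MANIFEST = <<~YAML
  apiVersion: v1
  kind: Namespace
  metadata:
    name: test-namespace
  ---
  apiVersion: apps/v1
  kind: Deployment
  spec:
    template:
      spec:
        initContainers:
        - name: init
          image: busybox:1.36
        containers:
        - name: test-deployment
          image: nginx
YAML

# Psych's single-document loader returns only the first document: the
# Deployment, and every image reference in it, silently disappears.
def kinds_seen_by_safe_load(text)
  [YAML.safe_load(text)["kind"]]
end

# The stream loader visits every document. It has no permitted_classes
# restriction like safe_load, so apply it only to content you already trust.
def kinds_seen_by_load_stream(text)
  YAML.load_stream(text).compact.map { |doc| doc["kind"] }
end

# Walk nested Hash/Array data and collect every `image:` string, so containers,
# initContainers and nested pod templates (CronJob, Job, ...) are all found.
def collect_images(node, acc = [])
  case node
  when Hash
    acc << node["image"] if node["image"].is_a?(String)
    node.each_value { |v| collect_images(v, acc) }
  when Array
    node.each { |v| collect_images(v, acc) }
  end
  acc
end

# Image references across all documents of a multi-document manifest.
def images_in_manifest(text)
  YAML.load_stream(text).compact.flat_map { |doc| collect_images(doc) }
end
```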

jeffwidman commented 2 months ago

Thanks for the heads-up @ashb, I fixed the labels.

@carogalvin is awesome, and she's still at GitHub, but she's moved to product managing a different team/product, so no longer a relevant person to tag for this kind of stuff.