Closed adamralph closed 2 years ago
This looks like an inconsistent regression. My actions/setup-dotnet PRs all came in going from v1.9.1 to v2, while my actions/setup-node PRs came in for v2.5.1 to v3.0.0 and v2.5.1 to v3.
Yes, actually another PR in another one of my repos was raised correctly. It bumped actions/setup-dotnet from v1.9.1 to v2.0.0.
Just had a bunch more of these types of PRs opened. Wish there was a way to force dependabot to recreate them using the full version number.
Here are the relevant logs for the above PRs in case they help at all.
updater | INFO <job_299996410> Checking if actions/setup-node 2.5.1 needs updating
proxy | 2022/02/25 12:07:24 [030] GET https://github.com:443/actions/setup-node.git/info/refs?service=git-upload-pack
proxy | 2022/02/25 12:07:24 [030] * authenticating git server request (host: github.com)
proxy | 2022/02/25 12:07:24 [030] 200 https://github.com:443/actions/setup-node.git/info/refs?service=git-upload-pack
updater | INFO <job_299996410> Latest version is 3
updater | INFO <job_299996410> Requirements to unlock own
updater | INFO <job_299996410> Requirements update strategy
updater | INFO <job_299996410> Updating actions/setup-node from 2.5.1 to 3
proxy | 2022/02/25 12:07:24 [032] GET https://api.github.com:443/repos/xt0rted/tailwindcss-tag-helpers/commits?per_page=100
proxy | 2022/02/25 12:07:24 [032] * authenticating github api request
proxy | 2022/02/25 12:07:24 [032] 200 https://api.github.com:443/repos/xt0rted/tailwindcss-tag-helpers/commits?per_page=100
proxy | 2022/02/25 12:07:24 [034] GET https://api.github.com:443/repos/actions/setup-node/releases?per_page=100
proxy | 2022/02/25 12:07:24 [034] * authenticating github api request
proxy | 2022/02/25 12:07:25 [034] 200 https://api.github.com:443/repos/actions/setup-node/releases?per_page=100
proxy | 2022/02/25 12:07:25 [036] GET https://api.github.com:443/repos/actions/setup-node/contents/
proxy | 2022/02/25 12:07:25 [036] * authenticating github api request
proxy | 2022/02/25 12:07:25 [036] 200 https://api.github.com:443/repos/actions/setup-node/contents/
proxy | 2022/02/25 12:07:25 [038] GET https://api.github.com:443/repos/actions/setup-node/contents/docs
proxy | 2022/02/25 12:07:25 [038] * authenticating github api request
proxy | 2022/02/25 12:07:25 [038] 200 https://api.github.com:443/repos/actions/setup-node/contents/docs
proxy | 2022/02/25 12:07:25 [040] GET https://api.github.com:443/repos/actions/setup-node/contents/?ref=v3
proxy | 2022/02/25 12:07:25 [040] * authenticating github api request
proxy | 2022/02/25 12:07:25 [040] 200 https://api.github.com:443/repos/actions/setup-node/contents/?ref=v3
proxy | 2022/02/25 12:07:25 [042] GET https://api.github.com:443/repos/actions/setup-node/contents/docs?ref=v3
proxy | 2022/02/25 12:07:25 [042] * authenticating github api request
proxy | 2022/02/25 12:07:25 [042] 200 https://api.github.com:443/repos/actions/setup-node/contents/docs?ref=v3
proxy | 2022/02/25 12:07:25 [044] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
proxy | 2022/02/25 12:07:25 [044] * authenticating github api request
proxy | 2022/02/25 12:07:25 [044] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
proxy | 2022/02/25 12:07:25 [046] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v3
proxy | 2022/02/25 12:07:25 [046] * authenticating github api request
proxy | 2022/02/25 12:07:25 [046] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v3
proxy | 2022/02/25 12:07:25 [048] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
proxy | 2022/02/25 12:07:25 [048] * authenticating github api request
proxy | 2022/02/25 12:07:26 [048] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
proxy | 2022/02/25 12:07:26 [050] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v3
proxy | 2022/02/25 12:07:26 [050] * authenticating github api request
proxy | 2022/02/25 12:07:26 [050] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v3
proxy | 2022/02/25 12:07:26 [052] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
proxy | 2022/02/25 12:07:26 [052] * authenticating github api request
proxy | 2022/02/25 12:07:26 [052] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
proxy | 2022/02/25 12:07:26 [054] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v3
proxy | 2022/02/25 12:07:26 [054] * authenticating github api request
proxy | 2022/02/25 12:07:26 [054] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v3
updater | INFO <job_299996410> Submitting actions/setup-node pull request for creation
...
updater | INFO <job_299996410> Checking if actions/setup-dotnet 1.9.1 needs updating
proxy | 2022/02/25 12:07:27 [068] GET https://github.com:443/actions/setup-dotnet.git/info/refs?service=git-upload-pack
proxy | 2022/02/25 12:07:27 [068] * authenticating git server request (host: github.com)
proxy | 2022/02/25 12:07:27 [068] 200 https://github.com:443/actions/setup-dotnet.git/info/refs?service=git-upload-pack
updater | INFO <job_299996410> Latest version is 2
updater | INFO <job_299996410> Requirements to unlock own
updater | INFO <job_299996410> Requirements update strategy
updater | INFO <job_299996410> Updating actions/setup-dotnet from 1.9.1 to 2
proxy | 2022/02/25 12:07:27 [070] GET https://api.github.com:443/repos/xt0rted/tailwindcss-tag-helpers/commits?per_page=100
proxy | 2022/02/25 12:07:27 [070] * authenticating github api request
proxy | 2022/02/25 12:07:27 [070] 200 https://api.github.com:443/repos/xt0rted/tailwindcss-tag-helpers/commits?per_page=100
proxy | 2022/02/25 12:07:28 [072] GET https://api.github.com:443/repos/actions/setup-dotnet/releases?per_page=100
proxy | 2022/02/25 12:07:28 [072] * authenticating github api request
proxy | 2022/02/25 12:07:28 [072] 200 https://api.github.com:443/repos/actions/setup-dotnet/releases?per_page=100
proxy | 2022/02/25 12:07:28 [074] GET https://api.github.com:443/repos/actions/setup-dotnet/contents/
proxy | 2022/02/25 12:07:28 [074] * authenticating github api request
proxy | 2022/02/25 12:07:28 [074] 200 https://api.github.com:443/repos/actions/setup-dotnet/contents/
proxy | 2022/02/25 12:07:28 [076] GET https://api.github.com:443/repos/actions/setup-dotnet/contents/docs
proxy | 2022/02/25 12:07:28 [076] * authenticating github api request
proxy | 2022/02/25 12:07:28 [076] 200 https://api.github.com:443/repos/actions/setup-dotnet/contents/docs
proxy | 2022/02/25 12:07:28 [078] GET https://api.github.com:443/repos/actions/setup-dotnet/contents/?ref=v2
proxy | 2022/02/25 12:07:28 [078] * authenticating github api request
proxy | 2022/02/25 12:07:28 [078] 200 https://api.github.com:443/repos/actions/setup-dotnet/contents/?ref=v2
proxy | 2022/02/25 12:07:28 [080] GET https://api.github.com:443/repos/actions/setup-dotnet/contents/docs?ref=v2
proxy | 2022/02/25 12:07:28 [080] * authenticating github api request
proxy | 2022/02/25 12:07:28 [080] 200 https://api.github.com:443/repos/actions/setup-dotnet/contents/docs?ref=v2
proxy | 2022/02/25 12:07:28 [082] GET https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v1.9.1
proxy | 2022/02/25 12:07:28 [082] * authenticating github api request
proxy | 2022/02/25 12:07:28 [082] 200 https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v1.9.1
proxy | 2022/02/25 12:07:28 [084] GET https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v2
proxy | 2022/02/25 12:07:28 [084] * authenticating github api request
proxy | 2022/02/25 12:07:28 [084] 200 https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v2
proxy | 2022/02/25 12:07:28 [086] GET https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v1.9.1
proxy | 2022/02/25 12:07:28 [086] * authenticating github api request
proxy | 2022/02/25 12:07:28 [086] 200 https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v1.9.1
proxy | 2022/02/25 12:07:29 [088] GET https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v2
proxy | 2022/02/25 12:07:29 [088] * authenticating github api request
proxy | 2022/02/25 12:07:29 [088] 200 https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v2
proxy | 2022/02/25 12:07:29 [090] GET https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v1.9.1
proxy | 2022/02/25 12:07:29 [090] * authenticating github api request
proxy | 2022/02/25 12:07:29 [090] 200 https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v1.9.1
proxy | 2022/02/25 12:07:29 [092] GET https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v2
proxy | 2022/02/25 12:07:29 [092] * authenticating github api request
proxy | 2022/02/25 12:07:29 [092] 200 https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v2
updater | INFO <job_299996410> Submitting actions/setup-dotnet pull request for creation
updater | INFO <job_299996410> Finished job processing
updater | INFO Results:
updater | +---------+------------------------------------------+
updater | | Changes to Dependabot Pull Requests |
updater | +---------+------------------------------------------+
updater | | created | actions/setup-node ( from 2.5.1 to 3 ) |
updater | | created | actions/setup-dotnet ( from 1.9.1 to 2 ) |
updater | +---------+------------------------------------------+
updater | time="2022-02-25T12:07:30Z" level=info msg="task complete" container_id=job-299996410-updater exit_code=0 job_id=299996410 step=updater
updater | INFO <job_299864396> Checking if actions/setup-node 2.5.1 needs updating
proxy | 2022/02/25 06:06:13 [018] GET https://github.com:443/actions/setup-node.git/info/refs?service=git-upload-pack
proxy | 2022/02/25 06:06:13 [018] * authenticating git server request (host: github.com)
proxy | 2022/02/25 06:06:13 [018] 200 https://github.com:443/actions/setup-node.git/info/refs?service=git-upload-pack
updater | INFO <job_299864396> Latest version is 3.0.0
updater | INFO <job_299864396> Requirements to unlock own
updater | INFO <job_299864396> Requirements update strategy
updater | INFO <job_299864396> Updating actions/setup-node from 2.5.1 to 3.0.0
proxy | 2022/02/25 06:06:13 [020] GET https://api.github.com:443/repos/xt0rted/markdownlint-problem-matcher/commits?per_page=100
proxy | 2022/02/25 06:06:13 [020] * authenticating github api request
proxy | 2022/02/25 06:06:14 [020] 200 https://api.github.com:443/repos/xt0rted/markdownlint-problem-matcher/commits?per_page=100
proxy | 2022/02/25 06:06:14 [022] GET https://api.github.com:443/repos/actions/setup-node/releases?per_page=100
proxy | 2022/02/25 06:06:14 [022] * authenticating github api request
proxy | 2022/02/25 06:06:14 [022] 200 https://api.github.com:443/repos/actions/setup-node/releases?per_page=100
proxy | 2022/02/25 06:06:14 [024] GET https://api.github.com:443/repos/actions/setup-node/contents/
proxy | 2022/02/25 06:06:14 [024] * authenticating github api request
proxy | 2022/02/25 06:06:15 [024] 200 https://api.github.com:443/repos/actions/setup-node/contents/
proxy | 2022/02/25 06:06:15 [026] GET https://api.github.com:443/repos/actions/setup-node/contents/docs
proxy | 2022/02/25 06:06:15 [026] * authenticating github api request
proxy | 2022/02/25 06:06:15 [026] 200 https://api.github.com:443/repos/actions/setup-node/contents/docs
proxy | 2022/02/25 06:06:15 [028] GET https://api.github.com:443/repos/actions/setup-node/contents/?ref=v3.0.0
proxy | 2022/02/25 06:06:15 [028] * authenticating github api request
proxy | 2022/02/25 06:06:15 [028] 200 https://api.github.com:443/repos/actions/setup-node/contents/?ref=v3.0.0
proxy | 2022/02/25 06:06:15 [030] GET https://api.github.com:443/repos/actions/setup-node/contents/docs?ref=v3.0.0
proxy | 2022/02/25 06:06:15 [030] * authenticating github api request
proxy | 2022/02/25 06:06:15 [030] 200 https://api.github.com:443/repos/actions/setup-node/contents/docs?ref=v3.0.0
proxy | 2022/02/25 06:06:15 [032] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
proxy | 2022/02/25 06:06:15 [032] * authenticating github api request
proxy | 2022/02/25 06:06:15 [032] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
proxy | 2022/02/25 06:06:15 [034] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v3.0.0
proxy | 2022/02/25 06:06:15 [034] * authenticating github api request
proxy | 2022/02/25 06:06:15 [034] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v3.0.0
proxy | 2022/02/25 06:06:15 [036] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
proxy | 2022/02/25 06:06:15 [036] * authenticating github api request
proxy | 2022/02/25 06:06:15 [036] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
proxy | 2022/02/25 06:06:15 [038] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v3.0.0
proxy | 2022/02/25 06:06:15 [038] * authenticating github api request
proxy | 2022/02/25 06:06:15 [038] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v3.0.0
proxy | 2022/02/25 06:06:15 [040] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
proxy | 2022/02/25 06:06:15 [040] * authenticating github api request
proxy | 2022/02/25 06:06:16 [040] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
proxy | 2022/02/25 06:06:16 [042] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v3.0.0
proxy | 2022/02/25 06:06:16 [042] * authenticating github api request
proxy | 2022/02/25 06:06:16 [042] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v3.0.0
updater | INFO <job_299864396> Submitting actions/setup-node pull request for creation
...
updater | INFO Results:
updater | +---------+--------------------------------------------+
updater | | Changes to Dependabot Pull Requests |
updater | +---------+--------------------------------------------+
updater | | created | actions/setup-node ( from 2.5.1 to 3.0.0 ) |
updater | +---------+--------------------------------------------+
updater | time="2022-02-25T06:06:17Z" level=info msg="task complete" container_id=job-299864396-updater exit_code=0 job_id=299864396 step=updater
I was wondering if this may have been caused by actions/setup-dotnet being tagged incorrectly, but I received another flawed PR this morning from 1.9.1 to 2 and the tags look fine:
My suspicion is that, since a tag like v3 is probably more recent than v3.0.0 (example: actions/checkout v3 created 2022-03-01 12:49 GMT-5, v3.0.0 created 2022-03-01 12:46 GMT-5), dependabot uses v3 instead of v3.0.0 because it's more recent.
Added to a discussion at github/feedback#12303
Just had a PR that updated from v2.4.0 to v3 as well as v3.0.0 to v3. Having to manually update 120+ PRs so far has been extremely tiring.
I just had a couple of these for a version of a GitHub action going from full v3.14.0 to just v4 rather than v4.0.0. But in a PR for a Maven dependency in another repo it did the right thing from a version 1.2.0 to 2.0.0.
Was this fixed in https://github.com/dependabot/dependabot-core/pull/4953?
Today I got a PR going from v2.1.0 to v3.0.0 (there's a v3 tag for the action) so this worked as expected in this scenario. https://github.com/xt0rted/slash-command-action/pull/505
Looks like I have a couple PRs in private repos that are also working as expected now:
I also had all my PRs today using the correct level of precision.
Yes, this should have been resolved by @mctofu in https://github.com/dependabot/dependabot-core/pull/4953, so I'm going to close it out for now. Please let us know if you run into things.
Just wanted to add that if you are currently pinning to a patch version of an action you might also consider pinning to the full sha instead. You'll still get a Dependabot PR for each patch version bump (updating to the latest release sha) and have better immutability guarantees (https://docs.github.com/en/github-ae@latest/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions). I don't think that sha updates were affected by this bug.
@mctofu oh, thank you, that is good to know! Initially, I used shas everywhere, but I switched to using patch versions because I found it too cumbersome to work with the shas manually. But if dependabot takes care of shas for me, I'll probably switch back.
Package ecosystem
GitHub Actions

Package manager version
n/a

Language version
n/a

Manifest location and content prior to update
https://github.com/adamralph/bullseye/blob/bbf7aef61a19ab8a78af7d11f36aabc4d5d0acf4/.github/workflows/ci.yml#L28

dependabot.yml content
https://github.com/adamralph/bullseye/blob/bbf7aef61a19ab8a78af7d11f36aabc4d5d0acf4/.github/dependabot.yml

Updated dependency
actions/setup-dotnet, from 1.9.1 to 2

What you expected to see, versus what you actually saw
I expected to see the dependency update from 1.9.1 to 2.0.0. The convention with GitHub Actions is to continually move tags like 1 and 2 to match the latest patch version, e.g. 1.9.1, 2.3.4 etc. I am deliberately not using tags like 1 and 2. I am using the full patch version, e.g. 1.9.1 for better build reproducibility. If the current version is a full version, e.g. 1.9.1 then dependabot should not update that version to 2. It should update it to 2.0.0.

Native package manager behavior
n/a

Images of the diff or a link to the PR, issue or logs

🕹 Bonus points: Smallest manifest that reproduces the issue
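The behaviour requested in this report can be sketched as follows. This is an added example, not Dependabot's implementation and not the change made in dependabot-core#4953. `naive_pick` is a hypothetical selector that compares tags by numeric value only, so `v3` and `v3.0.0` tie and the result depends on listing order; `pick_update` only considers tags written at the same precision as the current pin. The tag lists are constructed.

```python
import re

TAG_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse(tag):
    """Return ((major, minor, patch), precision) or None for non-version refs."""
    match = TAG_RE.match(tag)
    if not match:
        return None
    parts = [int(p) for p in match.groups() if p is not None]
    # Pad for comparison, but remember how many components were written.
    return tuple(parts + [0] * (3 - len(parts))), len(parts)


def naive_pick(tags):
    """Hypothetical selector: highest numeric version, first one listed wins a tie."""
    versioned = [t for t in tags if parse(t)]
    return max(versioned, key=lambda t: parse(t)[0])


def pick_update(current, tags):
    """Newest tag written at the same precision as `current`, else None."""
    cur = parse(current)
    if cur is None:
        return None  # SHA or branch pin: out of scope for this sketch
    cur_version, cur_precision = cur
    pool = []
    for tag in tags:
        parsed = parse(tag)
        if parsed and parsed[1] == cur_precision and parsed[0] > cur_version:
            pool.append((parsed[0], tag))
    return max(pool)[1] if pool else None


if __name__ == "__main__":
    tags = ["v1.9.1", "v2", "v2.0.0"]  # constructed tag list
    print(naive_pick(tags), naive_pick(list(reversed(tags))))
    print(pick_update("1.9.1", tags), pick_update("v1", ["v1", "v1.9.1"] + tags))
```

Returning `None` when no tag of matching precision exists is a deliberate choice in this sketch: the pin is left alone rather than silently changing from a patch version to a moving major tag.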