dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

GitHub Actions - full patch versions are bumped to minimal new major versions #4768

Closed adamralph closed 2 years ago

adamralph commented 2 years ago

Package ecosystem: GitHub Actions

Package manager version: n/a

Language version: n/a

Manifest location and content prior to update: https://github.com/adamralph/bullseye/blob/bbf7aef61a19ab8a78af7d11f36aabc4d5d0acf4/.github/workflows/ci.yml#L28

dependabot.yml content: https://github.com/adamralph/bullseye/blob/bbf7aef61a19ab8a78af7d11f36aabc4d5d0acf4/.github/dependabot.yml

Updated dependency: actions/setup-dotnet, from 1.9.1 to 2

What you expected to see, versus what you actually saw:

I expected to see the dependency update from 1.9.1 to 2.0.0. The convention with GitHub Actions is to continually move tags like 1 and 2 to match the latest patch version, e.g. 1.9.1, 2.3.4 etc. I am deliberately not using tags like 1 and 2. I am using the full patch version, e.g. 1.9.1, for better build reproducibility. If the current version is a full version, e.g. 1.9.1, then dependabot should not update that version to 2. It should update it to 2.0.0.

Native package manager behavior: n/a

Images of the diff or a link to the PR, issue or logs: image

🕹 Bonus points: Smallest manifest that reproduces the issue

xt0rted commented 2 years ago

This looks like an inconsistent regression. My actions/setup-dotnet PRs all came in going from v1.9.1 to v2, while my actions/setup-node PRs came in for v2.5.1 to v3.0.0 and v2.5.1 to v3.

adamralph commented 2 years ago

Yes, actually another PR in another one of my repos was raised correctly. It bumped actions/setup-dotnet from v1.9.1 to v2.0.0.

xt0rted commented 2 years ago

Just had a bunch more of these types of PRs opened. Wish there was a way to force dependabot to recreate them using the full version number.

Here are the relevant logs for the above PRs in case they help at all.

updater | INFO <job_299996410> Checking if actions/setup-node 2.5.1 needs updating
  proxy | 2022/02/25 12:07:24 [030] GET https://github.com:443/actions/setup-node.git/info/refs?service=git-upload-pack
  proxy | 2022/02/25 12:07:24 [030] * authenticating git server request (host: github.com)
  proxy | 2022/02/25 12:07:24 [030] 200 https://github.com:443/actions/setup-node.git/info/refs?service=git-upload-pack
updater | INFO <job_299996410> Latest version is 3
updater | INFO <job_299996410> Requirements to unlock own
updater | INFO <job_299996410> Requirements update strategy 
updater | INFO <job_299996410> Updating actions/setup-node from 2.5.1 to 3
  proxy | 2022/02/25 12:07:24 [032] GET https://api.github.com:443/repos/xt0rted/tailwindcss-tag-helpers/commits?per_page=100
  proxy | 2022/02/25 12:07:24 [032] * authenticating github api request
  proxy | 2022/02/25 12:07:24 [032] 200 https://api.github.com:443/repos/xt0rted/tailwindcss-tag-helpers/commits?per_page=100
  proxy | 2022/02/25 12:07:24 [034] GET https://api.github.com:443/repos/actions/setup-node/releases?per_page=100
  proxy | 2022/02/25 12:07:24 [034] * authenticating github api request
  proxy | 2022/02/25 12:07:25 [034] 200 https://api.github.com:443/repos/actions/setup-node/releases?per_page=100
  proxy | 2022/02/25 12:07:25 [036] GET https://api.github.com:443/repos/actions/setup-node/contents/
  proxy | 2022/02/25 12:07:25 [036] * authenticating github api request
  proxy | 2022/02/25 12:07:25 [036] 200 https://api.github.com:443/repos/actions/setup-node/contents/
  proxy | 2022/02/25 12:07:25 [038] GET https://api.github.com:443/repos/actions/setup-node/contents/docs
  proxy | 2022/02/25 12:07:25 [038] * authenticating github api request
  proxy | 2022/02/25 12:07:25 [038] 200 https://api.github.com:443/repos/actions/setup-node/contents/docs
  proxy | 2022/02/25 12:07:25 [040] GET https://api.github.com:443/repos/actions/setup-node/contents/?ref=v3
  proxy | 2022/02/25 12:07:25 [040] * authenticating github api request
  proxy | 2022/02/25 12:07:25 [040] 200 https://api.github.com:443/repos/actions/setup-node/contents/?ref=v3
  proxy | 2022/02/25 12:07:25 [042] GET https://api.github.com:443/repos/actions/setup-node/contents/docs?ref=v3
  proxy | 2022/02/25 12:07:25 [042] * authenticating github api request
  proxy | 2022/02/25 12:07:25 [042] 200 https://api.github.com:443/repos/actions/setup-node/contents/docs?ref=v3
  proxy | 2022/02/25 12:07:25 [044] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
  proxy | 2022/02/25 12:07:25 [044] * authenticating github api request
  proxy | 2022/02/25 12:07:25 [044] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
  proxy | 2022/02/25 12:07:25 [046] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v3
  proxy | 2022/02/25 12:07:25 [046] * authenticating github api request
  proxy | 2022/02/25 12:07:25 [046] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v3
  proxy | 2022/02/25 12:07:25 [048] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
  proxy | 2022/02/25 12:07:25 [048] * authenticating github api request
  proxy | 2022/02/25 12:07:26 [048] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
  proxy | 2022/02/25 12:07:26 [050] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v3
  proxy | 2022/02/25 12:07:26 [050] * authenticating github api request
  proxy | 2022/02/25 12:07:26 [050] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v3
  proxy | 2022/02/25 12:07:26 [052] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
  proxy | 2022/02/25 12:07:26 [052] * authenticating github api request
  proxy | 2022/02/25 12:07:26 [052] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
  proxy | 2022/02/25 12:07:26 [054] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v3
  proxy | 2022/02/25 12:07:26 [054] * authenticating github api request
  proxy | 2022/02/25 12:07:26 [054] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v3
updater | INFO <job_299996410> Submitting actions/setup-node pull request for creation

...

updater | INFO <job_299996410> Checking if actions/setup-dotnet 1.9.1 needs updating
  proxy | 2022/02/25 12:07:27 [068] GET https://github.com:443/actions/setup-dotnet.git/info/refs?service=git-upload-pack
  proxy | 2022/02/25 12:07:27 [068] * authenticating git server request (host: github.com)
  proxy | 2022/02/25 12:07:27 [068] 200 https://github.com:443/actions/setup-dotnet.git/info/refs?service=git-upload-pack
updater | INFO <job_299996410> Latest version is 2
updater | INFO <job_299996410> Requirements to unlock own
updater | INFO <job_299996410> Requirements update strategy 
updater | INFO <job_299996410> Updating actions/setup-dotnet from 1.9.1 to 2
  proxy | 2022/02/25 12:07:27 [070] GET https://api.github.com:443/repos/xt0rted/tailwindcss-tag-helpers/commits?per_page=100
  proxy | 2022/02/25 12:07:27 [070] * authenticating github api request
  proxy | 2022/02/25 12:07:27 [070] 200 https://api.github.com:443/repos/xt0rted/tailwindcss-tag-helpers/commits?per_page=100
  proxy | 2022/02/25 12:07:28 [072] GET https://api.github.com:443/repos/actions/setup-dotnet/releases?per_page=100
  proxy | 2022/02/25 12:07:28 [072] * authenticating github api request
  proxy | 2022/02/25 12:07:28 [072] 200 https://api.github.com:443/repos/actions/setup-dotnet/releases?per_page=100
  proxy | 2022/02/25 12:07:28 [074] GET https://api.github.com:443/repos/actions/setup-dotnet/contents/
  proxy | 2022/02/25 12:07:28 [074] * authenticating github api request
  proxy | 2022/02/25 12:07:28 [074] 200 https://api.github.com:443/repos/actions/setup-dotnet/contents/
  proxy | 2022/02/25 12:07:28 [076] GET https://api.github.com:443/repos/actions/setup-dotnet/contents/docs
  proxy | 2022/02/25 12:07:28 [076] * authenticating github api request
  proxy | 2022/02/25 12:07:28 [076] 200 https://api.github.com:443/repos/actions/setup-dotnet/contents/docs
  proxy | 2022/02/25 12:07:28 [078] GET https://api.github.com:443/repos/actions/setup-dotnet/contents/?ref=v2
  proxy | 2022/02/25 12:07:28 [078] * authenticating github api request
  proxy | 2022/02/25 12:07:28 [078] 200 https://api.github.com:443/repos/actions/setup-dotnet/contents/?ref=v2
  proxy | 2022/02/25 12:07:28 [080] GET https://api.github.com:443/repos/actions/setup-dotnet/contents/docs?ref=v2
  proxy | 2022/02/25 12:07:28 [080] * authenticating github api request
  proxy | 2022/02/25 12:07:28 [080] 200 https://api.github.com:443/repos/actions/setup-dotnet/contents/docs?ref=v2
  proxy | 2022/02/25 12:07:28 [082] GET https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v1.9.1
  proxy | 2022/02/25 12:07:28 [082] * authenticating github api request
  proxy | 2022/02/25 12:07:28 [082] 200 https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v1.9.1
  proxy | 2022/02/25 12:07:28 [084] GET https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v2
  proxy | 2022/02/25 12:07:28 [084] * authenticating github api request
  proxy | 2022/02/25 12:07:28 [084] 200 https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v2
  proxy | 2022/02/25 12:07:28 [086] GET https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v1.9.1
  proxy | 2022/02/25 12:07:28 [086] * authenticating github api request
  proxy | 2022/02/25 12:07:28 [086] 200 https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v1.9.1
  proxy | 2022/02/25 12:07:29 [088] GET https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v2
  proxy | 2022/02/25 12:07:29 [088] * authenticating github api request
  proxy | 2022/02/25 12:07:29 [088] 200 https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v2
  proxy | 2022/02/25 12:07:29 [090] GET https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v1.9.1
  proxy | 2022/02/25 12:07:29 [090] * authenticating github api request
  proxy | 2022/02/25 12:07:29 [090] 200 https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v1.9.1
  proxy | 2022/02/25 12:07:29 [092] GET https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v2
  proxy | 2022/02/25 12:07:29 [092] * authenticating github api request
  proxy | 2022/02/25 12:07:29 [092] 200 https://api.github.com:443/repos/actions/setup-dotnet/commits?sha=v2
updater | INFO <job_299996410> Submitting actions/setup-dotnet pull request for creation
updater | INFO <job_299996410> Finished job processing
updater | INFO Results:
updater | +---------+------------------------------------------+
updater | |        Changes to Dependabot Pull Requests         |
updater | +---------+------------------------------------------+
updater | | created | actions/setup-node ( from 2.5.1 to 3 )   |
updater | | created | actions/setup-dotnet ( from 1.9.1 to 2 ) |
updater | +---------+------------------------------------------+
updater | time="2022-02-25T12:07:30Z" level=info msg="task complete" container_id=job-299996410-updater exit_code=0 job_id=299996410 step=updater
updater | INFO <job_299864396> Checking if actions/setup-node 2.5.1 needs updating
  proxy | 2022/02/25 06:06:13 [018] GET https://github.com:443/actions/setup-node.git/info/refs?service=git-upload-pack
  proxy | 2022/02/25 06:06:13 [018] * authenticating git server request (host: github.com)
  proxy | 2022/02/25 06:06:13 [018] 200 https://github.com:443/actions/setup-node.git/info/refs?service=git-upload-pack
updater | INFO <job_299864396> Latest version is 3.0.0
updater | INFO <job_299864396> Requirements to unlock own
updater | INFO <job_299864396> Requirements update strategy 
updater | INFO <job_299864396> Updating actions/setup-node from 2.5.1 to 3.0.0
  proxy | 2022/02/25 06:06:13 [020] GET https://api.github.com:443/repos/xt0rted/markdownlint-problem-matcher/commits?per_page=100
  proxy | 2022/02/25 06:06:13 [020] * authenticating github api request
  proxy | 2022/02/25 06:06:14 [020] 200 https://api.github.com:443/repos/xt0rted/markdownlint-problem-matcher/commits?per_page=100
  proxy | 2022/02/25 06:06:14 [022] GET https://api.github.com:443/repos/actions/setup-node/releases?per_page=100
  proxy | 2022/02/25 06:06:14 [022] * authenticating github api request
  proxy | 2022/02/25 06:06:14 [022] 200 https://api.github.com:443/repos/actions/setup-node/releases?per_page=100
  proxy | 2022/02/25 06:06:14 [024] GET https://api.github.com:443/repos/actions/setup-node/contents/
  proxy | 2022/02/25 06:06:14 [024] * authenticating github api request
  proxy | 2022/02/25 06:06:15 [024] 200 https://api.github.com:443/repos/actions/setup-node/contents/
  proxy | 2022/02/25 06:06:15 [026] GET https://api.github.com:443/repos/actions/setup-node/contents/docs
  proxy | 2022/02/25 06:06:15 [026] * authenticating github api request
  proxy | 2022/02/25 06:06:15 [026] 200 https://api.github.com:443/repos/actions/setup-node/contents/docs
  proxy | 2022/02/25 06:06:15 [028] GET https://api.github.com:443/repos/actions/setup-node/contents/?ref=v3.0.0
  proxy | 2022/02/25 06:06:15 [028] * authenticating github api request
  proxy | 2022/02/25 06:06:15 [028] 200 https://api.github.com:443/repos/actions/setup-node/contents/?ref=v3.0.0
  proxy | 2022/02/25 06:06:15 [030] GET https://api.github.com:443/repos/actions/setup-node/contents/docs?ref=v3.0.0
  proxy | 2022/02/25 06:06:15 [030] * authenticating github api request
  proxy | 2022/02/25 06:06:15 [030] 200 https://api.github.com:443/repos/actions/setup-node/contents/docs?ref=v3.0.0
  proxy | 2022/02/25 06:06:15 [032] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
  proxy | 2022/02/25 06:06:15 [032] * authenticating github api request
  proxy | 2022/02/25 06:06:15 [032] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
  proxy | 2022/02/25 06:06:15 [034] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v3.0.0
  proxy | 2022/02/25 06:06:15 [034] * authenticating github api request
  proxy | 2022/02/25 06:06:15 [034] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v3.0.0
  proxy | 2022/02/25 06:06:15 [036] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
  proxy | 2022/02/25 06:06:15 [036] * authenticating github api request
  proxy | 2022/02/25 06:06:15 [036] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
  proxy | 2022/02/25 06:06:15 [038] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v3.0.0
  proxy | 2022/02/25 06:06:15 [038] * authenticating github api request
  proxy | 2022/02/25 06:06:15 [038] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v3.0.0
  proxy | 2022/02/25 06:06:15 [040] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
  proxy | 2022/02/25 06:06:15 [040] * authenticating github api request
  proxy | 2022/02/25 06:06:16 [040] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v2.5.1
  proxy | 2022/02/25 06:06:16 [042] GET https://api.github.com:443/repos/actions/setup-node/commits?sha=v3.0.0
  proxy | 2022/02/25 06:06:16 [042] * authenticating github api request
  proxy | 2022/02/25 06:06:16 [042] 200 https://api.github.com:443/repos/actions/setup-node/commits?sha=v3.0.0
updater | INFO <job_299864396> Submitting actions/setup-node pull request for creation

...

updater | INFO Results:
updater | +---------+--------------------------------------------+
updater | |         Changes to Dependabot Pull Requests          |
updater | +---------+--------------------------------------------+
updater | | created | actions/setup-node ( from 2.5.1 to 3.0.0 ) |
updater | +---------+--------------------------------------------+
updater | time="2022-02-25T06:06:17Z" level=info msg="task complete" container_id=job-299864396-updater exit_code=0 job_id=299864396 step=updater

adamralph commented 2 years ago

I was wondering if this may have been caused by actions/setup-dotnet being tagged incorrectly, but I received another flawed PR this morning from 1.9.1 to 2 and the tags look fine:

image

bewuethr commented 2 years ago

My suspicion is that, since a tag like v3 is probably more recent than v3.0.0 (example: actions/checkout v3 created 2022-03-01 12:49 GMT-5, v3.0.0 created 2022-03-01 12:46 GMT-5), dependabot uses v3 instead of v3.0.0 because it's more recent.
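
The precision-preserving selection the opening report expects (a workflow pinned to 1.9.1 is bumped to 2.0.0, not to the floating tag 2), set against the recency-based choice suspected above, as an added Ruby example. This is not dependabot-core's code; the tag names, timestamps and helper names (parse_version, precision, select_update, newest_tag) are constructed for illustration.

```ruby
# Added example, not dependabot-core's code: choose the update candidate
# whose tag precision matches the ref currently pinned in the workflow,
# instead of the most recently updated tag.
Tag = Struct.new(:name, :updated_at)

# Split "v2.3.4" / "2.3" / "2" into [major, minor, patch]; nil where absent.
# Returns nil for refs that are not version tags (branches, SHAs).
def parse_version(ref)
  m = ref.match(/\Av?(\d+)(?:\.(\d+))?(?:\.(\d+))?\z/)
  return nil unless m
  m.captures.map { |c| c && c.to_i }
end

# Number of numeric segments: 1 for "2", 2 for "2.3", 3 for "2.3.4".
def precision(ref)
  parts = parse_version(ref)
  parts && parts.compact.length
end

# Comparable key with missing segments treated as 0.
def version_key(ref)
  parse_version(ref).map { |p| p || 0 }
end

# Highest version among tags that share the current ref's precision and
# are newer than it. Tag timestamps are deliberately ignored here.
def select_update(current, tags)
  want = precision(current)
  return nil unless want
  candidates = tags.select do |t|
    precision(t.name) == want && (version_key(t.name) <=> version_key(current)) > 0
  end
  best = candidates.max_by { |t| version_key(t.name) }
  best && best.name
end

# The recency-based choice: the tag that was moved or created last.
# Floating major tags are re-pointed at every release, so they usually win.
def newest_tag(tags)
  tags.max_by(&:updated_at).name
end

# Constructed sample tags (timestamps mirror the ordering described in the
# thread: the floating major tag is a few minutes newer than the patch tag).
SAMPLE_TAGS = [
  Tag.new("v1",     Time.utc(2021, 6, 1, 10, 0)),
  Tag.new("v1.9.1", Time.utc(2021, 6, 1, 9, 58)),
  Tag.new("v2",     Time.utc(2022, 3, 1, 17, 49)),
  Tag.new("v2.0.0", Time.utc(2022, 3, 1, 17, 46)),
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "pinned v1.9.1 -> #{select_update('v1.9.1', SAMPLE_TAGS)}"   # v2.0.0
  puts "pinned v1     -> #{select_update('v1', SAMPLE_TAGS)}"       # v2
  puts "newest tag    -> #{newest_tag(SAMPLE_TAGS)}"                # v2
end
```

Running the file shows the two policies diverging on the same tag list: the precision-matching selection keeps a patch pin on a patch tag, while the newest tag is the floating major, which is exactly the PR shape the thread reports.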

bewuethr commented 2 years ago

Added to a discussion at github/feedback#12303

xt0rted commented 2 years ago

Just had a PR that updated from v2.4.0 to v3 as well as v3.0.0 to v3. Having to manually update 120+ PRs so far has been extremely tiring.

https://github.com/xt0rted/tailwindcss-tag-helpers/pull/106/commits/f9cfabb140d9535f39fb559776de939aa230dbc4#diff-63bd641104d10e25f141d518a16b22a151d125e12701df2f9e79734b23b90188

cicirello commented 2 years ago

I just had a couple of these for versions of a GitHub action going from full v3.14.0 to just v4 rather than v4.0.0. But in a PR for a maven dependency in another repo it did the right thing from a version 1.2.0 to 2.0.0.

adamralph commented 2 years ago

Was this fixed in https://github.com/dependabot/dependabot-core/pull/4953?

xt0rted commented 2 years ago

Today I got a PR going from v2.1.0 to v3.0.0 (there's a v3 tag for the action) so this worked as expected in this scenario. https://github.com/xt0rted/slash-command-action/pull/505

Looks like I have a couple PRs in private repos that are also working as expected now:

bewuethr commented 2 years ago

I also had all my PRs today using the correct level of precision.

jurre commented 2 years ago

Yes, this should have been resolved by @mctofu in https://github.com/dependabot/dependabot-core/pull/4953, so I'm going to close it out for now; please let us know if you run into things.

mctofu commented 2 years ago

Just wanted to add that if you are currently pinning to a patch version of an action you might also consider pinning to the full sha instead. You'll still get a Dependabot PR for each patch version bump (updating to the latest release sha) and have better immutability guarantees (https://docs.github.com/en/github-ae@latest/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions). I don't think that sha updates were affected by this bug.
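
A small audit of the pin style used by each `uses:` entry in a workflow, as an added Ruby example that is not dependabot-core's code. It classifies each ref as a full commit SHA, a full patch tag, a floating major/minor tag, or a branch, so a repository can check that the SHA pinning recommended above is in place. The workflow text, the SHA (an obvious placeholder) and the helper names (classify_ref, audit_pins, not_sha_pinned) are constructed for illustration.

```ruby
require "yaml"

# Added example, not dependabot-core's code: report how each third-party
# action in a workflow is pinned.

# Constructed sample workflow; the SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = <<~YAML
  name: ci
  on: [push]
  jobs:
    build:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v3.0.0 (placeholder sha)
        - uses: actions/setup-dotnet@v1.9.1
        - uses: actions/setup-node@v3
        - uses: some-org/some-action@main
        - run: dotnet test
YAML

# Pin style of the part after "@".
def classify_ref(ref)
  case ref
  when /\A[0-9a-f]{40}\z/      then :sha            # immutable commit
  when /\Av?\d+\.\d+\.\d+\z/   then :patch_tag      # e.g. v1.9.1 (mutable, but rarely moved)
  when /\Av?\d+(?:\.\d+)?\z/   then :floating_tag   # e.g. v3 (re-pointed at each release)
  else                              :branch_or_other
  end
end

# Walk every job's steps and classify each remote action reference.
# Local (./) and docker:// references carry no git ref and are skipped.
def audit_pins(yaml_text)
  doc = YAML.safe_load(yaml_text)
  results = []
  doc.fetch("jobs").each_value do |job|
    Array(job["steps"]).each do |step|
      uses = step["uses"]
      next unless uses && uses.include?("@")
      next if uses.start_with?("./", "docker://")
      action, ref = uses.split("@", 2)
      results << { action: action, ref: ref, kind: classify_ref(ref) }
    end
  end
  results
end

# The entries a reviewer would flag when the policy is "pin to a full sha".
def not_sha_pinned(yaml_text)
  audit_pins(yaml_text)
    .reject { |r| r[:kind] == :sha }
    .map { |r| "#{r[:action]}@#{r[:ref]}" }
end

if __FILE__ == $PROGRAM_NAME
  audit_pins(SAMPLE_WORKFLOW).each do |r|
    puts format("%-16s %s@%s", r[:kind], r[:action], r[:ref])
  end
end
```

Only the SHA-pinned entry passes; the patch tag, the floating major tag and the branch are all listed by not_sha_pinned, which is the set Dependabot would keep at the chosen precision but which can still be moved by the upstream repository.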

adamralph commented 2 years ago

@mctofu oh, thank you, that is good to know! Initially, I used shas everywhere, but I switched to using patch versions because I found it too cumbersome to work with the shas manually. But if dependabot takes care of shas for me, I'll probably switch back.