dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Don't respond with `I won't notify you again about this release` when resolved by another PR #6161

Open jsoref opened 2 years ago

jsoref commented 2 years ago

Is there an existing issue for this?

Package ecosystem

github-actions

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

.github/workflows/x.yml:

on:
  push:
jobs:
  x:
    steps:
      - uses: 'google-github-actions/auth@v0'
        with:
          credentials_json: '${{ secrets.GCR_JSON_KEY }}'

dependabot.yml content

version: 2
updates:
- package-ecosystem: github-actions
  directory: "/"

Updated dependency

-        uses: 'google-github-actions/auth@v0'
+        uses: 'google-github-actions/auth@v1'
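Review bot: the updated `uses:` line still references the mutable major tag `v1`; a tag can be moved after the fact, and this step is handed cloud credentials via `credentials_json` in the manifest above, so consider pinning to the full commit SHA with the version in a trailing comment (e.g. `uses: 'google-github-actions/auth@<sha> # v1'`), which Dependabot continues to track for updates.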

What you expected to see, versus what you actually saw

Another user created a PR which subsumed this PR.

It included the same change. Their PR included a closes #... notation.

When they created the PR, a "user mentioned this pull request ..." entry was added.

When they merged the PR, a "user closed this in pr..." entry was added.

Dependabot responded by saying:

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

It should have checked whether the goal it was trying to achieve was still relevant. If the dependency was either updated to match (or surpass) its goal, or was removed entirely, it should have provided some other message acknowledging that its services were no longer needed, but not one suggesting that it be told to ignore things for this.

Native package manager behavior

A human would not say "oh, you could tell me not to pay attention to this anymore"; that is what the `closes` and "closed in merged PR" notations tell humans.

Images of the diff or a link to the PR, issue, or logs


Smallest manifest that reproduces the issue

No response

deivid-rodriguez commented 2 years ago

Agreed, we should detect if possible whether the close event that triggered this comment was generated by a "Fixes #" comment in another PR, and skip this comment in that case.

rdb commented 1 month ago

Also affected by this. It gives this comment when I merge a dependabot PR with a non-fast-forward merge if I'm not using the merge button on GitHub. It's quite annoying and noisy. https://github.com/panda3d/panda3d/pull/1697

Dependabot could just load the new version and check if the version updates were applied, right?
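The check suggested in both comments above (skip the "won't notify you again" comment when the goal is already met), written as an added example in Ruby that is not dependabot-core's own code: it re-reads the workflow manifest from the issue and classifies the update goal as satisfied, pending, removed, or SHA-pinned. The function names and the constructed post-merge workflow are assumptions.

```ruby
# Added example (not dependabot-core code): decide whether an update goal for a
# GitHub Actions dependency is already satisfied by the current workflow file.
require "yaml"

# Returns every "uses:" reference found in the workflow's job steps.
def uses_refs(workflow_yaml)
  doc = YAML.safe_load(workflow_yaml) || {}
  (doc["jobs"] || {}).values.flat_map do |job|
    (job["steps"] || []).map { |step| step["uses"] }.compact
  end
end

# Splits "owner/repo@ref" into [name, ref]; nil when there is no "@".
def split_ref(uses)
  name, ref = uses.split("@", 2)
  ref ? [name, ref] : nil
end

# Parses "v1", "v1.2" or "1.2.3" into integers for comparison; nil otherwise.
def version_key(ref)
  m = ref.match(/\A[vV]?(\d+(?:\.\d+)*)\z/)
  m && m[1].split(".").map(&:to_i)
end

# Compares dotted versions, treating missing components as 0 (v1 == v1.0).
def version_cmp(a, b)
  width = [a.size, b.size].max
  (a + [0] * (width - a.size)) <=> (b + [0] * (width - b.size))
end

# :satisfied when every usage is at or above target_ref, :removed when the
# dependency is no longer referenced, :sha_pinned when a usage is a commit SHA
# (not comparable by version), :pending otherwise.
def update_goal_state(workflow_yaml, dep_name, target_ref)
  refs = uses_refs(workflow_yaml).map { |u| split_ref(u) }.compact
  refs = refs.select { |name, _| name == dep_name }
  return :removed if refs.empty?
  target = version_key(target_ref)
  states = refs.map do |_, ref|
    next :sha_pinned if ref.match?(/\A\h{40}\z/)
    cur = version_key(ref)
    cur && target && version_cmp(cur, target) >= 0 ? :satisfied : :pending
  end
  return :satisfied if states.all?(:satisfied)
  states.include?(:sha_pinned) ? :sha_pinned : :pending
end

# Constructed sample: the issue's workflow after the other PR bumped auth to v1.
MERGED_WORKFLOW = <<~'YAML'
  on:
    push:
  jobs:
    x:
      steps:
        - uses: 'google-github-actions/auth@v1'
          with:
            credentials_json: '${{ secrets.GCR_JSON_KEY }}'
YAML
```

With the sample above, `update_goal_state(MERGED_WORKFLOW, "google-github-actions/auth", "v1")` returns `:satisfied`, the case where the ignore-this-release comment should be skipped.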