dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

bot does not bump all occurrences in GH actions #8647

Open Borda opened 9 months ago

Borda commented 9 months ago

Is there an existing issue for this?

Package ecosystem

github actions

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

.github/dependabot.yaml

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

Found while bumping artifact actions and reporting in https://github.com/actions/upload-artifact/issues/480 that, in fact, the problem is that Dependabot did not bump all occurrences (in particular composite actions) of a specific action, as you can see in https://github.com/Lightning-AI/utilities/pull/209: I had to bump download-artifact manually because it was missed in https://github.com/Lightning-AI/utilities/pull/208.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

carlincherry commented 4 months ago

Hi! Can you try using multi-directory support and grouping rules? That should work to update composite actions. cc @abdulapopoola

jokarl commented 3 months ago

Hi! Can you try using multi-directory support and grouping rules? That should work to update composite actions. cc @abdulapopoola

This solved my issue, but it is a lot of work getting this to work. We have many composite actions in a single repository, and we are forced to enumerate all of them in the directories array because wildcards aren't supported.

I thought that was enough, but simply adding all directories makes dependabot open a PR for the first outdated dependency it finds of a certain action. If you scan again, it simply says a PR already exists despite there being multiple instances left of that outdated dependency.

Adding groups as well as directories makes it more manageable, but to avoid overhead and missing dependencies we are forced to use * as a pattern, because it is not reasonable to expect everyone to remember to update the pattern array of the dependabot file. Since we always use major version tags for actions, this means that all major changes land in a single PR, which requires rolling back all changes if something breaks and then manually updating the dependencies one by one instead.

carlincherry commented 3 months ago

forced to enumerate all of them in the directories array because wildcards aren't supported

We have a private beta going for wildcard support! Would you like to join? We anticipate GAing wildcard support within the next few weeks as well.

Thank you for your feedback as well!

to avoid overhead and missing dependencies we are forced to use * as a pattern because it is not reasonable to expect everyone to remember to update the pattern array of the dependabot file.

Is there a more specific but still generalizable pattern that might work for you than *? I hear you on the pain of rolling back all changes if something breaks and then manually updating the dependencies one by one instead.
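The configuration jokarl describes (every composite-action directory listed under `directories`, plus a catch-all `*` group) and the narrower grouping carlincherry asks about can both be expressed in one `.github/dependabot.yml`. The file below is an added illustration written for this thread; it is not configuration from dependabot-core or from either commenter, and the directory paths, group names and action publishers in it are assumed. It relies only on the documented `directories`, `groups`, `patterns` and `update-types` keys.

```yaml
# Added example dependabot.yml (not from the thread or the project).
# Directory paths, group names and the "actions/*" publisher pattern are
# assumed for illustration; replace them with your own layout.
version: 2
updates:
  - package-ecosystem: "github-actions"
    # Multi-directory support: "/" covers .github/workflows, and each
    # composite action is listed explicitly (wildcards were not available
    # when this thread was opened, so every action directory is enumerated).
    directories:
      - "/"
      - "/.github/actions/setup-toolchain"   # assumed composite action
      - "/.github/actions/publish"           # assumed composite action
    schedule:
      interval: "weekly"
    groups:
      # The catch-all group from the thread would be:
      #   all-actions:
      #     patterns: ["*"]
      # That yields one PR per run for every outdated action, so a single
      # breaking major bump forces a revert of the whole PR.
      #
      # Narrower alternative: group by publisher first. Dependencies are
      # assigned to the first group whose patterns match, so every
      # actions/* update (checkout, upload-artifact, download-artifact, ...)
      # lands in this one PR regardless of update type.
      github-official-actions:
        patterns:
          - "actions/*"
      # Everything else that is only a minor or patch bump is batched here.
      # Major bumps of third-party actions match no group and therefore get
      # their own PR each, which is the one you can revert in isolation.
      third-party-minor-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
```

With this layout a new composite action still has to be added to `directories` (or, once wildcard support is available to you, covered by a pattern there), but nobody needs to edit `patterns` when a new action is adopted: the `*` fallback still catches it, and only its major-version changes are split out into separate, individually revertable PRs.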