github / evergreen

GitHub Action to enable automated security updates and open an issue/PR in repos in an org that have dependency files but no dependabot.yaml file
https://github.blog/2024-01-25-do-you-know-if-all-your-repositories-have-up-to-date-dependencies/
MIT License

Unable to Pin Specific Minor Version of Evergreen Action in GitHub Workflow #221

Open gbrindisi opened 2 months ago

gbrindisi commented 2 months ago

Describe the bug

There seems to be an inconsistency in how GitHub Actions is handling the use of specific minor versions of the Evergreen action. When specifying a minor version (e.g., github/evergreen@v1.12.0), the workflow appears to still pull the latest major version (v1), ignoring the specified minor version.

From @zkoppert :

oh darn. This might be because when you specify the action at v1.12.0 it goes to the code at that point and determines which package to pull. See here the v1.12.0 of the code that specifies the package: https://github.com/github/evergreen/blob/v1.12.0/action.yml#L7

To Reproduce

- id: run-evergreen
  name: Run evergreen action
  uses: github/evergreen@v1.12.0

From the logs:

Download action repository 'github/evergreen@v1.12.0' (SHA:8d2d4117eadbbfa4c33828364cc4c88fea908192)
...
Pull down action image 'ghcr.io/github/evergreen:v1'

Expected behavior

It should retrieve the specific minor version

Screenshots

No response

Additional context

More context: https://github.com/github/evergreen/discussions/213

zkoppert commented 2 months ago

Here is a temporary workaround for this issue:

jobs:
  my_first_job:
    steps:
      - name: My first step
        uses: docker://ghcr.io/github/evergreen:v1.12.0
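
A small check, added here as an example rather than code from github/evergreen, for the drift both comments describe: it reads the `runs.image` line of a container action's action.yml (a constructed stand-in below, modelled on the v1.12.0 file linked above) and flags a workflow ref that looks pinned (v1.12.0) but resolves to a floating image tag (:v1), while an exact tag such as the one in the docker:// workaround passes. The action.yml text and all function names are assumptions.

```python
"""Does a container action's image move under a workflow ref that looks pinned?
Added example, not part of github/evergreen."""
import re
from dataclasses import dataclass

# Constructed stand-in for action.yml at v1.12.0: the ref is exact,
# but runs.image points at the floating :v1 tag.
ACTION_YML_V1_12_0 = """\
name: 'Evergreen'
runs:
  using: 'docker'
  image: 'docker://ghcr.io/github/evergreen:v1'
"""

IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?(docker://[^'\"\s]+)['\"]?\s*$", re.M)
SEMVER_RE = re.compile(r"^v?\d+\.\d+\.\d+$")


@dataclass
class Pin:
    workflow_ref: str   # the @ref used in the workflow's `uses:` line
    image: str          # docker:// reference found in action.yml
    image_ref: str      # the tag or digest part of that reference
    level: str          # 'digest' | 'exact' | 'floating'


def classify_image_ref(image: str) -> tuple[str, str]:
    """Return (tag-or-digest, level) for a docker:// image reference."""
    if "@sha256:" in image:
        return image.split("@", 1)[1], "digest"
    name = image.removeprefix("docker://")
    # Only a ':' after the last '/' is a tag separator; registry ports
    # (e.g. localhost:5000/...) sit before it and are not tags.
    last = name.rsplit("/", 1)[-1]
    if ":" not in last:
        return "latest", "floating"          # untagged images track :latest
    tag = last.split(":", 1)[1]
    return tag, "exact" if SEMVER_RE.match(tag) else "floating"


def check_pin(workflow_ref: str, action_yml: str) -> Pin:
    """Resolve the image an action.yml pulls and grade how tightly it is pinned."""
    m = IMAGE_RE.search(action_yml)
    if not m:
        raise ValueError("no docker:// image in action.yml (not a container action)")
    image_ref, level = classify_image_ref(m.group(1))
    return Pin(workflow_ref, m.group(1), image_ref, level)


def drifts(pin: Pin) -> bool:
    """True when an exact-looking workflow ref still pulls a floating image tag."""
    return SEMVER_RE.match(pin.workflow_ref) is not None and pin.level == "floating"
```

Run against the real file, the same check is what you would wire into a workflow-linting step: a `drifts()` hit means the code you reviewed at the pinned ref is not necessarily the container that executes.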

github-actions[bot] commented 1 month ago

This issue is stale because it has been open 21 days with no activity. Remove stale label or comment or this will be closed in 14 days.