Closed ybelMekk closed 2 years ago
Hi @ybelMekk
Thank you for opening a PR! Could you help me understand this a bit more:
> But I noticed when using automated dependency updates, like Dependabot, it updates, but it makes the ratchet inconsistent; the original constraint doesn't match the update. Example:
What is dependabot doing? Is this a custom dependabot integration or are there some documents you could point me to?
Ratchet intentionally won't bump a constraint. In your example, it will pick up the latest checksum in the v2 series, but it will not pull from the v3 series. To do that, you would either manually edit the comment and run `ratchet update`, or run `ratchet unpin`, edit, and run `ratchet pin`.
OK, no custom integration; dependabot.yml in your workflows folder:

```yaml
version: 2
updates:
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: "weekly"
```
Dependabot sends a PR to update the GitHub Action upload-artifact from 2.31 to 3:

```yaml
- name: Upload
  uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # ratchet:actions/upload-artifact@v2
```

Original pinned ratchet main.yaml:

```yaml
- name: Upload
  uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # ratchet:actions/upload-artifact@v2
```
Notice the ratchet comment is not updated but the hash is. But if you now have a workflow, say called ratchet.yaml, that only runs when there are changes to the workflow files:

```yaml
name: Check pinned workflows
on:
  push:
    paths:
      - '.github/workflows/**'
jobs:
  ratchet:
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # ratchet:actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
      - name: Check if main.yml is pinned
        uses: 'docker://ghcr.io/sethvargo/ratchet@sha256:35c4b5f020000ee9c77a4af7cbe04f1d3e88718e533e6cb949146d4dc2c89220' # ratchet:docker://ghcr.io/sethvargo/ratchet:0.2.1
        with:
          args: 'check --consistent .github/workflows/main.yml'
```
The `--consistent` flag with the `check` command in Ratchet will then fail, which helps the developer keep their pinned workflow consistent; they then run the `update` command either manually or in the same workflow.
OK, I see what you meant.. missing some logic in the PR.
Closing this for now, and will come back with a new one.
First of all, thanks for this cool project!
I started to use this in my GitHub CI workflows and found a thing I was thinking of submitting an issue for, but that's boring, so I tried my hand at a PR.
I've set it up similar to this;
But I noticed when using automated dependency updates, like Dependabot, it updates, but it makes the ratchet inconsistent; the original constraint doesn't match the update. Example:
before PR;
after PR;
The comment constraint `# ratchet:actions/upload-artifact@v2` should in this case be `# ratchet:actions/upload-artifact@v3`.
With this useful flag `--consistent` with the `check` command in Ratchet, when in a CI environment with automated dependency updates activated (e.g. Dependabot), the workflow will fail fast with a message: `found 1 mismatch between ref and constraint: [{"good/repo@2541b1294d2704b0964813337f33b291d3f8596b" "good/repo@v0" "4"}]` and you have to update the version, keeping the inconsistency away ..
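As an added example, not code from the ratchet project: a small Python checker in the spirit of `check --consistent`, parsing `uses:` lines carrying a `# ratchet:` comment and flagging a pinned SHA whose release no longer matches the comment constraint (the Dependabot v2-to-v3 bump discussed in this PR). The SHA-to-tag table and the workflow fragment are constructed for the demo, and the (ref, constraint, line) tuples are an assumed shape loosely following the mismatch message quoted above.

```python
import re
from typing import Dict, List, Optional, Tuple

# A pinned step: `uses: owner/repo@<40-hex sha> # ratchet:owner/repo@<constraint>`
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?(?P<repo>[^@\s'"]+)@(?P<sha>[0-9a-f]{40})['"]?"""
    r"""\s*#\s*ratchet:(?P<crepo>[^@\s]+)@(?P<constraint>\S+)"""
)

# Constructed SHA -> tag table; a real check resolves these from the upstream repository.
SHA_TO_TAG: Dict[str, str] = {
    "82c141cc518b40d92cc801eee768e7aafc9c2fa2": "v2.3.1",  # constructed: a v2 release
    "3cea5372237819ed00197afe530f5a7ea3e805c8": "v3.0.0",  # constructed: a v3 release
}

# Constructed fragment: Dependabot bumped upload-artifact to v3, the comment still says v2.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # ratchet:actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
  - name: Upload
    uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # ratchet:actions/upload-artifact@v2
"""

def major(tag: str) -> str:
    """'v3.0.0' -> '3'; a tag without a leading number is returned unchanged."""
    m = re.match(r"^v?(\d+)", tag)
    return m.group(1) if m else tag

def satisfies(sha: str, tag: Optional[str], constraint: str) -> bool:
    """Does the pinned SHA (which resolves to `tag`) still honour the comment constraint?"""
    if re.fullmatch(r"[0-9a-f]{40}", constraint):
        return sha == constraint            # constraint is itself a SHA: must be identical
    if tag is None:
        return False                        # SHA resolves to no known tag
    if re.fullmatch(r"v?\d+", constraint):
        return major(tag) == major(constraint)  # major-only constraint such as v2
    return tag == constraint                # exact tag constraint

def check_consistent(workflow: str, sha_to_tag: Dict[str, str]) -> List[Tuple[str, str, int]]:
    """Return (pinned ref, comment constraint, line number) for every inconsistent pinned step."""
    mismatches = []
    for lineno, line in enumerate(workflow.splitlines(), start=1):
        m = USES_RE.match(line)
        if m is None:
            continue  # unpinned step or no ratchet comment
        ok = m["repo"] == m["crepo"] and satisfies(m["sha"], sha_to_tag.get(m["sha"]), m["constraint"])
        if not ok:
            mismatches.append((f"{m['repo']}@{m['sha']}", f"{m['crepo']}@{m['constraint']}", lineno))
    return mismatches
```

Running `check_consistent(SAMPLE_WORKFLOW, SHA_TO_TAG)` reports the upload-artifact step on line 4 and accepts the checkout step, whose comment pins the same SHA as the ref.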