Ignore version range syntax should be clarified in docs #2644

Open
atc0005 opened this issue Oct 15, 2020 · 14 comments
Labels
E: documentation Docs issues F: dependency-ignores Allow excluding certain versions L: docker Docker containers versioning

Comments

@atc0005

atc0005 commented Oct 15, 2020

Package manager/ecosystem

Docker

Manifest contents prior to update

https://github.com/atc0005/go-ci/pull/97/files/f9369a5e301acae0734bf29d1c4325a010738426#diff-79766e84403986272abd7f1d1582772c90f8d915cf006ce554728cfcf889ad92

Updated dependency

Current: golang:1.14.9
Offered via PR: golang:1.15.3

What you expected to see, versus what you actually saw

  • Actual:

    • Current: golang:1.14.9
    • Offered via PR: golang:1.15.3
  • Expected

    • Current: golang:1.14.9
    • Offered via PR: golang:1.14.10

Images of the diff or a link to the PR, issue or logs

Pull Request: https://github.com/atc0005/go-ci/pull/97/files
Config file: https://github.com/atc0005/go-ci/blob/039d93973ad7c9f5983557ab144b2baa1988fe59/.github/dependabot.yml#L61-L85

@atc0005 atc0005 added the T: bug 🐞 Something isn't working label Oct 15, 2020
@jurre
Member

jurre commented Oct 15, 2020

You specified the ignore condition as versions: ["1.15.x"], but that's not a valid version range for docker. I think if you changed that to versions: ["1.15"] it should work as expected.

@atc0005
Author

atc0005 commented Oct 15, 2020

@jurre thanks, I'll give that a try and report back.

@atc0005
Author

atc0005 commented Oct 15, 2020

@jurre I've made the changes and forced another check (https://github.com/atc0005/go-ci/network/updates), but no changes to the existing PR. I also issued a recreate command, but same scenario.

Is this a case where I have to refuse the PR, make the change myself and wait for the next upstream image release to confirm that the next PR has the intended behavior?

@jurre
Member

jurre commented Oct 15, 2020

> Is this a case where I have to refuse the PR, make the change myself and wait for the next upstream image release to confirm that the next PR has the intended behavior?

Yeah I think so, we can't change the version proposed in a PR once it's opened, although you may not have to wait for the next release, you may get a PR if you trigger a new update via the link you shared. Would you try closing the existing PR and triggering a new run?

@atc0005
Author

atc0005 commented Oct 15, 2020

> @jurre: you may get a PR if you trigger a new update via the link you shared. Would you try closing the existing PR and triggering a new run?

Thanks for the feedback.

I gave that a try, but it doesn't appear that the config file changes have been picked up/honored. Here are the log messages from a forced recheck:

  proxy | time="2020-10-15T14:27:17Z" level=info msg="proxy starting" commit=153432828ee10980cbc35a4a9f83346fe63dc4be
  proxy | 2020/10/15 14:27:17 Listening (:1080)
updater | 2020-10-15T14:27:17.747516851 [66064224:WARN:src/devices/src/legacy/serial.rs:319] Detached the serial input due to peer error/close.
updater | time="2020-10-15T14:27:19Z" level=info msg="guest starting" commit=5379c22ce4c323ffd6c4f33620e3a5dd93a51cd6
updater | time="2020-10-15T14:27:19Z" level=info msg="starting job..." fetcher_timeout=5m0s job_id=66064224 updater_timeout=45m0s updater_version=0.123.0-6d99028f1b5ee20933e6c22fef1b8531121fd768
updater | yarn config v1.22.5
updater | success Set "cafile" to "/etc/ssl/certs/ca-certificates.crt".
updater | Done in 0.03s.
updater | I, [2020-10-15T14:27:22.230288 #72]  INFO -- sentry: ** [Raven] Raven 3.1.1 ready to catch errors
updater | INFO <job_66064224> Starting job processing
  proxy | 2020/10/15 14:27:24 [002] GET https://api.github.com:443/repos/atc0005/go-ci/git/refs/heads/master
  proxy | 2020/10/15 14:27:24 * authenticating github api request
  proxy | 2020/10/15 14:27:24 [002] 200 https://api.github.com:443/repos/atc0005/go-ci/git/refs/heads/master
  proxy | 2020/10/15 14:27:24 [004] GET https://api.github.com:443/repos/atc0005/go-ci/contents/oldstable?ref=445a547af78d348c5155c957be451f97935e7bdf
  proxy | 2020/10/15 14:27:24 * authenticating github api request
  proxy | 2020/10/15 14:27:24 [004] 200 https://api.github.com:443/repos/atc0005/go-ci/contents/oldstable?ref=445a547af78d348c5155c957be451f97935e7bdf
  proxy | 2020/10/15 14:27:24 [007] GET https://github.com:443/atc0005/go-ci/info/refs?service=git-upload-pack
  proxy | 2020/10/15 14:27:24 * authenticating git server request (host: github.com)
  proxy | 2020/10/15 14:27:24 [007] 200 https://github.com:443/atc0005/go-ci/info/refs?service=git-upload-pack
  proxy | 2020/10/15 14:27:25 [009] POST https://github.com:443/atc0005/go-ci/git-upload-pack
  proxy | 2020/10/15 14:27:25 * authenticating git server request (host: github.com)
  proxy | 2020/10/15 14:27:25 [009] 200 https://github.com:443/atc0005/go-ci/git-upload-pack
  proxy | 2020/10/15 14:27:25 [011] POST https://github.com:443/atc0005/go-ci/git-upload-pack
  proxy | 2020/10/15 14:27:25 * authenticating git server request (host: github.com)
  proxy | 2020/10/15 14:27:25 [011] 200 https://github.com:443/atc0005/go-ci/git-upload-pack
updater | INFO <job_66064224> Finished job processing
updater | time="2020-10-15T14:27:25Z" level=info msg="task complete" container_id=job-66064224-file-fetcher exit_code=0 job_id=66064224 step=fetcher
updater | yarn config v1.22.5
updater | success Set "cafile" to "/etc/ssl/certs/ca-certificates.crt".
updater | Done in 0.04s.
updater | I, [2020-10-15T14:27:27.663402 #73]  INFO -- sentry: ** [Raven] Raven 3.1.1 ready to catch errors
updater | INFO <job_66064224> Starting job processing
updater | INFO <job_66064224> Starting update job for atc0005/go-ci
updater | INFO <job_66064224> Checking if golang 1.14.9 needs updating
  proxy | 2020/10/15 14:27:29 [015] GET https://registry.hub.docker.com:443/v2/library/golang/tags/list
  proxy | 2020/10/15 14:27:29 [015] 401 https://registry.hub.docker.com:443/v2/library/golang/tags/list
  proxy | 2020/10/15 14:27:30 [017] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2020/10/15 14:27:30 [017] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2020/10/15 14:27:30 [019] GET https://registry.hub.docker.com:443/v2/library/golang/tags/list
  proxy | 2020/10/15 14:27:30 [019] 200 https://registry.hub.docker.com:443/v2/library/golang/tags/list
  proxy | 2020/10/15 14:27:30 [021] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/latest
  proxy | 2020/10/15 14:27:30 [021] 401 https://registry.hub.docker.com:443/v2/library/golang/manifests/latest
  proxy | 2020/10/15 14:27:30 [023] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2020/10/15 14:27:30 [023] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2020/10/15 14:27:30 [025] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/latest
  proxy | 2020/10/15 14:27:30 [025] 200 https://registry.hub.docker.com:443/v2/library/golang/manifests/latest
  proxy | 2020/10/15 14:27:30 [027] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.15.3
  proxy | 2020/10/15 14:27:30 [027] 401 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.15.3
  proxy | 2020/10/15 14:27:30 [029] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2020/10/15 14:27:30 [029] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fgolang%3Apull
  proxy | 2020/10/15 14:27:30 [031] HEAD https://registry.hub.docker.com:443/v2/library/golang/manifests/1.15.3
  proxy | 2020/10/15 14:27:31 [031] 200 https://registry.hub.docker.com:443/v2/library/golang/manifests/1.15.3
updater | INFO <job_66064224> Latest version is 1.15.3
updater | INFO <job_66064224> Pull request already exists for golang with latest version 1.15.3
updater | INFO <job_66064224> Finished job processing
updater | time="2020-10-15T14:27:31Z" level=info msg="task complete" container_id=job-66064224-updater exit_code=0 job_id=66064224 step=updater

@atc0005
Author

atc0005 commented Nov 8, 2020

Not trying to be pushy, but I wanted to confirm that the behavior is still present (in case recent comments to this issue were unclear).

atc0005/go-ci#119

This PR replaces Go 1.14.10 with 1.15.4 instead of 1.14.11.

@atc0005
Author

atc0005 commented Dec 4, 2020

I'm not sure whether this was fixed separately, or whether the changes I made yesterday resolved the issue, but here are my changes:

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6025eac..ebcce88 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -71,8 +71,11 @@ updates:
         # Ignore updates from series associated with "stable" container.
         #
         # Note: The version specified here should always be one ahead of the
-        # version used by the "oldstable" container.
-        versions: ["1.15"]
+        # version used by the "oldstable" container. (GH-100)
+        # versions: ["1.15"]
+        versions:
+          - ">= 1.15"
+          - "< 1.14"
     assignees:
       - "atc0005"
     labels:
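
Review bot: The comment above `versions:` still says the value "should always be one ahead of the version used by the oldstable container", which described the single `["1.15"]` entry. With the two bounds `">= 1.15"` and `"< 1.14"` there are now two literals that must be bumped together whenever oldstable moves, and the comment should say so. I would also drop the commented-out `# versions: ["1.15"]` line, or annotate it as the form that did not take effect, rather than leave it in the file unexplained.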

This resulted in atc0005/go-ci#158 being created as intended: Go 1.14.12 to 1.14.13 instead of a jump from 1.14.x to 1.15.x.

Credit: https://github.com/Graylog2/graylog-docker/blob/6d5293342f846b347fe07a4841369e8d47c7cd3e/.github/dependabot.yml

I saw that change come through and borrowed the syntax for my own config file. It seems to have resolved the problem.

@jurre
Member

jurre commented Dec 4, 2020

Hi @atc0005, happy to see you solved it!

It seems like we're falling back on the bundler syntax for docker images, I think that's a bit confusing, but it makes sense, given that a bunch of things are based off the bundler implementation.
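
Added illustration (not part of the thread and not Dependabot's code): the three `versions` values tried above, evaluated under RubyGems/Bundler requirement rules. It assumes each entry is an independent requirement and that a tag is ignored when any entry matches; the tag list is constructed.

```ruby
require "rubygems"

# Added illustration, not Dependabot's code. Assumption: every entry under
# `ignore.versions` is an independent RubyGems/Bundler requirement, and a
# candidate tag is ignored when ANY entry is satisfied.

# Constructed sample of numeric golang image tags.
CANDIDATE_TAGS = %w[1.13.15 1.14.10 1.14.13 1.15 1.15.3 1.15.4].freeze

# The three `versions` values tried in the thread, in order.
IGNORE_CONFIGS = [
  ["1.15.x"],
  ["1.15"],
  [">= 1.15", "< 1.14"]
].freeze

# True when any ignore entry matches the tag.
def ignored?(tag, entries)
  version = Gem::Version.new(tag)
  entries.any? do |entry|
    begin
      # A bare version means "= version"; RubyGems has no ".x" wildcard.
      Gem::Requirement.new(entry).satisfied_by?(version)
    rescue Gem::Requirement::BadRequirementError
      false # an entry that does not parse can never match
    end
  end
end

# Tags that remain eligible for an update PR.
def offered_tags(entries, tags = CANDIDATE_TAGS)
  tags.reject { |tag| ignored?(tag, entries) }
end

# The tag an updater that picks the newest eligible version would propose.
def highest_offered(entries, tags = CANDIDATE_TAGS)
  offered_tags(entries, tags).max_by { |tag| Gem::Version.new(tag) }
end

if __FILE__ == $PROGRAM_NAME
  IGNORE_CONFIGS.each do |entries|
    puts "#{entries.inspect}: offered #{offered_tags(entries).inspect}, " \
         "newest #{highest_offered(entries)}"
  end
end
```

Under these rules `"1.15"` matches only the exact tag 1.15, which is consistent with the 1.15.x update PRs reported earlier in the thread, while the two-entry form leaves only the 1.14 series eligible.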

@atc0005
Author

atc0005 commented Dec 4, 2020

> Hi @atc0005, happy to see you solved it!
>
> It seems like we're falling back on the bundler syntax for docker images, I think that's a bit confusing, but it makes sense, given that a bunch of things are based off the bundler implementation.

Thanks. So perhaps this isn't a bug in Dependabot, but a documentation omission?

@jeffwidman
Member

I'm going to close as it seems this got figured out. The docs bit I'm unclear about, if you think they need improvement feel free to submit a PR (GitHub docs all have an edit button).

@atc0005
Author

atc0005 commented Aug 11, 2022

> @jeffwidman: The docs bit I'm unclear about

Hi Jeff,

I was referring to this comment by @jurre:

> It seems like we're falling back on the bundler syntax for docker images, I think that's a bit confusing, but it makes sense, given that a bunch of things are based off the bundler implementation.

The syntax that your team expected to work did not and the syntax needed wasn't documented in a way that was clear (at least to me).

For example, the https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore coverage notes:

> versions—use to ignore specific versions or ranges of versions. If you want to define a range, use the standard pattern for the package manager (for example: ^1.0.0 for npm, or ~> 2.0 for Bundler).

Not knowing the Bundler syntax (or YAML all that well), it doesn't appear that the documentation covers this syntax to ignore unwanted updates for anything but the 1.14 series:

      ignore:
        versions:
          - ">= 1.15"
          - "< 1.14"

> @jeffwidman: if you think they need improvement feel free to submit a PR

That's fair, but while the problem was solved for me by updating the syntax of the config block, I wasn't given the impression that the fix would be viable long-term. Evidently I was wrong as the syntax continues to work even now.

@jeffwidman
Member

Thanks, I'm going to re-open this, as your explanation makes a lot of sense so I do think there's some action we could take here. I'm not sure if it's a docs fix, or if the supported syntax should be made "more docker-like", as I haven't really dug into this, but something can certainly be improved...

@jeffwidman jeffwidman reopened this Aug 11, 2022
@deivid-rodriguez deivid-rodriguez changed the title Go 1.15.3 Docker image offered as an update to 1.14.9 instead of 1.14.10 Ignore version range syntax should be clarified in docs Nov 19, 2022
@deivid-rodriguez deivid-rodriguez added L: docker Docker containers E: documentation Docs issues and removed T: bug 🐞 Something isn't working labels Nov 19, 2022
@deivid-rodriguez
Contributor

In my opinion, all that's needed here is to update ignore documentation with some generic syntax that should work regardless of the package manager. I updated labels and issue title accordingly.

@jeffwidman jeffwidman added the F: dependency-ignores Allow excluding certain versions label Feb 5, 2023
@kbocock-krg

Please add the ability to support complex docker tags. Ex. python:3.10-alpine3.18. Suggest adding a regex option.
