GitHub Actions - full patch versions are bumped to minimal new major versions #4768
Comments
This looks like an inconsistent regression. My
Yes, actually another PR in another one of my repos was raised correctly. It bumped
Just had a bunch more of these types of PRs opened. Wish there was a way to force dependabot to recreate them using the full version number. Here are the relevant logs for the above PRs in case they help at all.
My suspicion is that, since a tag like v3 is probably more recent than v3.0.0 (example: actions/checkout v3 created 2022-03-01 12:49 GMT-5, v3.0.0 created 2022-03-01 12:46 GMT-5), dependabot uses v3 instead of v3.0.0 because it's more recent.
Added to a discussion at community/community#12303
Just had a PR that updated from
I just had a couple of these for versions of a GitHub action going from full v3.14.0 to just v4 rather than v4.0.0. But in a PR for a maven dependency in another repo it did the right thing from a version 1.2.0 to 2.0.0.
Was this fixed in #4953?
Today I got a PR going from v2.1.0 to v3.0.0 (there's a v3 tag for the action), so this worked as expected in this scenario: xt0rted/slash-command-action#505. Looks like I have a couple PRs in private repos that are also working as expected now.
I also had all my PRs today using the correct level of precision. |
Just wanted to add that if you are currently pinning to a patch version of an action you might also consider pinning to the full sha instead. You'll still get a Dependabot PR for each patch version bump (updating to the latest release sha) and have better immutability guarantees (https://docs.github.com/en/github-ae@latest/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions). I don't think that sha updates were affected by this bug. |
@mctofu oh, thank you, that is good to know! Initially, I used shas everywhere, but I switched to using patch versions because I found it too cumbersome to work with the shas manually. But if dependabot takes care of shas for me, I'll probably switch back. |
Package ecosystem
![image](https://user-images.githubusercontent.com/677704/155833820-a89d80e2-d8c9-4a51-af9d-2c2fc101cef5.png)
GitHub Actions
Package manager version
n/a
Language version
n/a
Manifest location and content prior to update
https://github.com/adamralph/bullseye/blob/bbf7aef61a19ab8a78af7d11f36aabc4d5d0acf4/.github/workflows/ci.yml#L28
dependabot.yml content
https://github.com/adamralph/bullseye/blob/bbf7aef61a19ab8a78af7d11f36aabc4d5d0acf4/.github/dependabot.yml
Updated dependency
actions/setup-dotnet, from `1.9.1` to `2`
What you expected to see, versus what you actually saw
I expected to see the dependency update from `1.9.1` to `2.0.0`. The convention with GitHub Actions is to continually move tags like `1` and `2` to match the latest patch version, e.g. `1.9.1`, `2.3.4` etc. I am deliberately not using tags like `1` and `2`. I am using the full patch version, e.g. `1.9.1`, for better build reproducibility. If the current version is a full version, e.g. `1.9.1`, then dependabot should not update that version to `2`. It should update it to `2.0.0`.
Native package manager behavior
n/a
Images of the diff or a link to the PR, issue or logs
🕹 Bonus points: Smallest manifest that reproduces the issue
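The issue report above (full patch versions being rewritten to a moving major tag) and the later comment recommending commit-SHA pinning both come down to the same question: which kind of reference does each `uses:` line in a workflow carry? The following script is an added example, not part of this issue, of dependabot, or of the reporter's repository; it scans a workflow file for `uses:` references and classifies each as an immutable commit SHA, a full patch version, a floating major/minor tag (the kind this bug produced), or something else such as a branch name, so a repository can check that a Dependabot PR did not silently downgrade pinning precision. The workflow text and the 40-hex SHA in it are constructed for the example and do not refer to real commits.

```python
import re
from typing import List, Tuple

# Constructed sample workflow excerpt; the action versions and the SHA are
# illustrative only, not taken from the issue's repository.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-dotnet@1.9.1
      - uses: actions/setup-dotnet@2
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # constructed sha
      - uses: ./.github/actions/local-step
      - run: dotnet --info
"""

# Matches a `uses:` step and captures the `owner/repo@ref` target (quotes and
# trailing comments are excluded from the capture).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")              # full commit SHA: immutable
FULL_VERSION_RE = re.compile(r"^v?\d+\.\d+\.\d+")   # e.g. 1.9.1 or v3.0.0
FLOATING_TAG_RE = re.compile(r"^v?\d+(\.\d+)?$")    # e.g. 2 or v3.1: tag is moved by maintainers


def classify_ref(ref: str) -> str:
    """Return the pinning class of a single @ref: sha, full-version, floating-tag, other."""
    if SHA_RE.match(ref):
        return "sha"
    if FULL_VERSION_RE.match(ref):
        return "full-version"
    if FLOATING_TAG_RE.match(ref):
        return "floating-tag"
    return "other"  # branch names and anything unrecognised


def audit_workflow(text: str) -> List[Tuple[str, str, str]]:
    """Classify every remote action reference in a workflow file.

    Returns (action, ref, kind) tuples in file order. Local actions (./path)
    and docker:// images are skipped because they are not tag-pinned repos.
    """
    findings: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        if "@" not in target:
            # No ref at all resolves to the default branch: treat as unpinned.
            findings.append((target, "", "other"))
            continue
        action, ref = target.rsplit("@", 1)
        findings.append((action, ref, classify_ref(ref)))
    return findings


def floating_refs(text: str) -> List[Tuple[str, str]]:
    """Return the (action, ref) pairs whose pin can move underneath the workflow."""
    return [(action, ref) for action, ref, kind in audit_workflow(text)
            if kind in ("floating-tag", "other")]


if __name__ == "__main__":
    for action, ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{kind:13s} {action}@{ref}")
    print("needs attention:", floating_refs(SAMPLE_WORKFLOW))
```

Running this on a workflow before and after a Dependabot PR makes the regression in this issue visible: a `full-version` entry that becomes `floating-tag` is exactly the `1.9.1` to `2` rewrite the reporter describes, while a workflow that is already SHA-pinned stays in the `sha` class across updates.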