Actions: Consider precision of current version when selecting latest #4953
Conversation
| latest_tags = git_commit_checker.local_tags_for_latest_version_commit_sha | ||
|
|
||
| # Find the latest version with the same precision as the pinned version. | ||
| # Falls back to a version with the closest precision if no exact match. |
There was a problem hiding this comment.
I wasn't sure what to do here but assumed we'd probably run into this somewhere in the wild. A simpler option would be to refuse to update if we couldn't find a match?
There was a problem hiding this comment.
I think this approach is good, I think both outcomes are mildly surprising but failing over to some kind of update at least alerts the user to the new version and highlights that the tagging strategy on the library has changed.
Cases where we don't do anything are harder to relay to the end user without them reading the logs closely, so I think this is the better outcome.
There was a problem hiding this comment.
Do we have a test that covers the tie break behaviour?
I haven't gone over the existing tests outside the diff, but it occurs to me we might already be testing this as a variation on the current behaviour but I couldn't spot it.
There was a problem hiding this comment.
Nope, there were not. It's a bit of work to setup test fixtures for each case so I wanted to be sure we were OK with the approach first. I added some tests in aaa7703 by stubbing out the call to GitCommitChecker so the examples are easier to read.
| @@ -133,7 +133,7 @@ | |||
| let(:reference) { "1c24df3" } | |||
|
|
|||
| let(:repo_url) { "https://api.github.com/repos/actions/setup-node" } | |||
| let(:comparison_url) { repo_url + "/compare/v1.1.0...1c24df3" } | |||
| let(:comparison_url) { repo_url + "/compare/v1.1...1c24df3" } | |||
There was a problem hiding this comment.
This was a side effect of adding a v1.1 version to the test fixture.
Yeah they look related to git dependencies, but checked on a different branch and locally that the same errors exist, might be testing against some public deps that have changed |
| max_tag = tags. | ||
| max_by do |t| | ||
| version = t.name.match(VERSION_REGEX).named_captures. | ||
| fetch("version") | ||
| version_class.new(version) | ||
| end |
There was a problem hiding this comment.
This seems to be a duplication of lines 114-119, is it maybe worth extracting this to a method?
It took me a few minutes for the need to do the transform from the version back to the tags ( which are versions effectively and likely why I did a double-take 😅 ) on the commit sha to click, isolating this as a method might allow us to make it a little more expressive.
There was a problem hiding this comment.
I tried to improve this in 9d1dafb but open to any other naming suggestions!
| latest_tags = git_commit_checker.local_tags_for_latest_version_commit_sha | ||
|
|
||
| # Find the latest version with the same precision as the pinned version. | ||
| # Falls back to a version with the closest precision if no exact match. |
There was a problem hiding this comment.
I think this approach is good, I think both outcomes are mildly surprising but failing over to some kind of update at least alerts the user to the new version and highlights that the tagging strategy on the library has changed.
Cases where we don't do anything are harder to relay to the end user without them reading the logs closely, so I think this is the better outcome.
| context "using the full version" do | ||
| let(:reference) { "v1.0.0" } | ||
| it { is_expected.to eq(Dependabot::GithubActions::Version.new("2.1.3")) } | ||
| end |
| latest_tags = git_commit_checker.local_tags_for_latest_version_commit_sha | ||
|
|
||
| # Find the latest version with the same precision as the pinned version. | ||
| # Falls back to a version with the closest precision if no exact match. |
There was a problem hiding this comment.
Do we have a test that covers the tie break behaviour?
I haven't gone over the existing tests outside the diff, but it occurs to me we might already be testing this as a variation on the current behaviour but I couldn't spot it.
|
I've fixed the cargo things |
|
Not sure if this is working as expected. I've just got PR "Bump actions/setup-java from 2 to 3.1.1" |
|
Not sure if this is working as expected. I've just got existing, open PR "Bump actions/setup-java from 2 to 3" superseded by "Bump actions/setup-java from 2 to 3.1.1" |
|
The #4953 (comment) and #4953 (comment) happened in the short time while setup-java I still do not think, that the case of major-only version not advanced in the same time as point-release should cause observed behaviour. |
|
Thanks @pzygielo, that's a good catch! A mismatch in the One argument for keeping the current behavior is that creating a PR for the An argument against the current behavior is it's inconsistent with the behavior for updates within a major version. If you are currently on the I think it does make sense to try and preserve consistency and stick to upgrading from |
That's what happened in my cases, indeed. Should I accept the change "Bump actions/setup-java from 2 to 3.1.1" I'd be again in the loop of PRs for every bugfix release. (As x.x.x precision would be preferred then.) Thanks for checking. |
This attempts to address #4768
This has become noticeable recently with the release of the v3 versions of many github actions. The existing code to find the latest version did not deal with situations where multiple tags represented the latest version (v3, v3.0.0). Users that had pinned to a patch version were getting swapped to a major version (v2.1.5 -> v3) and some saw the opposite (v2 -> v3.0.0). Also, when v3.0.1 was released users pinned to a major version got updates to a patch version (v2 -> v3.0.1)
To work around this I've added a new method,
GitCommitChecker.local_tags_for_latest_version_commit_sha, which returns all the version tags attached to the commit for the latest version. I then updated the ActionsUpdateCheckerto try and choose the version tag that matches the precision of the current version.