Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build(deps): bump @actions/core from 1.8.0 to 1.8.2 #473

Merged
merged 2 commits into from Jun 1, 2022

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github May 16, 2022

Bumps @actions/core from 1.8.0 to 1.8.2.

Changelog

Sourced from @​actions/core's changelog.

1.8.2

  • Update to v2.0.1 of @actions/http-client #1087

1.8.1

  • Update to v2.0.0 of @actions/http-client
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 16, 2022
@dependabot dependabot bot requested a review from a team May 16, 2022
Copy link
Contributor

@kamilsk kamilsk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rebase after #470 is needed

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/actions/core-1.8.2 branch from 41aefc4 to dbd1808 Compare May 16, 2022
@kamilsk kamilsk self-requested a review May 16, 2022
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/actions/core-1.8.2 branch from dbd1808 to c947694 Compare May 16, 2022
@ldez
Copy link
Member

ldez commented May 16, 2022

it feels like commits created in the GHA are skipped, I will check something in the settings.

@ldez
Copy link
Member

ldez commented May 16, 2022

I checked and it doesn't seem related to what I was thinking.

@kamilsk kamilsk force-pushed the dependabot/npm_and_yarn/actions/core-1.8.2 branch 2 times, most recently from 94853ad to d06b54c Compare May 16, 2022
@kamilsk
Copy link
Contributor

kamilsk commented May 16, 2022

I tried:

it didn't help

image

the build does not restart in this case. jfyi

@kamilsk kamilsk force-pushed the dependabot/npm_and_yarn/actions/core-1.8.2 branch from f2b487d to c947694 Compare May 16, 2022
@SVilgelm
Copy link
Member

I know about this issue, the system token GH_TOKEN cannot trigger other workflows to avoid recursion, the only way is using PAT, but there is another issue - dependabot has no access to the main secrets. @ldez, if you have an access to the glance bot secrets, or if no, then generate a temporary one and add the secret to dependabot's section in the repo settings:
Screen Shot 2022-05-16 at 9 59 16 AM

then we need to change the workflow to use PAT

@ldez
Copy link
Member

ldez commented May 16, 2022

The dependabot doesn't use any secret or token, we don't use the Github API to create commits.

https://github.com/golangci/golangci-lint-action/blob/master/.github/workflows/test.yml

@SVilgelm
Copy link
Member

The dependabot doesn't use any secret or token, we don't use the Github API to create commits.

https://github.com/golangci/golangci-lint-action/blob/master/.github/workflows/test.yml

            git config --local user.name "dependabot[bot]"
            git config --local user.email "49699333+dependabot[bot]@users.noreply.github.com"
            git add --update
            git commit --message="Update dist files"
            git push

then how this works?

@ldez
Copy link
Member

ldez commented May 16, 2022

then how this works?

This is the secret sauce of GitHub and Dependabot.

We don't provide any token for this bot and we don't call the GitHub API.

The dependabot secrets don't allow overriding secrets named GITHUB_*, and there is no option to change the "token" that uses dependabot.

https://docs.github.com/en/code-security/dependabot/working-with-dependabot/managing-encrypted-secrets-for-dependabot

Remember that the dependabot doesn't need to be installed, it's not an application but just a GitHub "feature".

Do you have links to documentation or something else?

@kamilsk
Copy link
Contributor

kamilsk commented May 16, 2022

folks, what do you think if we rethink this part? for me, "push changes" while you check them is a foot gun

cannot trigger other workflows to avoid recursion

what if this step will be a part of a push event?

@kamilsk
Copy link
Contributor

kamilsk commented May 16, 2022

if

      - name: Update dist files
        if: github.event_name == 'push'

then try to update dist in the main branch instead of the current approach

@kamilsk kamilsk force-pushed the dependabot/npm_and_yarn/actions/core-1.8.2 branch from 8745322 to de5c087 Compare May 16, 2022
@kamilsk kamilsk requested review from ldez, SVilgelm and sayboras May 16, 2022
@kamilsk
Copy link
Contributor

kamilsk commented May 16, 2022

please take a look on de5c087

@ldez
Copy link
Member

ldez commented May 16, 2022

The problem will be worse because creating a commit on master without a real user will not really work well.
Otherwise, the dirty check is important.

@kamilsk
Copy link
Contributor

kamilsk commented May 16, 2022

The problem will be worse because creating a commit on master without a real user will not really work well.

why? now the same commit will be created on a feature branch. what is the difference?

and this scheme works well:

@kamilsk
Copy link
Contributor

kamilsk commented May 23, 2022

The problem will be worse because creating a commit on master without a real user will not really work well.
Otherwise, the dirty check is important.

@ldez let's remove "changing state" part and leave the dirty check. someone will do it manually. what do you think?

@kamilsk kamilsk force-pushed the dependabot/npm_and_yarn/actions/core-1.8.2 branch from de5c087 to c947694 Compare May 24, 2022
@kamilsk kamilsk force-pushed the dependabot/npm_and_yarn/actions/core-1.8.2 branch from 72cf77d to c264fca Compare Jun 1, 2022
kamilsk
kamilsk approved these changes Jun 1, 2022
@kamilsk kamilsk force-pushed the dependabot/npm_and_yarn/actions/core-1.8.2 branch from c264fca to 5d8e5c2 Compare Jun 1, 2022
@kamilsk
Copy link
Contributor

kamilsk commented Jun 1, 2022

@dependabot recreate

Bumps [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) from 1.8.0 to 1.8.2.
- [Release notes](https://github.com/actions/toolkit/releases)
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/actions/core-1.8.2 branch from 5d8e5c2 to 1737dfa Compare Jun 1, 2022
@kamilsk kamilsk merged commit 4210566 into master Jun 1, 2022
18 checks passed
@kamilsk kamilsk deleted the dependabot/npm_and_yarn/actions/core-1.8.2 branch Jun 1, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants