[bug] Renovate upgrades to v1.3.0: no assets to download #1250
Comments
Thanks. The v1.3.0 is marked as "pre-release", until we run all the pre-release tests. Can renovatebot be configured to not send PRs in this case? I know that dependabot does not, for example. We have this issue to also update the documentation #1219
@rarkins Could you point us in the right direction?
In future I recommend against using stable semver versions for pre-releases, as you may confuse humans and bots alike. Renovate is upgrading tags here, and tags don't have prerelease designations - only releases do. If you are using either assets or release metadata (prerelease) then we'd need to switch to using GitHub releases only and no longer tags (even though GitHub Actions works off tags, as far as I'm aware). This means any tag you intend to be stable but which is missing a release would be ignored, as well as any release you designate as unstable.
@rarkins Thanks for the suggestions. Unfortunately we need to do pre-release tests which require exercising our verifier which requires us to use semver tags. We uncheck the pre-release checkbox after pre-release tests are done. That's really the only way for us to properly test the releases. As a GHA CI/CD tool, we need to test after the tag is created and the reusable workflow is tied to this repository. So running tests in another repository risks us breaking production releases because of differences in repo settings etc. and we can't create separate non-semver tags for pre-releases because our SLSA verifier requires semver tags. It feels like we're a strange edge case for this kind of thing...
It seems like Renovate should switch to looking up releases instead of tags, in which case this pre-release flag is known and such PRs shouldn't be raised. I created a bug on Renovate and after confirmation from my co-maintainers we'll try to prioritize this change getting into production quickly: renovatebot/renovate#19033
Thanks @rarkins, let's see what happens
Heads-up: we closed the Renovate issue. It looks like the problem is not with Renovate: 1
To resolve this problem for SLSA we'll instead move this forward: renovatebot/renovate#19032. What this means is that we'll supplement GitHub tags with GitHub releases metadata whenever they correlate, which means we'll learn that 3.0.0 in this case is pre-release and therefore suppress it by default.
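The difference between tag-only lookup and the tag/release correlation described in the comment above, as an added example that is not part of the thread and is not Renovate's implementation. The tag and release lists are constructed (only v1.3.0 being marked pre-release comes from this issue), `pick_update` and its `mode` values are hypothetical names, and the dictionary keys follow the GitHub REST API tag and release objects.

```python
import re

SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$")

# Constructed sample data, shaped like the GitHub REST API responses for
# /repos/{owner}/{repo}/tags and /repos/{owner}/{repo}/releases.
TAGS = [{"name": n} for n in
        ("v1.2.1", "v1.2.2", "v1.2.3", "v1.3.0", "v1.4.0-rc.0", "latest")]
RELEASES = [
    {"tag_name": "v1.2.1", "prerelease": False, "draft": False},
    {"tag_name": "v1.2.2", "prerelease": False, "draft": False},
    {"tag_name": "v1.3.0", "prerelease": True, "draft": False},
    # v1.2.3 is deliberately a tag with no release object at all.
]


def version_key(tag):
    """Return (major, minor, patch) for a stable semver tag, else None."""
    m = SEMVER.match(tag)
    if m is None or m.group(4):  # not semver, or carries a -rc style suffix
        return None
    return tuple(int(m.group(i)) for i in (1, 2, 3))


def eligible(tag, release, releases_only):
    """Decide whether one tag may be proposed as an update."""
    if version_key(tag) is None:
        return False
    if release is None:  # no release metadata correlates with this tag
        return not releases_only
    return not (release["prerelease"] or release["draft"])


def pick_update(current, tags, releases, mode="correlated"):
    """Highest eligible tag newer than `current`, or None.

    mode (hypothetical names): "tags" ignores release metadata,
    "correlated" uses it where a release matches the tag,
    "releases" additionally drops tags that have no release.
    """
    by_tag = {} if mode == "tags" else {r["tag_name"]: r for r in releases}
    candidates = [
        t["name"] for t in tags
        if eligible(t["name"], by_tag.get(t["name"]), mode == "releases")
        and version_key(t["name"]) > version_key(current)
    ]
    return max(candidates, key=version_key, default=None)


if __name__ == "__main__":
    for mode in ("tags", "correlated", "releases"):
        print(mode, "->", pick_update("v1.2.1", TAGS, RELEASES, mode))
```

The `-rc.0` tag is skipped in every mode because the suffix is visible in the tag itself, whereas the pre-release flag on v1.3.0 is only visible once release metadata is consulted.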
Thank you for the quick follow-up. Do you know how hard it is to implement and the timeline you envisage?
I estimate 1-2 weeks
This works as expected after updating, using renovate, slsa-framework/slsa-github-generator action to v1.4.0
Thanks @konstruktoid
I think this should be solved now that renovatebot/renovate#19032 was finished and we now do RC releases to mitigate this issue.
Describe the bug
https://github.com/konstruktoid/ansible-role-hardening/actions/runs/3512750596/jobs/5884806849#step:2:557
https://github.com/konstruktoid/ansible-role-docker-rootless/actions/runs/3514186184/jobs/5887905261#step:2:557
https://github.com/konstruktoid/hardening/actions/runs/3514179542/jobs/5887890423#step:2:557
Additional context
Renovate upgrades slsa-framework/slsa-github-generator action to v1.3.0
konstruktoid/ansible-role-hardening#208
konstruktoid/ansible-role-docker-rootless#90
konstruktoid/hardening#199