Bump MrOctopus/download-asset-action from 1.0 to 1.1 in /workflow-templates #396
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
Bumps [MrOctopus/download-asset-action](https://github.com/mroctopus/download-asset-action) from 1.0 to 1.1. - [Release notes](https://github.com/mroctopus/download-asset-action/releases) - [Commits](MrOctopus/download-asset-action@1.0...1.1) --- updated-dependencies: - dependency-name: MrOctopus/download-asset-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
The problem with the MrOctopus/download-asset-action action (MrOctopus/download-asset-action#8) that caused the CI failures at the time the PR was submitted has been fixed (MrOctopus/download-asset-action@d66a497), but the fact that a fundamentally broken release was made in the first place (indicating there is no validation/quality control of the action whatsoever), and then the way the fix was deployed (by moving the existing 1.1 tag instead of making a new tag) tells me that we should try to migrate away from using MrOctopus/download-asset-action if possible.
| @@ -61,7 +61,7 @@ jobs: | |||
|
|
|||
| - name: Download latest editorconfig-checker release binary package | |||
| id: download | |||
| uses: MrOctopus/download-asset-action@1.0 | |||
| uses: MrOctopus/download-asset-action@1.1 | |||
There was a problem hiding this comment.
Starting from version 2.0.0, the editorconfig-checker/action-editorconfig-checker action now acts as an installer for the editorconfig-checker tool (similar to how the actions/setup-* actions work). This means it can serve as a replacement for the MrOctopus/download-asset-action action in this specific application of installing editorconfig-checker.
There was a problem hiding this comment.
Installation of editorconfig-checker via go install is now well supported.
This approach would allow us to manage the version of the tool dependency via the Go modules system and Dependabot, as suggested for shfmt (#396 (comment)) and gon (#360 (comment)), as well as other Go-based tool dependencies (which could even include Task).
| @@ -144,7 +144,7 @@ jobs: | |||
|
|
|||
| - name: Download shfmt | |||
| id: download | |||
| uses: MrOctopus/download-asset-action@1.0 | |||
| uses: MrOctopus/download-asset-action@1.1 | |||
There was a problem hiding this comment.
An alternative approach to installation would be using go install (which was not available for use at the time the template was written). This is an officially supported installation method for the tool:
https://github.com/mvdan/sh#shfmt
My personal preference would be to use that installation approach in combination with a dummy "tools" Go package, which would allow controlled bumps of the tool dependency via automated Dependabot PRs. However, we could also just use go install mvdan.cc/sh/v3/cmd/shfmt@latest to get simple uncontrolled installation as is done with the current approach.
| @@ -93,7 +93,7 @@ jobs: | |||
|
|
|||
| - name: Download latest ShellCheck release binary package | |||
| id: download | |||
| uses: MrOctopus/download-asset-action@1.0 | |||
| uses: MrOctopus/download-asset-action@1.1 | |||
There was a problem hiding this comment.
An alternative approach to installation would be APT, which is an officially supported installation method:
https://github.com/koalaman/shellcheck#installing
However, the version in the Ubuntu 22.04 package repository is outdated:
https://launchpad.net/ubuntu/jammy/+source/shellcheck
So I think that is an unsuitable method.
The Snap package is another officially supported installation method, and the package is up to date:
https://snapcraft.io/shellcheck
So I think this would be the best alternative to the current release binary download installation method.
Bumps MrOctopus/download-asset-action from 1.0 to 1.1.
Release notes
Sourced from MrOctopus/download-asset-action's releases.
Commits
175b1afUpdated package.json version to 1.1.0d81f005Updated node_modulesYou can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)