Dependabot doesn't always update version comments for hash-pinned actions/checkout@v3 to @v4 #8011
Comments
We've seen a variant of this with other actions as well, including
More generally, it looks like Dependabot fails to update the version comment unless the pre-existing comment exactly matches the previous version. This means that any manual update of a workflow (or any other mechanism that fails to update the comment) ends up causing "cascading" stale version comments.
Did a bit more looking, and this appears to be the more generic underlying issue: #7912
But in my linked cases, there don't seem to be any incorrect version comments. This is clearest when comparing the diffs in the case where the version comment was successfully updated from 3.6.0 to 4.0.0 and the case where it wasn't updated from the same 3.6.0:
https://github.com/AOMediaCodec/libavif/pull/1571/files (failed):
```diff
steps:
- name: Checkout the repository
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v3.6.0
```
https://github.com/pnacht/dependabot-actions-checkout-v3-to-v4/pull/1/files (worked):
```diff
steps:
- name: foo
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
```
In both cases, the original hash and version comments are identical. But the version comment is only updated in one of them.
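Review bot: the `+` line of the failed diff keeps `# v3.6.0` next to hash 3df4ab1, the same hash the working diff labels `# v4.0.0`, so the comment now misstates the pinned version and should read `# v4.0.0`; a reviewer who trusts the comment would not notice that this PR crosses a major version boundary.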
Similarly, in github/docs-internal we got:
```diff
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.0.0
```
See: https://github.com/github/docs-internal/pull/48056/files
So it was from one version of v4.x to another version of v4.x.
Reported also in: https://github.slack.com/archives/CJTN025GX/p1702913564450489
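Review bot: both sides of this hunk carry `# v4.0.0`, so reading the comment alone shows no change even though the pinned hash moved from 3df4ab1 to b4ffde6; the thread labels 3df4ab1 as v4.0.0, so the new hash is a later v4.x release and the `+` line should carry that tag instead of repeating the old one.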
Is there an existing issue for this?
Package ecosystem
github-actions
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
No response
dependabot.yml content
Failing:
Working:
Updated dependency
Bumping hash-pinned actions/checkout from any v3.x to the new v4.0.0.
What you expected to see, versus what you actually saw
What I see: The PR to update a hash-pinned actions/checkout from v3.x to v4.0.0 sometimes only updates the hash, not the version comment.
What I expect: The PR should always update the version comment, as it does for other GitHub Actions (i.e. AOMediaCodec/libavif#1542)
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
Two examples:
In both cases (one starting from v3.6.0, the other v3.1.0), we see all references to actions/checkout get an updated hash, but the version comments are unchanged.
In an attempt to create a minimal reproducible example, I created an example that actually works, even though the uses statement and dependabot files are equivalent:
Smallest manifest that reproduces the issue
No response
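As an added check (not part of this issue or of Dependabot's code), a small Python script that flags the condition described above: hash-pinned `uses:` lines whose version comment is missing or disagrees with the tag the hash corresponds to, plus references that are not hash-pinned at all. The sha-to-tag map is an assumption built from the two hashes quoted in this thread; a real run would resolve each hash against the action repository's tags.

```python
import re

# Constructed sample: the post-update `uses:` lines from the two PRs quoted in
# the issue (stale comment, correct comment), plus one floating-tag reference.
SAMPLE_WORKFLOW = """\
steps:
  - name: Checkout the repository
    uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v3.6.0
  - name: foo
    uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
  - name: not hash-pinned at all
    uses: actions/checkout@v4
"""

# Assumed sha -> tag map, built from the two hashes the issue identifies as
# v3.6.0 and v4.0.0; a real check resolves hashes against the action's tags.
KNOWN_TAGS = {
    "f43a0e5ff2bd294095638e18286ca9a3d1956744": "v3.6.0",
    "3df4ab11eba7bda6032a0b82a6bb43b11571feac": "v4.0.0",
}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)@(?P<ref>\S+)(?:\s*#\s*(?P<comment>\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def check_pins(workflow_text, known_tags):
    """Return (line_no, action, message) for every `uses:` line that is not
    hash-pinned or whose version comment is missing or disagrees with its hash."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action", "ref", "comment")
        if not SHA_RE.match(ref):
            findings.append((line_no, action, f"not hash-pinned: @{ref}"))
            continue
        expected = known_tags.get(ref)  # None when the sha is not a known tag
        if expected is None:
            findings.append((line_no, action, f"unknown sha {ref[:7]}: comment not verifiable"))
        elif comment is None:
            findings.append((line_no, action, f"missing version comment: sha {ref[:7]} is {expected}"))
        elif comment != expected:
            findings.append((line_no, action, f"stale comment {comment}: sha {ref[:7]} is {expected}"))
    return findings

if __name__ == "__main__":
    for line_no, action, message in check_pins(SAMPLE_WORKFLOW, KNOWN_TAGS):
        print(f"line {line_no}: {action}: {message}")
```

On the sample it reports line 3 (the failed PR's stale `# v3.6.0`) and line 7 (the floating `@v4`), and stays silent on line 5, where comment and hash agree.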