
Dependabot doesn't always update version comments for hash-pinned actions/checkout@v3 to @v4 #8011

Open
1 task done
pnacht opened this issue Sep 11, 2023 · 4 comments
Labels
T: bug 🐞 Something isn't working

Comments

@pnacht

pnacht commented Sep 11, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

github-actions

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

Failing:

Working:

Updated dependency

Bumping hash-pinned actions/checkout from any v3.x to the new v4.0.0.

What you expected to see, versus what you actually saw

What I see: The PR to update a hash-pinned actions/checkout from v3.x to v4.0.0 sometimes only updates the hash, not the version comment.

What I expect: The PR should always update the version comment, as it does for other GitHub Actions (i.e. AOMediaCodec/libavif#1542)

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

Two examples:

In both cases (one starting from v3.6.0, the other v3.1.0), we see all references to actions/checkout get an updated hash, but the version comments are unchanged.

- actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v3.6.0

In an attempt to create a minimal reproducible example, I created an example that actually works, even though the uses statement and dependabot files are equivalent:

Smallest manifest that reproduces the issue

No response

@woodruffw

We've seen a variant of this with other actions as well, including ruby/setup-ruby.

More generally, it looks like Dependabot fails to update the version comment unless the pre-existing comment exactly matches the previous version. This means that any manual update of a workflow (or any other mechanism that fails to update the comment) ends up causing "cascading" stale version comments.

xref: sigstore/protobuf-specs#139
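The comment above describes two review problems with hash-pinned actions: a version comment that no longer matches the SHA it sits beside, and the cascade that follows once one stale comment is left in a file. As an added example (not part of this issue and not Dependabot's code), the Python below scans a workflow for `uses:` lines and flags refs that are not hash-pinned, pins with no version comment, comments that disagree with a SHA-to-version map, and one unknown SHA commented two different ways within the same file. It also includes a helper that checks a before/after `uses:` pair the way a reviewer would, asking whether the hash changed while the comment stayed put. The workflow text, the `example-org/example-action` name and the `RESOLVED_VERSIONS` map are constructed for the example; the two `actions/checkout` SHAs and their versions in that map are the ones quoted in this thread, and in a real audit the map would come from resolving each action repository's tags.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches a GitHub Actions `uses:` step that references a remote action.
# Local (./path) and docker:// references are deliberately not matched.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*
        (?P<action>[\w.-]+/[\w.-]+)      # owner/repo
        (?:/[^@\s]+)?                    # optional sub-action path inside the repo
        @(?P<ref>[^\s\#]+)               # @ref: tag, branch name or full commit SHA
        (?:\s*\#\s*(?P<comment>\S+))?    # optional trailing "# vX.Y.Z" comment
    """,
    re.VERBOSE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Pin:
    line_no: int
    action: str
    ref: str
    comment: Optional[str]


@dataclass
class Finding:
    line_no: int
    kind: str
    detail: str


def parse_uses(workflow_text: str) -> List[Pin]:
    """Extract every remote `uses:` reference with its line number."""
    pins = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            pins.append(Pin(line_no, m["action"], m["ref"], m["comment"]))
    return pins


def audit(pins: List[Pin], resolved: Dict[str, str]) -> List[Finding]:
    """Flag pins a reviewer cannot trust at a glance.

    `resolved` maps a commit SHA to the version tag it really points at.
    Known SHAs are checked against it; unknown SHAs are only checked for
    version comments that disagree with each other inside the file.
    """
    findings = []
    comments_by_ref = defaultdict(set)
    for pin in pins:
        if not SHA_RE.match(pin.ref):
            findings.append(Finding(pin.line_no, "unpinned",
                            f"{pin.action}@{pin.ref} is a mutable tag or branch"))
            continue
        if pin.comment is None:
            findings.append(Finding(pin.line_no, "missing-comment",
                            f"{pin.action}@{pin.ref[:7]} has no version comment"))
            continue
        expected = resolved.get(pin.ref)
        if expected is None:
            comments_by_ref[(pin.action, pin.ref)].add(pin.comment)
        elif pin.comment != expected:
            findings.append(Finding(pin.line_no, "stale-comment",
                            f"comment says {pin.comment} but SHA is {expected}"))
    # Same unknown SHA, different comments: at least one of them is wrong.
    for pin in pins:
        seen = comments_by_ref.get((pin.action, pin.ref), set())
        if pin.comment in seen and len(seen) > 1:
            findings.append(Finding(pin.line_no, "inconsistent-comment",
                            f"{pin.action}@{pin.ref[:7]} is commented as {sorted(seen)}"))
    return sorted(findings, key=lambda f: f.line_no)


def bump_left_comment_stale(old_line: str, new_line: str) -> bool:
    """Review check for one removed/added `uses:` pair in a bump diff: True when
    the SHA changed but the version comment did not (the symptom in this issue)."""
    old = USES_RE.match(old_line.lstrip("+- "))
    new = USES_RE.match(new_line.lstrip("+- "))
    if not (old and new) or old["action"] != new["action"]:
        return False
    return (old["ref"] != new["ref"] and old["comment"] is not None
            and old["comment"] == new["comment"])


# Constructed sample workflow; example-org/example-action is made up.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - name: Comment left behind by a bump (the bug in this issue)
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v3.6.0
      - name: Same SHA, comment updated correctly
        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
      - name: Floating tag, not hash-pinned
        uses: actions/setup-node@v4
      - name: Hash pin with no version comment
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
      - name: Unknown SHA commented two different ways in one file
        uses: example-org/example-action@1111111111111111111111111111111111111111 # v1.2.0
      - uses: example-org/example-action@1111111111111111111111111111111111111111 # v1.1.0
"""

# Constructed SHA -> tag map built from the hashes quoted in this thread.
RESOLVED_VERSIONS = {
    "f43a0e5ff2bd294095638e18286ca9a3d1956744": "v3.6.0",
    "3df4ab11eba7bda6032a0b82a6bb43b11571feac": "v4.0.0",
}


def audit_sample() -> List[Finding]:
    return audit(parse_uses(SAMPLE_WORKFLOW), RESOLVED_VERSIONS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

Run against the sample, the audit reports the stale `v3.6.0` comment on the `v4.0.0` SHA, the floating `setup-node@v4` tag, the comment-less pin, and both lines of the inconsistently commented unknown SHA, while the correctly updated line passes. The inconsistent-comment check needs no network access, which is what makes it useful as a pre-merge gate: it catches exactly the cascade described above before the next bump builds on a wrong comment.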

@woodruffw

Did a bit more looking, and this appears to be the more generic underlying issue: #7912

@pnacht

pnacht commented Sep 15, 2023

But in my linked cases, there don't seem to be any incorrect version comments.

This is clearest when comparing the diffs in the case where the version comment was successfully updated from 3.6.0 to 4.0.0 and the case where it wasn't updated from the same 3.6.0:

https://github.com/AOMediaCodec/libavif/pull/1571/files (failed):

    steps:
      - name: Checkout the repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+       uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v3.6.0

https://github.com/pnacht/dependabot-actions-checkout-v3-to-v4/pull/1/files (worked)

    steps:
      - name: foo
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+       uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0

In both cases, the original hash and version comments are identical. But the version comment is only updated in one of them.

@peterbe

peterbe commented Dec 18, 2023

Similarly, in github/docs-internal we got:

-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.0.0

See: https://github.com/github/docs-internal/pull/48056/files

So it was from one version of v4.x to another version of v4.x.

Reported also in: https://github.slack.com/archives/CJTN025GX/p1702913564450489
