bot does not bump all occurrences in GH actions #8647

Open
1 task done
Borda opened this issue Dec 19, 2023 · 3 comments
Labels
T: bug 🐞 Something isn't working

Comments

@Borda

Borda commented Dec 19, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

github actions

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

.github/dependabot.yaml

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

Found while bumping artifact actions and reporting in actions/upload-artifact#480 that, in fact, the problem is that Dependabot did not bump all occurrences (in particular composite actions) of a specific action, as you can see in Lightning-AI/utilities#209, where I had to bump download-artifact manually because it was missed in Lightning-AI/utilities#208.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

@Borda Borda added the T: bug 🐞 Something isn't working label Dec 19, 2023
@carlincherry
Member

Hi! Can you try using multi-directory support and grouping rules? That should work to update composite actions. cc @abdulapopoola

@jokarl

jokarl commented Jun 5, 2024

Hi! Can you try using multi-directory support and grouping rules? That should work to update composite actions. cc @abdulapopoola

This solved my issue, but it is a lot of work getting this to work. We have many composite actions in a single repository, and we are forced to enumerate all of them in the directories array because wildcards aren't supported.

I thought that was enough, but simply adding all directories makes dependabot open a PR for the first outdated dependency it finds of a certain action. If you scan again, it simply says a PR already exists despite there being multiple instances left of that outdated dependency.

Adding groups as well as directories makes it more manageable, but to avoid overhead and missing dependencies we are forced to use * as a pattern, because it is not reasonable to expect everyone to remember to update the pattern array of the dependabot file. This means, since we are always using major version tags for actions, that all major changes are in a single PR and require rolling back all changes if something breaks, and then manually updating the dependencies one by one instead.

@carlincherry
Member

forced to enumerate all of them in the directories array because wildcards aren't supported

We have a private beta going for wildcard support! Would you like to join? We anticipate GAing wildcard support within the next few weeks as well.

Thank you for your feedback as well!

to avoid overhead and missing dependencies we are forced to use * as a pattern because it is not reasonable to expect everyone to remember to update the pattern array of the dependabot file.

Is there a more specific but still generalizable pattern that might work for you than *? I hear you on the pain of rolling back all changes if something breaks, and then manually updating the dependencies one by one instead.
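An added illustration of the multi-directory plus grouping workaround described in jokarl's comment, and of the "more specific but still generalizable" split the maintainer asks about above. This is not configuration from the issue or from Dependabot's own docs; the action directory names are constructed, and the assumption is that each composite action lives in its own directory under .github/actions and that the repository pins first-party actions under the actions/ owner.

```yaml
# Added example, not the reporter's dependabot.yml.
# Assumed (constructed) layout:
#   .github/workflows/*.yml
#   .github/actions/setup-env/action.yml
#   .github/actions/publish/action.yml
version: 2
updates:
  - package-ecosystem: "github-actions"
    # Every composite action directory has to be listed explicitly; at the
    # time of this thread wildcards in `directories` were only in private
    # beta, so a new composite action is silently skipped until someone
    # adds its directory here.
    directories:
      - "/"                           # workflows under .github/workflows
      - "/.github/actions/setup-env"  # constructed path
      - "/.github/actions/publish"    # constructed path
    schedule:
      interval: "weekly"
    groups:
      # Narrower but still generalizable group: first-party GitHub actions
      # (actions/checkout, actions/upload-artifact, ...) are bumped together
      # in one PR, so a breaking major bump there can be reverted without
      # touching third-party actions.
      github-first-party:
        patterns:
          - "actions/*"
      # Catch-all for everything else. Keeping a `*` group means a newly
      # introduced action is never missed just because nobody edited the
      # pattern list; `exclude-patterns` keeps it from swallowing the
      # first-party group above.
      third-party:
        patterns:
          - "*"
        exclude-patterns:
          - "actions/*"
```

The trade-off jokarl describes still holds within each group (a broken bump means reverting that group's PR), but the blast radius is now one group rather than every pinned action at once.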
