[CI] Bump last occurrence of actions/checkout@v2 to v3

[DimitriPapadopoulos]

No description provided.

[codecov]

Codecov Report

Base: 88.57% // Head: 88.57% // No change to project coverage 👍

Coverage data is based on head (56ce732) compared to base (a98ea74).
Patch has no changes to coverable lines.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #1303   +/-   ##
=======================================
  Coverage   88.57%   88.57%           
=======================================
  Files           6        6           
  Lines        1042     1042           
=======================================
  Hits          923      923           
  Misses        119      119           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[Remi-Gau]

@DimitriPapadopoulos

I think our dependabot should take care of this.

bids-specification/.github/dependabot.yml

Line 5 in a98ea74

- package-ecosystem: "github-actions"

Or at least should have. @sappelhoff Are we missing something?

[sappelhoff]

yes, this should be taken care of by the bot 🤔 not sure why it wasn't triggered today, because it's set to "weekly" and it's Monday. 🤷‍♂️

I think we should rather fix the bot (potentially in this PR) than merge the manual changes

[DimitriPapadopoulos]

In past pull requests, I can see dependabot updating all actions except actions/checkout:

• Bump codecov/codecov-action from 1 to 3 #1172
• Bump actions/setup-node from 2 to 3 #1173
• Bump actions/setup-python from 3 to 4 #1174
• Bump codecov/codecov-action from 2 to 3 #1243
• Bump actions/upload-artifact from 2 to 3 #1244
• Bump actions/upload-artifact from 2 to 3 #1244

The merge request that introduced .github/dependabot.yml is #1168 from 1 Aug. At that point, all actions/checkout actions were already at @v3, after a manual update in #1044. The @v2 was introduced by #1252 on 25 Aug and never fixed by dependabot. Will have to find why...

[DimitriPapadopoulos]

I don't think I have access to dependabot logs to fix this. Someone else will have to look into this. Among possible reasons:

• Dependabot cannot update to the required version as there is already an open pull request for the latest version
• Dependabot cannot open any more pull requests

[sappelhoff]

Where would I find the dependabot logs?

[DimitriPapadopoulos]

I don't have much experience with Dependabot. Perhaps Troubleshooting Dependabot errors will help:

Investigating errors with Dependabot security updates

When Dependabot is blocked from creating a pull request to fix a Dependabot alert, it posts the error message on the alert. The Dependabot alerts view shows a list of any alerts that have not been resolved yet. To access the alerts view, click Dependabot alerts on the Security tab for the repository.

Investigating errors with Dependabot version updates

When Dependabot is blocked from creating a pull request to update a dependency in an ecosystem, it posts the error icon on the manifest file. The manifest files that are managed by Dependabot are listed on the Dependabot tab. To access this tab, on the Insights tab for the repository click Dependency graph, and then click the Dependabot tab.

[DimitriPapadopoulos]

Ah, based on the above, I think I do have access to the logs:
https://github.com/bids-standard/bids-specification/network/updates/469294046

Somehow, I think that because all other actions/checkout actions are already at version @v3, the single occurrence of @v2 goes unnoticed or is skipped on purpose:

INFO <job_469294046> Checking if actions/checkout 3 needs updating
  proxy | 2022/09/26 08:32:18 [015] GET https://github.com:443/actions/checkout.git/info/refs?service=git-upload-pack
  proxy | 2022/09/26 08:32:18 [015] * authenticating git server request (host: github.com)
  proxy | 2022/09/26 08:32:18 [015] 200 https://github.com:443/actions/checkout.git/info/refs?service=git-upload-pack
updater | INFO <job_469294046> Latest version is 3
updater | INFO <job_469294046> No update needed for actions/checkout 3

[sappelhoff]

Curious, that seems like a bug in the dependabot script then! I am fine with merging this then, thanks a lot for looking into it @DimitriPapadopoulos

[DimitriPapadopoulos]

Yes, probably a bug. Strangely enough, I can see two sets of actions/checkout dependencies under tab Dependencies:

[DimitriPapadopoulos]

After this request has been merged, the two distinct sets of actions/checkout dependencies have disappeared, but the count of actions/checkout dependencies still seems wrong to me (3 instead of 5):