Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Explicit set minor and patch version on used actions #4833

Merged
merged 3 commits into from
Aug 1, 2022

Conversation

yubiuser
Copy link
Member

@yubiuser yubiuser commented Jul 24, 2022

  • What does this PR aim to accomplish?:

Allow updates for GH actions by dependabot also for minor and patch versions. So far, we only specify major versions in our workflows. Therefore, dependabot will only check if new major versions exist and won't update the workflow on new minor or patch versions.

By explicitly setting minor and patch version we allow dependabot to update those as well.

E.g. action/stale@v5 is currently missing the close-issue-reason. This was added in v5.1.0. However, dependabot fails to recognize the update atm.

P.S. I expect some dependabot PRs after this has been merged. I did not update the versions manually to get the dependabot changelog.


By submitting this pull request, I confirm the following:

  1. I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
  2. I have commented my proposed changes within the code and I have tested my changes.
  3. I am willing to help maintain this change if there are issues with it later.
  4. It is compatible with the EUPL 1.2 license
  5. I have squashed any insignificant commits. (git rebase)

  • I have read the above and my PR is ready for review. Check this box to confirm

@yubiuser yubiuser requested a review from a team July 24, 2022 12:41
@yubiuser
Copy link
Member Author

Smoke tests fails due to an upstream issue
editorconfig-checker/editorconfig-checker#213

@yubiuser yubiuser added the PR: Approval Required Open Pull Request, needs approval label Jul 24, 2022
@yubiuser
Copy link
Member Author

CodeQl does not seem to use .minor.patch versioning.

@PromoFaux
Copy link
Member

Are the minors and patches not rolled into the v3 action? I've never seen an example workflow use the full version number...

@DL6ER
Copy link
Member

DL6ER commented Jul 24, 2022

@PromoFaux I don't think so, when you go to any action page and click on "Use latest version", you get a yaml code suggestion like

Screenshot_2022-07-24-15-19-30-48_3aea4af51f236e4932235fdada7d1643~2

@PromoFaux
Copy link
Member

👀 - and that's not even the latest version!

@DL6ER
Copy link
Member

DL6ER commented Jul 24, 2022

Latest seems to be the most recently released one, not necessarily in agreement with the largest version number.

Screenshot_2022-07-24-15-28-47-05_3aea4af51f236e4932235fdada7d1643~2

@yubiuser
Copy link
Member Author

Currently latest versions:

checkout v3.0.2
stale v5.1.0
action-add-labels v1.1.0
action-editorconfig-checker v1.0.0
setup-python v4.1.0

@PromoFaux
Copy link
Member

Just throwing this in here.

Like Is said, I've never seen any docs point to using an exact version before - upstream actions owners should be moving the v2/v3 etc tags to point to the latest minor/patch version

It just feels like Dependabot will be opening unnecessary PRs at with this change. Taking the actions/checkout repo as an example:

image

v3 and v3.0.2 point to the same commit -Dependabot does not need to do anything 🤷

@PromoFaux
Copy link
Member

It appears only stale has not done this.

image

image

image

@yubiuser
Copy link
Member Author

yubiuser commented Jul 25, 2022

I see this is an issue with stale not moving their release to the latest commit.
However, I still think this a valid PR: we know exactly which action version we use, we see what's changed between versions and can easily revert if something breaks.
I'd like to know which software we are using. We always tell users to read our release notes, but for the actions we use we go mostly blindly so far.

@yubiuser
Copy link
Member Author

actions/stale#783

@yubiuser
Copy link
Member Author

To support my statement from above: currently, we have two issues with actions, stale and editorconfig-checker. If we would use explicit versions, one would not have occurred and the other one could mitigated by simply revert to the previous action version.

@PromoFaux
Copy link
Member

You might just have convinced me. I notice you have set everything to x.0.0, is that to test the dependabot action? Might be safer to set it off on a test repo first of all and then just pin these to whatever version we want to (rather than deal with a million different dependabot PRs after/if this is merged)

@yubiuser yubiuser force-pushed the workflow_versions branch 3 times, most recently from b138075 to 3f05b15 Compare July 25, 2022 21:46
PromoFaux
PromoFaux previously approved these changes Jul 30, 2022
@yubiuser yubiuser added PR: Approved Open Pull Request, Approved by required number of reviewers and removed PR: Approval Required Open Pull Request, needs approval labels Jul 30, 2022
yubiuser added 3 commits July 31, 2022 09:46
Signed-off-by: Christian König <ckoenig@posteo.de>
Signed-off-by: Christian König <ckoenig@posteo.de>
Signed-off-by: Christian König <ckoenig@posteo.de>
@yubiuser
Copy link
Member Author

Needs re-approval after force-push to amend pgp signature.

@yubiuser yubiuser requested a review from PromoFaux July 31, 2022 07:47
@PromoFaux PromoFaux merged commit 21158cb into development Aug 1, 2022
@PromoFaux PromoFaux deleted the workflow_versions branch August 1, 2022 16:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
internal PR: Approved Open Pull Request, Approved by required number of reviewers
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants