
Dependabot not detecting the latest version of a Github action #5017

Closed
tyrann0us opened this issue Apr 20, 2022 · 16 comments · Fixed by #5963
Labels
L: github:actions GitHub Actions T: bug 🐞 Something isn't working

Comments

@tyrann0us
Contributor

tyrann0us commented Apr 20, 2022

Package ecosystem

  • github-actions

Manifest location and content before the Dependabot update

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"

Updated dependency

  • nothing was updated

What you expected to see, versus what you actually saw
The workflow references the ramsey/composer-install action like so:

        uses: ramsey/composer-install@v1

In the Dependabot logs I see:

updater | INFO <job_346693526> Checking if ramsey/composer-install 1 needs updating
  proxy | 2022/04/14 20:12:36 [044] GET https://github.com:443/ramsey/composer-install.git/info/refs?service=git-upload-pack
  proxy | 2022/04/14 20:12:36 [044] * authenticating git server request (host: github.com)
  proxy | 2022/04/14 20:12:36 [044] 200 https://github.com:443/ramsey/composer-install.git/info/refs?service=git-upload-pack
updater | INFO <job_346693526> Latest version is 994bb194a4fefcf39449ccf0f7766a4318f1ac76
updater | INFO <job_346693526> No update needed for ramsey/composer-install 1

There are a couple of things off:

I would expect Dependabot to create a PR and update this action to v2.

🕹 Bonus points: Smallest manifest that reproduces the issue

name: Test Dependabot update
on:
  workflow_dispatch:
jobs:
  test-dependabot:
    runs-on: ubuntu-latest
    steps:
      - uses: ramsey/composer-install@v1

(Untested)

Notes
This is a follow-up of #4834 (comment).
CC @mctofu, @greysteil, @jurre, @jakecoffman

@jeffwidman
Member

@tyrann0us Did #5516 fix this?

#5576 will also change the behavior slightly of how actions with SHAs are upgraded, although I doubt it will affect anything here.

@jeffwidman jeffwidman added the L: github:actions GitHub Actions label Aug 25, 2022
@tyrann0us
Contributor Author

Hi @jeffwidman, thanks for getting back to me. I just manually ran the Dependabot check, but it still didn't detect updates for ramsey/composer-install. Here's the log:

[…]
updater | time="2022-08-25T07:09:12Z" level=info msg="starting job..." fetcher_timeout=5m0s job_id=445956888 updater_timeout=45m0s updater_version=0.211.0-e840d98a92564b79bbc00560d45866cf26b509b8
[…]
updater | INFO <job_445956888> Checking if ramsey/composer-install 1 needs updating
  proxy | 2022/08/25 07:09:21 [034] GET https://github.com:443/ramsey/composer-install.git/info/refs?service=git-upload-pack
  proxy | 2022/08/25 07:09:21 [034] * authenticating git server request (host: github.com)
  proxy | 2022/08/25 07:09:21 [034] 200 https://github.com:443/ramsey/composer-install.git/info/refs?service=git-upload-pack
updater | INFO <job_445956888> Latest version is 994bb194a4fefcf39449ccf0f7766a4318f1ac76
  proxy | 2022/08/25 07:09:21 [036] GET https://github.com:443/actions/cache.git/info/refs?service=git-upload-pack
  proxy | 2022/08/25 07:09:21 [036] * authenticating git server request (host: github.com)
updater | INFO <job_445956888> No update needed for ramsey/composer-install 1
[…]

The first included entry shows the Dependabot version (v0.211.0). However, #5516 was already released in v0.209.0.

@jeffwidman
Member

Copying what @pavera discovered and posted to an internal channel:

If the action's repo has branch names that match release tag names, we will prefer the branch over the tag, and effectively pin the version to the branch. It seems a good number of actions projects follow this development pattern. Right now the best workaround is to use a more specific version tag in the workflow, i.e. v7.4 instead of v7 in this specific case.

Either way, we'll need to make a judgement call on whether to prefer branch or tag... I'd personally lean toward tag over branch as the expected behavior, but curious what others think...

@deivid-rodriguez
Contributor

deivid-rodriguez commented Aug 25, 2022

I think, since with #5576 we will be actually cloning the repo, we should be able to figure this out unambiguously?

@pavera
Contributor

pavera commented Sep 6, 2022

Possibly, though I don't know that ambiguity is the issue in this case, more a problem of currently defined behavior.

Currently, given a repo custom-action with branches v1, v2, v3 and tags v1, v1.1, v2, v2.1, v2.2, v3, v3.1, and a workflow that specifies custom-action@v2, Dependabot finds the branch v2 (from the @v2 tag) and will only update to the head of that branch, so the latest version you'll ever get is v2.2.

The above behavior is what I meant by "prefers the branch". We would need to change this behavior to always use tags if we want to have Dependabot update from v2 -> v3. I started work on this change but based on internal discussion we weren't sure how many people were depending on the current behavior to prevent unwanted major version upgrades, so I paused my efforts.
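The branch-versus-tag resolution described above, as an added Ruby example that is not Dependabot's own code: it parses a constructed ls-remote-style ref listing for the hypothetical custom-action repo (made-up SHAs) and shows why a workflow pinned to @v2 never leaves the v2 branch when branches win, and how a tag-only lookup proposes v3 instead.

```ruby
# Constructed "git ls-remote"-style listing for the hypothetical custom-action repo:
# branches v1, v2, v3 and tags v1, v1.1, v2, v2.1, v2.2, v3, v3.1 (SHAs are made up).
SAMPLE_REFS = <<~REFS
  1111111111111111111111111111111111111111\trefs/heads/v1
  2222222222222222222222222222222222222222\trefs/heads/v2
  3333333333333333333333333333333333333333\trefs/heads/v3
  aaaa000000000000000000000000000000000001\trefs/tags/v1
  aaaa000000000000000000000000000000000002\trefs/tags/v1.1
  bbbb000000000000000000000000000000000001\trefs/tags/v2
  bbbb000000000000000000000000000000000002\trefs/tags/v2.1
  bbbb000000000000000000000000000000000003\trefs/tags/v2.2
  cccc000000000000000000000000000000000001\trefs/tags/v3
  cccc000000000000000000000000000000000002\trefs/tags/v3.1
REFS

Ref = Struct.new(:name, :sha, :kind)

# Parse "<sha>\t<refname>" lines; keep only branches and tags, dropping the refs/ prefix.
def parse_refs(text)
  text.each_line.filter_map do |line|
    sha, full = line.strip.split("\t", 2)
    next unless full
    if full.start_with?("refs/heads/") then Ref.new(full.delete_prefix("refs/heads/"), sha, :branch)
    elsif full.start_with?("refs/tags/") then Ref.new(full.delete_prefix("refs/tags/"), sha, :tag)
    end
  end
end

# Numeric sort key for "v2.2"-style names so that v3 sorts above v2.2.
def version_key(name)
  name.delete_prefix("v").split(".").map(&:to_i)
end

# Behaviour the thread describes: a branch whose name matches the pinned ref wins, so the
# "latest version" is just that branch's head SHA and a major bump is never proposed.
def latest_prefer_branch(refs, pinned)
  branch = refs.find { |r| r.kind == :branch && r.name == pinned }
  branch ? branch.sha : latest_prefer_tag(refs, pinned)
end

# Corrected behaviour: only tags count; report the highest tag at the precision the
# workflow pins at ("v2" -> "v3", "v2.1" -> "v3.1").
def latest_prefer_tag(refs, pinned)
  top = refs.select { |r| r.kind == :tag }.max_by { |r| version_key(r.name) }
  precision = pinned.delete_prefix("v").split(".").length
  "v" + version_key(top.name).first(precision).join(".")
end

# An update is proposed only when a newer tag was found; a bare branch-head SHA is the
# "No update needed" case seen in the logs above.
def update_needed?(refs, pinned, prefer_tag:)
  latest = prefer_tag ? latest_prefer_tag(refs, pinned) : latest_prefer_branch(refs, pinned)
  latest.start_with?("v") && (version_key(latest) <=> version_key(pinned)) == 1
end
```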

@deivid-rodriguez
Contributor

Thanks for the input @pavera!

I checked and at first sight it seems exactly what's happening here, and none of the linked PRs fixes the issue as you suspected.

I think this should be fixed, to be honest. I think major updates are ignorable through configuration anyways?

@jeffwidman jeffwidman moved this to Team discussion needed in Dependabot Sep 6, 2022
@jeffwidman
Member

jeffwidman commented Sep 6, 2022

On second thought, I agree with you here @deivid-rodriguez. The only other ecosystem that I'm aware of where we don't auto-bump to the next major one is go, and that's only because of technical limitations (go changes the import path within the code itself during a major version bump; this allows running multiple versions of a package at the same time if you want to do a rolling migration)... so it probably does make sense to treat this as an edge-case bug rather than a product decision. In which case, from an implementation perspective, we should default to preferring tag over branch.

@tyrann0us
Contributor Author

Hi @jeffwidman, @deivid-rodriguez,
with #5576 merged, I ran the check again.

updater | time="2022-09-13T10:37:59Z" level=info msg="starting job..." fetcher_timeout=5m0s job_id=457943659 updater_timeout=45m0s updater_version=8b7894be54c6b357e90d1be860cf1bbfbe3d4ea5

The Dependabot version seems to be newer than v0.212.0, where #5576 landed: 8b7894b. Still, I get the same result:

updater | INFO <job_457943659> No update needed for ramsey/composer-install 1

@deivid-rodriguez
Contributor

Yep yep, that matches our previous conclusion: this issue is different and needs a separate fix. Thanks for confirming 👍.

@deivid-rodriguez
Contributor

I'm pretty sure this was actually fixed by #5918. I had forgotten about this issue and opened that in response to a different report 😅.

So I'm closing this as fixed, but if I'm wrong please feel free to reopen!

Repository owner moved this from Team discussion needed to Done in Dependabot Oct 22, 2022
@jwillemsen

Reran dependabot on https://github.com/DOCGroup/MPC/blob/master/.github/workflows/windows.yml, but run-vcpkg is not detected as needing an update.

@deivid-rodriguez
Contributor

Then I was indeed wrong, thanks for verifying and providing a public repo that we can use to reproduce this!

@tyrann0us
Contributor Author

Can confirm that #5918 still does not detect newer versions of ramsey/composer-install in https://github.com/inpsyde/reusable-workflows/blob/main/.github/workflows/tests-unit-php.yml and other workflow files in this repo.
Let's wait for #5963 then. 🙂

@deivid-rodriguez
Contributor

#5963 is now ready, so this should get fixed soon 👍.

@tyrann0us
Contributor Author

Yes, I can confirm it finally works! 🎉

[…]
updater | time="2022-11-17T12:33:51Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=515777060 updater_timeout=45m0s updater_version=e320eddfbb9c71d4788279231be43846c48383a0
[…]
updater | INFO <job_515777060> Checking if ramsey/composer-install 1 needs updating
  proxy | 2022/11/17 12:34:12 [046] GET https://github.com:443/ramsey/composer-install.git/info/refs?service=git-upload-pack
  proxy | 2022/11/17 12:34:12 [046] * authenticating git server request (host: github.com)
  proxy | 2022/11/17 12:34:12 [046] 200 https://github.com:443/ramsey/composer-install.git/info/refs?service=git-upload-pack
updater | INFO <job_515777060> Latest version is 2
updater | INFO <job_515777060> Requirements to unlock own
updater | INFO <job_515777060> Requirements update strategy 
updater | INFO <job_515777060> Updating ramsey/composer-install from 1 to 2
[…]
updater | INFO <job_515777060> Submitting ramsey/composer-install pull request for creation

Thanks!

@deivid-rodriguez
Contributor

Great, thanks for your patience :)
