Actions used from composite actions are not bumped by dependabot #6704
Comments
Yeah, I can reproduce this. Currently the only way to update composite actions is to configure the directory containing the But even if not explicitly configured, we should also parse any local actions referenced by any parsed workflow files, so that you can get all updates for a specific dependency together like you expected.
@deivid-rodriguez thanks! when you say to configure the directory with the
Yes, that's what I mean.
Required until dependabot/dependabot-core#6704 is fixed
As I understand (I also bumped into this problem), there's no "standard directory" for defining internal actions (I don't think I also have a similar issue with a private GitHub repo hosting multiple actions at e.g.:
With that repository and dependabot configured with But currently instead what happens is that dependabot will only search for updates within Realistically I don't think dependabot will ever sweep the whole repo for valid GH Actions files, but instead I expect one of these issues being fixed (so we can simplify our dependabot config when it has multiple directories with the same ecosystem): #2178 #1582
I believe it's correct that there's no standard directory for internal actions, however, nonetheless they could be discovered by recursively following local
I can label as a feature request, probably a better fit! My intention to support this was to do what @alex suggests, since that's what we already do in similar situations.
dependabot/dependabot-core#6704 PiperOrigin-RevId: 595066288 Change-Id: I41ed288918a55c3b9c2ebc901ab201db5781a072
dependabot/dependabot-core#6704 PiperOrigin-RevId: 595066288 Change-Id: I8a721aba6b163875b1bb2bd227f589d59a4567a2
Hi! Can you try using multi-directory support and grouping rules? That should work to update composite actions. cc @abdulapopoola
Thanks! pyca/cryptography#10921 this definitely makes it less verbose. Once there are wildcards we'll be able to do
@deivid-rodriguez Can you provide an example configuration for an action located at
I no longer maintain this repo, but you can see a few linked commits and PRs with the current workaround.
@carlincherry, are you able to give an example of how the multi-directory would look here? Would it be the below?

```yaml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directories:
      - "/"
      - "/.github/actions/*/action.yaml"
    schedule:
      interval: "daily"
```

There isn't a standard, but like many users we use I'm concerned that Dependabot may still be looking for a
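The "multi-directory support and grouping rules" workaround suggested earlier in the thread, written out as an added example (not from the issue, the linked PRs, or dependabot-core itself). It assumes the composite action lives at `.github/actions/cache/action.yml` as in the pyca/cryptography link, and that the `directories` and `groups` keys are available in the Dependabot version in use; the action directory is listed explicitly because wildcards were not yet supported when the thread was written. Leaving a composite action out of the configuration means the action versions pinned inside it silently stop receiving updates, so the "after" block is what keeps them patched alongside the workflows.

```yaml
# Added example; not the issue's own config. Assumes the composite action
# is at .github/actions/cache/action.yml and that "directories" and
# "groups" are supported by the Dependabot version in use.
version: 2
updates:
  # Before (the behaviour reported in the issue): with only "/" configured,
  # Dependabot parses .github/workflows/*.yml and never sees the "uses:"
  # pins inside .github/actions/cache/action.yml, so they go stale.
  #
  # - package-ecosystem: "github-actions"
  #   directory: "/"
  #   schedule:
  #     interval: "weekly"

  # After: name each directory that holds a composite action's action.yml
  # explicitly (one entry per action; no wildcards), and group all
  # github-actions updates so a bump of e.g. actions/cache lands in the
  # workflows and the composite action in a single pull request.
  - package-ecosystem: "github-actions"
    directories:
      - "/"
      - "/.github/actions/cache"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns:
          - "*"
```

Each additional composite action needs its own `directories` entry until glob support is available.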
Dependabot completely ignored composite actions since they don't follow the conventional directory structure for storing .yml files. As a workaround, we have to explicitly instruct Dependabot to scan the directory with .yml files. Ref: dependabot/dependabot-core#6704 Signed-off-by: iusmac <[email protected]>
Is there an existing issue for this?
Package ecosystem
github actions
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
No response
dependabot.yml content
Updated dependency
actions/cache
What you expected to see, versus what you actually saw
I expect https://github.com/pyca/cryptography/blob/main/.github/actions/cache/action.yml#L33 to be upgraded by pyca/cryptography#8365, but it's not.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response