Enable dependabot automatic updates #630
Conversation
| BRANCH: '${{ github.head_ref }}' | ||
| run: | | ||
| git fetch | ||
| git checkout $BRANCH |
There was a problem hiding this comment.
I'm surprised this works. I thought you'd have to add fetch-depth: 0 to the actions/checkout call, otherwise it makes a shallow checkout.
There was a problem hiding this comment.
This works and was previously necessary when I had just git push because unlike the actions/checkout call which checks out a detached HEAD the above actually checks out the branch and lets us push to it. Now that we've specified the branch in push I think we could use actions/checkout but I think leaving this is also okay (and might avoid someone confusion in the future about why just push doesn't work if they ever change it back).
| run: | | ||
| git fetch | ||
| git checkout $BRANCH | ||
| sudo npm install --force -g npm@latest |
There was a problem hiding this comment.
Just an open question of is using latest better than using what's on the actions VMs. They come with something pretty modern anyway, and it may be more stable than going with the latest. Although I assume this is still the latest released version and not true bleeding edge, so it's probably fine either way.
Whatever we do here, it should match the NPM version used in https://github.com/github/codeql-action/blob/main/.github/workflows/pr-checks.yml
There was a problem hiding this comment.
This was actually unfortunately necessary because the version in the Actions VM is old enough that it uses v1 of the lockfile and cannot do npm install correctly with the v2 lockfile that is checked in. This isn't necessary for the PR checks there because they do not actually do npm install and the other npm commands are forwards-compatible with the new lockfiles, but I agree for consistency we should probably use the same version there - I will update this. Indeed @latest is the latest stable release rather than the bleeding edge pre-release version which is @next.
edoardopirovano
force-pushed
the
enable-dependabot
branch
from
59d75eb to
6b12388
Compare
edoardopirovano
added
the
Update dependencies
edoardopirovano
force-pushed
the
enable-dependabot
branch
from
6b12388 to
934fb86
Compare
|
I'm a little surprised the workflow didn't run on this PR since I added the Update dependencies label. Any ideas why it wouldn't be working @robertbrignull? Does the |
Quite likely. The idea is that it runs the version of the workflow from the base branch to avoid the PR being able to change the workflow. |
Makes sense. Guess we can't test the updated workflow then, but since it hasn't changed too much from my first commit I'm sure it will be okay. |
Probably the best way would be to push another branch with a slightly altered workflow that does run on PRs, or test it in a totally separate respository. Both of those options can be a bit of effort though. There's not too much risk here as the worst that can happen is that the workflow just doesn't work. |
Given the low risk, I suggest we just wait and see if it works on Thursday. I tested my original commit and not that much has changed since it. Plus, testing it as you suggest while useful still wouldn't test some of the specifics of what happens when Dependabot opens the PR rather than me. |
Closes https://github.com/github/codeql-coreql-team/issues/1344
This adds a new workflow (triggered by a label) that updates the checked-in dependencies on a PR branch. It also enables Dependabot and has it apply the relevant label to have the checked-in dependencies updated. Unfortunately, the workflow will not work on forks due to missing the permissions to push to other user's forks, so we can't use it on our own PRs. It should work on Dependabot's PRs, though, since it creates its PRs from the main repo.