Release notes link is wrong for keptn/keptn check-spelling/[email protected]
Package ecosystem GitHub Actions
Package manager version
Language version
Manifest location and content prior to update
https://github.com/keptn/keptn/blob/f01ee895f71e9055e9acc4df755d608d50e5b854~/.github/workflows/spelling.yml
name: Spell checking
on:
  push:
    branches:
      - "**"
    tags-ignore:
      - "**"
  pull_request_target:
    branches:
      - "**"
    tags-ignore:
      - "**"
    types: ['opened', 'reopened', 'synchronize']
jobs:
  build:
    name: Spell checking
    runs-on: ubuntu-20.04
    steps:
      - name: checkout-merge
        if: "contains(github.event_name, 'pull_request')"
        uses: actions/[email protected]
        with:
          ref: refs/pull/${{github.event.pull_request.number}}/merge
          fetch-depth: 5
      - name: checkout
        if: "!contains(github.event_name, 'pull_request')"
        uses: actions/[email protected]
        with:
          fetch-depth: 5
      - uses: check-spelling/[email protected]
https://github.com/keptn/keptn/blob/7a109e76f3fda63cede48cceda6eea65942b2a02/.github/dependabot.yml
version: 2
updates:
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: daily
    open-pull-requests-limit: 5
    rebase-strategy: "disabled"
Updated dependency
Bumps [check-spelling/check-spelling](https://github.com/check-spelling/check-spelling) from 0.0.17-alpha to v0.0.18.
What you expected to see, versus what you actually saw
commit f01ee895f71e9055e9acc4df755d608d50e5b854
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon May 3 08:49:51 2021 +0000
Bump check-spelling/check-spelling from 0.0.17-alpha to v0.0.18
Bumps [check-spelling/check-spelling](https://github.com/check-spelling/check-spelling) from 0.0.17-alpha to v0.0.18.
- [Release notes](https://github.com/check-spelling/check-spelling/releases)
- [Commits](https://github.com/check-spelling/check-spelling/compare/0.0.17-alpha...08f08a6ff6b9ebae06cb8fe463374a8a5a37e03c)
The release notes link should have been to: https://github.com/check-spelling/check-spelling/releases/tag/v0.0.18
Native package manager behavior
N/A
Images of the diff or a link to the PR, issue or logs
🕹 Bonus points: Smallest manifest that reproduces the issue
n.b. I don't understand why this PR was made in the first place as noted in https://github.com/keptn/keptn/pull/3930#issuecomment-831226270 -- the tag is for a pre-release, and I wouldn't expect dependabot to offer pre-releases.
This code doesn't seem to care about releases: https://github.com/dependabot/dependabot-core/blob/c3c87bb90042cf5b3d3af50d42b0e83fe3267041/github_actions/lib/dependabot/github_actions/update_checker.rb#L54-L71
Compare: https://github.com/dependabot/dependabot-core/blob/b1f81765c32de788182ae204c802c3c83e081efd/cargo/lib/dependabot/cargo/update_checker/latest_version_finder.rb#L34-L39 https://github.com/dependabot/dependabot-core/blob/b1f81765c32de788182ae204c802c3c83e081efd/cargo/lib/dependabot/cargo/update_checker/latest_version_finder.rb#L50-L54
I think that if dependabot first checked to see if there were releases, and if there were, used those, and failing that looked for git tags, I'd be much happier.
Had a quick look at this. Release notes link is now correct, but we have actually regressed here with recent update logic fixes, because 0.0.17-alpha is not considered the same precision as 0.0.20 (latest version).
A fix for that could be something like
diff --git a/common/lib/dependabot/git_commit_checker.rb b/common/lib/dependabot/git_commit_checker.rb
index 736427633..f808503c4 100644
--- a/common/lib/dependabot/git_commit_checker.rb
+++ b/common/lib/dependabot/git_commit_checker.rb
@@ -184,7 +184,7 @@ module Dependabot
end
def precision(version)
- version.split(".").length
+ [version.split(".").length, 3].min
end
def most_specific_version_tag_for_sha(commit_sha)
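Review bot: the literal 3 in precision (`[version.split(".").length, 3].min`) is unexplained, and the cap applies to every tag with more than three dot-separated parts, not only prerelease ones, so a four-part tag would now report the same precision as a three-part one. Please add a comment saying what the 3 stands for, and a spec that covers a prerelease tag and a four-part tag so the intended matching is pinned down.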
I also observed (after applying that change), that the PR still has weird wording:
--commit--
Bump check-spelling/check-spelling from 0.0.17.pre.alpha to 0.0.20
Bumps [check-spelling/check-spelling](https://github.com/check-spelling/check-spelling) from 0.0.17.pre.alpha to 0.0.20.
- [Release notes](https://github.com/check-spelling/check-spelling/releases)
- [Commits](https://github.com/check-spelling/check-spelling/compare/0.0.17-alpha...v0.0.20)
--/commit--
It should read 0.0.17-alpha instead. The problem is due to some internal transformation Gem::Version does on prerelease versions with dashes.
So at least two issues here that should be addressed, although not related to the issue reported originally, which seems fine now.
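The precision mismatch and the Gem::Version rewrite described in this comment, reproduced as an added Ruby example (not dependabot's code). It assumes precision is computed on the Gem::Version-normalised string; the helper names and the tag list are constructed for illustration.

```ruby
require "rubygems" # Gem::Version ships with Ruby

# "Before" side of the patch above: count the dot-separated parts.
def precision_before(version)
  version.split(".").length
end

# "After" side of the patch above: same count, capped at 3.
def precision_after(version)
  [version.split(".").length, 3].min
end

# Hypothetical helper: drop a leading "v" (Gem::Version rejects it) and
# return the string form Gem::Version keeps internally.
# Gem::Version rewrites "-" to ".pre.", which is where "0.0.17.pre.alpha"
# in the PR wording comes from.
def normalized(tag)
  Gem::Version.new(tag.sub(/\Av/, "")).to_s
end

# Hypothetical helper: keep only candidate tags whose precision equals the
# precision of the currently pinned tag (assumed matching rule).
def same_precision_candidates(current_tag, candidate_tags, precision_fn)
  wanted = precision_fn.call(normalized(current_tag))
  candidate_tags.select { |t| precision_fn.call(normalized(t)) == wanted }
end

# Constructed sample tags, not a listing of the real repository.
TAGS = ["v0.0.18", "v0.0.19", "v0.0.20", "v0"].freeze

if __FILE__ == $PROGRAM_NAME
  pinned = "0.0.17-alpha"
  puts "normalised pin:  #{normalized(pinned)}"
  puts "before, matches: #{same_precision_candidates(pinned, TAGS, method(:precision_before)).inspect}"
  puts "after,  matches: #{same_precision_candidates(pinned, TAGS, method(:precision_after)).inspect}"
  # Side effect of the cap: a four-part version now reports precision 3 as well.
  puts "1.2.3.4 after:   #{precision_after('1.2.3.4')}"
end
```
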
Technically you've also lost a v.
I only added the v sometime after 17 when it seemed that dependabot insisted on them, so it's only present in the "to" side.
Yeah, dependabot currently shows only the "numeric version" here, I guess we could switch the message to what was originally specified in the workflow.