dependabot-core
Dependabot does not support github-actions/reusable-workflows dependencies from monorepo
Is there an existing issue for this?
- [X] I have searched the existing issues
Package ecosystem
github-actions, reusable-workflows
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
I have an example with two reusable workflows stored in the same repository. We use the name and version git tagging pattern to refer to a specific version of a single package: for example, `path-to-workflow1@workflow1/v1.0.0` and `path-to-workflow2@workflow2/v2.0.0`. We refer to these reusable workflows in two separate workflows in another repository.
You can find the workflow examples below that reference reusable workflows.

- https://github.com/alekspog/reusable-workflows-examples/blob/main/.github/workflows/echo.yml

```yaml
name: echo 1
on:
  workflow_dispatch:
jobs:
  run-tests:
    uses: alekspog/reusable-workflows-examples/.github/workflows/echo.yml@echo/v1.0.0
    with:
      text: 1
```

- https://github.com/alekspog/test-reusable-workflows/blob/main/.github/workflows/summary.yml

```yaml
name: Echo text to job summary
on:
  workflow_dispatch:
jobs:
  run-tests:
    uses: alekspog/reusable-workflows-examples/.github/workflows/summary.yml@summary/v1.0.0
    with:
      text: 'my summary'
```
dependabot.yml content
```yaml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
      time: "16:00"
```
Updated dependency
No response
What you expected to see, versus what you actually saw
- We already have `echo/v1.0.0` and `summary/v1.0.0` tags for the echo and summary reusable workflows.
- We updated the `summary` reusable workflow and created a `summary/v2.0.0` tag for it: https://github.com/alekspog/reusable-workflows-examples/releases/tag/summary%2Fv2.0.0
Expected result: Dependabot resolves the version for the `summary` workflow to `summary/v2.0.0`.

Actual result: Dependabot resolves the version for the `summary` workflow to `echo/v1.0.0`.

Every time I update the tag with the `summary` prefix, Dependabot still finds only v1.0.0. I see in the Dependabot logs for every run: `Latest version is 1.0.0`. It seems that Dependabot also respects the alphabetical order of the tags and takes the latest semver tag from the tag which is first from the top of the alphabetically sorted list of tags.
Other observations:
- We see the same behaviour for our github-actions that are stored in the monorepo.
- We see that Dependabot properly resolves versions for terraform packages stored in a monorepo using the same name and version git tagging pattern to refer to a specific version of a single package. It looks like there is a specific way of resolving such tags in the `github-actions` Dependabot package. It could be done the same way as for the `terraform` Dependabot package to solve the issue.
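As an added example (not dependabot-core's own code) of the resolution behaviour described above: a small Ruby model that contrasts the reported behaviour (pick the prefix that sorts first alphabetically, then its highest version) with prefix-aware resolution that only considers tags sharing the namespace of the ref already pinned in the caller workflow. The tag list and the `uses:` lines are constructed for the example from the names used in this issue; the function names and the `<name>/v<major>.<minor>.<patch>` regex are assumptions of the example, not Dependabot internals.

```ruby
# Added example, not dependabot-core code: models tag resolution for
# "<name>/v<major>.<minor>.<patch>" tags in a monorepo of reusable workflows.
# Tag list constructed for the example, mirroring the names used in this issue.
MONOREPO_TAGS = %w[
  echo/v1.0.0
  echo/v1.1.0
  summary/v1.0.0
  summary/v2.0.0
  summary/v2.1.0-rc1
].freeze

# Assumed tag shape; pre-release suffixes are deliberately not matched,
# so a tag such as summary/v2.1.0-rc1 is never proposed as an update.
TAG_PATTERN = %r{\A(?<prefix>[^/]+)/v(?<major>\d+)\.(?<minor>\d+)\.(?<patch>\d+)\z}.freeze

# Split a tag into its namespace prefix and a comparable version triple.
def parse_tag(tag)
  m = TAG_PATTERN.match(tag)
  return nil unless m

  { prefix: m[:prefix], version: [m[:major].to_i, m[:minor].to_i, m[:patch].to_i] }
end

# Pair every tag with its parsed form, dropping tags that do not fit the pattern.
def parsed_tags(tags)
  tags.map { |t| [t, parse_tag(t)] }.reject { |_, parsed| parsed.nil? }
end

# The behaviour the issue describes: the prefix that sorts first alphabetically
# wins, and its highest version is proposed regardless of the workflow referenced.
def resolve_ignoring_prefix(tags)
  parsed = parsed_tags(tags)
  first_prefix = parsed.map { |_, p| p[:prefix] }.min
  parsed.select { |_, p| p[:prefix] == first_prefix }
        .max_by { |_, p| p[:version] }
        &.first
end

# Prefix-aware resolution: only tags in the same namespace as the current ref
# are candidates, so echo/* tags can never be proposed for a summary/* ref.
def resolve_by_prefix(current_ref, tags)
  current = parse_tag(current_ref)
  return nil unless current

  parsed_tags(tags).select { |_, p| p[:prefix] == current[:prefix] }
                   .max_by { |_, p| p[:version] }
                   &.first
end

# Rewrite a caller workflow "uses:" line, leaving it unchanged unless the
# prefix-aware candidate is strictly newer than the version already pinned.
def updated_uses_line(line, tags)
  m = /\A(?<head>\s*-?\s*uses:\s*\S+?)@(?<ref>\S+)\s*\z/.match(line)
  return line unless m

  current = parse_tag(m[:ref])
  latest = resolve_by_prefix(m[:ref], tags)
  return line if current.nil? || latest.nil?
  return line unless (parse_tag(latest)[:version] <=> current[:version]).positive?

  "#{m[:head]}@#{latest}"
end

if __FILE__ == $PROGRAM_NAME
  caller_line = "    uses: alekspog/reusable-workflows-examples/.github/workflows/summary.yml@summary/v1.0.0"
  puts "reported behaviour : #{resolve_ignoring_prefix(MONOREPO_TAGS)}"
  puts "prefix-aware       : #{resolve_by_prefix('summary/v1.0.0', MONOREPO_TAGS)}"
  puts updated_uses_line(caller_line, MONOREPO_TAGS)
end
```

The candidate set is keyed on the prefix of the ref that is already in the manifest, which is the same information the `terraform` ecosystem has available for its name-and-version tags. The strictly-newer check in `updated_uses_line` additionally refuses a proposal whose version number is lower than the pinned one, so a cross-namespace tag with a smaller version can never replace a pin even if the prefix filter were missing.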
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
https://github.com/alekspog/test-reusable-workflows/pull/1/files
Smallest manifest that reproduces the issue
There are reusable workflows for this example.

https://github.com/alekspog/reusable-workflows-examples/blob/main/.github/workflows/echo.yml

```yaml
name: 'Echo text to stdout'
on:
  workflow_call:
    inputs:
      text:
        required: true
        type: string
        default: hello
jobs:
  echo-text:
    name: Echo text to stdout
    runs-on: ubuntu-latest
    steps:
      - name: Echo text to stdout
        run: echo ${{ inputs.text }}
```

https://github.com/alekspog/reusable-workflows-examples/blob/main/.github/workflows/summary.yml

```yaml
name: 'Print text to job summary'
on:
  workflow_call:
    inputs:
      text:
        required: true
        type: string
        default: hello
jobs:
  echo-text:
    name: Echo text to summary
    runs-on: ubuntu-latest
    steps:
      - name: Output text to summary
        run: echo ${{ inputs.text }} >> $GITHUB_STEP_SUMMARY
```
Same thing here, we have a monorepo with ~15 different reusable actions. When an update is made, all the calls to that monorepo's actions are being updated to a single action (I guess the latest semver tag from the tag which is first from the top of the alphabetically sorted list of tags, cf. @alekspog).
Diff from dependabot commit:
id: docker_check_tag
- uses: xxx/lex-github-actions/docker-check-tag@docker-check-tag/v0.1.0
+ uses: xxx/lex-github-actions/docker-check-tag@checkmarx/v0.2.0
with:
imageTag: ${{ steps.github_sha.outputs.id }}
imageURL: ${{ steps.image.outputs.url }}
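Review bot: the replacement ref `checkmarx/v0.2.0` on the `+` line comes from a different action's tag namespace than the `docker-check-tag/v0.1.0` it replaces, so this line now pins `docker-check-tag` to a tag that was cut for `checkmarx`; the candidate tags should be restricted to those sharing the `docker-check-tag/` prefix of the existing ref before a "latest" is selected.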
@@ -96,7 +96,7 @@ jobs:
steps.docker_check_tag.outputs.isNewTag == 'true'
name: 🛠 Build Image(s)
id: docker_build
- uses: xxx/lex-github-actions/docker-build@docker-build/v0.2.0
+ uses: xxx/lex-github-actions/docker-build@checkmarx/v0.2.0
with:
dir: ${{ matrix.dir }}
imageTag: ${{ steps.github_sha.outputs.id }}
@@ -105,7 +105,7 @@ jobs:
- if: |
steps.docker_check_tag.outputs.isNewTag == 'true'
name: 📁 Push Image(s)
- uses: xxx/lex-github-actions/docker-push@docker-push/v0.10.0
+ uses: xxx/lex-github-actions/docker-push@checkmarx/v0.2.0
with:
imageName: ${{ matrix.app }}
imageTag: ${{ steps.github_sha.outputs.id }}
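Review bot: `docker-push/v0.10.0` is replaced by `checkmarx/v0.2.0`, a lower version number than the one already pinned; a prefix-aware comparison would never produce this, and a guard that the proposed version is strictly higher than the current one within the same prefix would have blocked the change on its own.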
@@ -140,7 +140,7 @@ jobs:
- self-hosted
- lex
steps:
- - uses: xxx/lex-github-actions/slack-notify@slack-notify/v0.1.0
+ - uses: xxx/lex-github-actions/slack-notify@checkmarx/v0.2.0
with:
channelName: maestro-notifs
failure: true
@@ -158,7 +158,7 @@ jobs:
id-token: 'write'
steps:
- name: 🚀 Deploy on pr DEV
- uses: xxx/lex-github-actions/x-deploy-onpr@x-deploy-onpr/v2.0.2
+ uses: xxx/lex-github-actions/x-deploy-onpr@checkmarx/v0.2.0
with:
base: "apps/loanmanage"
deployment_names: "loanmanage"
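Review bot: the deploy step, which runs under `id-token: 'write'`, moves from `x-deploy-onpr/v2.0.2` to `checkmarx/v0.2.0`, changing both the tag namespace and the major version while the `base` and `deployment_names` inputs written for the v2 action stay in place; of the hunks in this diff this is the one to review by hand before merging.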
@@ -170,7 +170,7 @@ jobs:
version: ${{ needs.build.outputs.id }}```