Dependabot for github actions considering closed PRs in existing-pull-requests list
Is there an existing issue for this?
- [X] I have searched the existing issues
Package ecosystem
github_actions
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
.github/workflows/on_pr_to_develop_test.yml
dependabot.yml content
```yaml
---
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```
Updated dependency
actions/checkout
What you expected to see, versus what you actually saw
I'm expecting uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 to be bumped to a current actions/checkout, with the hash and version comment updated.
No updates were made.
The dependabot log shows that it found many existing PRs.
```
'existing-pull-requests': [[{'dependency-name': 'actions/download-artifact',
                             'dependency-version': '4'}],
                           [{'dependency-name': 'actions/upload-artifact',
                             'dependency-version': '4'}],
                           [{'dependency-name': 'tj-actions/changed-files',
                             'dependency-version': '42'}],
                           [{'dependency-name': 'super-linter/super-linter',
                             'dependency-version': '6.0.0'}],
                           [{'dependency-name': 'super-linter/super-linter',
                             'dependency-version': '6.1.1'}],
                           [{'dependency-name': 'super-linter/super-linter',
                             'dependency-version': '6.2.0'}],
                           [{'dependency-name': 'super-linter/super-linter',
                             'dependency-version': '6.3.0'}],
                           [{'dependency-name': 'oxsecurity/megalinter',
                             'dependency-version': '7.10.0'}],
                           [{'dependency-name': 'oxsecurity/megalinter',
                             'dependency-version': '7.11.1'}],
                           [{'dependency-name': 'aquasecurity/trivy-action',
                             'dependency-version': '0.20.0'}]],
```
All but the first 2 have been closed by dependabot instead of merged - because a newer dependency popped up, or because a commit was made removing the dependency.
I suspect that this means it has too many existing PRs to
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
```yaml
---
on:
  pull_request
jobs:
  just_checkout:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout source code
        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 # v4.0.0
```
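A check a maintainer can run while the bumps are not arriving, added here as an example that is not part of this issue or of Dependabot's own code: it lists every `uses:` reference in a workflow and flags any that is not pinned to a full commit SHA with the `# vX.Y.Z` comment the reporter expects Dependabot to keep current. The sample workflow is the smallest manifest above plus two constructed steps (a tag pin and a SHA pin without a version comment) to exercise the checker.

```python
import re

# Constructed sample: the issue's smallest manifest plus two extra steps added
# here to exercise the checker; the extra steps are not from the original issue.
SAMPLE_WORKFLOW = """\
---
on:
  pull_request
jobs:
  just_checkout:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout source code
        uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 # v4.0.0
      - uses: actions/upload-artifact@v4
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^\s'\"#]+)['\"]?(?:\s*#\s*(?P<comment>.*))?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?\d+(\.\d+)*$")


def check_pins(workflow_text):
    """Return (action, sha_pinned, version_comment) for every uses: line.

    sha_pinned is True only for a full 40-hex commit SHA, the form Dependabot
    updates together with the trailing '# vX.Y.Z' comment.
    """
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local or container actions carry no upstream ref
        action, _, version = ref.partition("@")
        comment = (m.group("comment") or "").strip()
        version_comment = comment if VERSION_RE.match(comment) else None
        findings.append((action, bool(SHA_RE.match(version)), version_comment))
    return findings


def unpinned(workflow_text):
    """Actions that are not SHA-pinned or lack the version comment."""
    return [a for a, sha, ver in check_pins(workflow_text) if not (sha and ver)]


if __name__ == "__main__":
    for action, sha, ver in check_pins(SAMPLE_WORKFLOW):
        print(f"{action}: sha_pinned={sha} version_comment={ver}")
```

Running it against the repo's real workflows after a Dependabot run shows at a glance which SHA pins were left untouched.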
We are dealing with this issue too - we are trying to add grouping for security updates only - which has already been a painful process. However, currently no PRs get made, maybe (?) because it considers all PRs we closed in the past (not merged) as "existing PRs" in the job definition, so it doesn't attempt to create a new grouped PR to fix the vulnerabilities that were previously in individual PRs.
Re-naming the dependency group may be a valid workaround - it worked for my repo where there was stale data in "existing group pull requests".
I have the same issue with Nuget-dependencies for several repos in our GH org. "existing-pull-requests" in the Dependabot logs contains what looks like dependencies that had Dependabot PRs that were closed by Dependabot itself due to being superseded by other Dependabot PRs. etc.
Anyone found a work-around for this? I have tried upping the allowed-open-pull-requests option in dependabot.yml from 10 to 100 with no effect. There are fewer than 100 of those closed/stale Dependabot PRs listed in the logs, so I would have expected this to bypass the problem...
It looks like this started failing at the same time for several repos, so I suspect DependaBot introduced a change in behaviour (bug?) at that time. Last time DependaBot worked on any of these repos was May 5th. It works fine with a fresh repo with no existing PRs.
@dannystaple, can you please provide the logs or the job id of the dependabot run that fails to create the PRs? You can find them under the Actions tab: