Dependabot does not bump actions referenced from composite actions #10135

Closed
chris48s opened this issue May 6, 2024 · 0 comments · Fixed by #10139
Labels
dependencies Related to dependency updates developer-experience Dev tooling, test framework, and CI

chris48s commented May 6, 2024

📋 Description

Raised by @LitoMore in #10127 (comment)

We have dependabot configured to upgrade actions we use:

# GH actions
- package-ecosystem: 'github-actions'
  directory: '/'
  schedule:
    interval: weekly
  open-pull-requests-limit: 99
  rebase-strategy: disabled

While this does work for workflows, it is not bumping actions referenced in composite actions.

So for example, #9682 bumped

uses: actions/setup-node@v4
but not
uses: actions/setup-node@v3

This is a reported issue upstream: dependabot/dependabot-core#6704

We have quite a lot of custom actions: https://github.com/badges/shields/tree/master/.github/actions

Task:

Read through that issue, amend our dependabot config to include actions referenced from composite actions, then review/merge any follow-up PRs from dependabot.

@chris48s chris48s added developer-experience Dev tooling, test framework, and CI dependencies Related to dependency updates labels May 6, 2024
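
An added example, not part of the issue or the shields code base: a Python check that lists `uses:` references in composite actions under `.github/actions` whose ref differs from what the workflows pin for the same action, which is the drift described above. The repository layout and the `setup` action name in the demo are constructed.

```python
import re
import tempfile
from pathlib import Path

# Matches `uses: owner/repo[/path]@ref`; local (./) and docker:// references do not match.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w./-]+)@([\w./-]+)", re.M)

def uses_refs(text):
    """Return the set of (action, ref) pairs referenced in one YAML file."""
    return set(USES_RE.findall(text))

def composite_drift(repo_root):
    """List (file, action, ref, workflow_refs) where a composite action pins
    a ref that no workflow uses for the same action."""
    root = Path(repo_root)
    workflow_refs = {}
    for wf in sorted((root / ".github" / "workflows").glob("*.y*ml")):
        for action, ref in uses_refs(wf.read_text()):
            workflow_refs.setdefault(action, set()).add(ref)
    drift = []
    for meta in sorted((root / ".github" / "actions").rglob("action.y*ml")):
        for action, ref in sorted(uses_refs(meta.read_text())):
            known = workflow_refs.get(action)
            if known and ref not in known:
                drift.append((meta.relative_to(root).as_posix(), action, ref, sorted(known)))
    return drift

def demo():
    """Build a constructed repository layout mirroring the issue and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        wf = root / ".github" / "workflows"
        act = root / ".github" / "actions" / "setup"  # hypothetical action name
        wf.mkdir(parents=True)
        act.mkdir(parents=True)
        (wf / "test.yml").write_text(
            "jobs:\n  test:\n    steps:\n"
            "      - uses: actions/checkout@v4\n"
            "      - uses: actions/setup-node@v4\n"
            "      - uses: ./.github/actions/setup\n")
        (act / "action.yml").write_text(
            "runs:\n  using: composite\n  steps:\n"
            "    - uses: actions/setup-node@v3\n")
        return composite_drift(root)

if __name__ == "__main__":
    for path, action, ref, known in demo():
        print(f"{path}: {action}@{ref} (workflows use {', '.join(known)})")
```

Run in CI against the repository root, a non-empty result from `composite_drift` flags composite actions that the update configuration is not covering.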