Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update documentation for GitHub Actions #1461

Closed
smorimoto opened this issue Oct 23, 2019 · 31 comments
Closed

Update documentation for GitHub Actions #1461

smorimoto opened this issue Oct 23, 2019 · 31 comments
Labels
T: feature-request Requests for new features

Comments

@smorimoto
Copy link

This page seems to be missing information about github_actions.

https://dependabot.com/docs/config-file

@feelepxyz
Copy link
Contributor

@imbsky thanks for raising this, we've currently disabled actions support due to a bug that prevented Apps from modifying the workflow file, but might be able to re-enable now that it's fixed.

@smorimoto
Copy link
Author

Oh, I see!

@smorimoto smorimoto reopened this Oct 28, 2019
@smorimoto
Copy link
Author

@feelepxyz When re-enable actions support, could you please update documentation and close this issue?

@feelepxyz
Copy link
Contributor

@imbsky it's still a work in progress so not won't create any PRs yet. Hopefully we'll get this wrapped up in the next month or so.

@feelepxyz feelepxyz added the T: feature-request Requests for new features label Oct 29, 2019
@smorimoto
Copy link
Author

Great!

@smorimoto smorimoto changed the title Update config file docs Update documentation for GitHub Actions Dec 24, 2019
@smorimoto
Copy link
Author

Is this still disabled?

@feelepxyz
Copy link
Contributor

@imbsky yeah sadly! There's new app permission that needs to be added which hasn't been prioritised yet. Waiting for an update on it.

@smorimoto
Copy link
Author

Okay, I'll wait.

@smorimoto
Copy link
Author

Any updates?

@feelepxyz
Copy link
Contributor

@imbsky I'm chasing internally. Still need the new app permission to be deployed.

@smorimoto
Copy link
Author

@feelepxyz I'm both an Actions user and an outside contributor who has made some improvements, if Actions is supported by Dependabot, I don't have to manually create a lot of PR, so could you to enable it as soon as possible? I don't want to bother you, but please.

@feelepxyz
Copy link
Contributor

We're waiting on an internal change to actions allowing any app to edit workflow files. It's not specific to Dependabot.

@smorimoto
Copy link
Author

Oh, I see. That sounds to take some time.

@LeoColomb
Copy link
Contributor

LeoColomb commented Apr 7, 2020

🎉 https://github.blog/changelog/2020-04-07-github-apps-workflow-permission/

@peaceiris
Copy link

peaceiris commented Apr 7, 2020

@staticdev
Copy link

It seems like something is still wrong. I have github_actions enabled, but it is not creating pull requests yet. I see in dependabot logs that it finds newer versions for actions though.

@smorimoto
Copy link
Author

This is not yet enabled. So nothing is wrong, but I hope it will be enabled asap.

@feelepxyz
Copy link
Contributor

We've just launched a beta of Dependabot natively integrated into GitHub that supports updating Actiosn workflow files: https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/

Config file docs: https://help.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates

FYI - the new version currently doesn't support private git dependencies. We're working on adding this over the next few months.

@peaceiris
Copy link

peaceiris commented Jun 3, 2020

It works! Great 🎉

peaceiris/actions-gh-pages#334

Screen Shot 2020-06-03 at 21 50 56

I will leave my feedback. (I do not know whether here is the right place for feedback or not.)

Please detect pre-release and do not bump it

The actions/[email protected] is a beta version (pre-release). We need a useful filter for not bumping it.

open-pull-requests-limit does not work

I set open-pull-requests-limit: 1 like the following but the dependabot has opened the two pull-requests at the same time.

- package-ecosystem: "github-actions"
  directory: "/"
  schedule:
    interval: "daily"
  open-pull-requests-limit: 1
  labels:
  - "dependencies:ci"
  commit-message:
    prefix: ci

https://github.com/peaceiris/actions-gh-pages/blob/65dc7af0847a52d3e8dfa56f3f64dcb0acf6032f/.github/dependabot.yml#L28

@staticdev
Copy link

staticdev commented Jun 3, 2020

@feelepxyz I don't see Security & analysis tab on Settings from repositories I own and have dependabot-preview (as mentioned in @infin8x post https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/):

image

@feelepxyz
Copy link
Contributor

@peaceiris nice one, will take a look at the open pull request limit not being honoured.

Please detect pre-release and do not bump it

Yep, it's on our list of improvements. Will see what metadata we can get from tags.

@staticdev ah yes this page hasn't been fully rolled out yet. You can enable it from the Security tab on the repository under Dependabot alerts > Dependabot Security Updates.

@staticdev
Copy link

staticdev commented Jun 3, 2020

@feelepxyz I've enabled Security Updates in 3 public repos of mine, then I entered dependabot.com and selected Update config file and it didn't work. When I click it again I see the message: Something went wrong when creating your Pull Request. Try again or contact support.. None of them worked.

@feelepxyz
Copy link
Contributor

@staticdev thanks for reporting, looks like we've tried to generate an invalid config file. Will take a look at fixing this tomorrow 👌

@staticdev
Copy link

staticdev commented Jun 3, 2020

@feelepxyz if you want the repos to check:

I also saw in the post that the file location (.github/dependabot.yml) is different from the path I've been using with dependabot-preview (.dependabot/config.yml).

@jurre
Copy link
Member

jurre commented Jun 4, 2020

Thanks for reporting this @staticdev, we've fixed some issues and I think you should be able to upgrade now, could you try again?

@staticdev
Copy link

@jurre Good news! Dependabot could now create the pull requests, and changed the name/path of dependabot config file.

One strange thing I noticed is that, all of the repositories I tested gave me this warning:
"You're using unsupported features

The new version does not yet support private git dependencies. If you use these we recommend leaving Dependabot Preview active."

I am curious to know what unsupported features since I am not using private repositories...

@jurre
Copy link
Member

jurre commented Jun 4, 2020

You should be all good in that case 👍 we can't detect if the git dependencies you're using are private or not, so if you're using any git dependencies we show that warning. I'll think about the wording if we can make that more clear

@staticdev
Copy link

staticdev commented Jun 21, 2020

@feelepxyz I have 3 other questions regarding this new config, maybe you could help me out:

  • Can the open-pull-requests-limit setting be omitted, to go with the default?
  • Any way to avoid hardcoding schedule.time? What is this based on, anyway? I got different times when upgrading projects.
  • Do you know why dependabot badge now shows inactive on upgraded projects? Eg. here. Is this a bug?

Thanks again.

@feelepxyz
Copy link
Contributor

  • Can the open-pull-requests-limit setting be omitted, to go with the default?

Yup, the default is 5

Any way to avoid hardcoding schedule.time? What is this based on, anyway? I got different times when upgrading projects.

This should be set from your account settings in your dependabot dashboard. You can omit it and the default 5am UTC will be used.

Do you know why dependabot badge now shows inactive on upgraded projects? Eg. here. Is this a bug?

Yup, this is broken with the updated and we're tracking this here: https://github.com/dependabot/feedback/issues/968

@staticdev
Copy link

  • Can the open-pull-requests-limit setting be omitted, to go with the default?

Yup, the default is 5

Any way to avoid hardcoding schedule.time? What is this based on, anyway? I got different times when upgrading projects.

This should be set from your account settings in your dependabot dashboard. You can omit it and the default 5am UTC will be used.

Do you know why dependabot badge now shows inactive on upgraded projects? Eg. here. Is this a bug?

Yup, this is broken with the updated and we're tracking this here: dependabot/feedback#968

Thanks again!!

@infin8x
Copy link
Contributor

infin8x commented Jul 20, 2020

Closing this as the original issue (lack of github_actions documentation) is fixed: https://help.github.com/en/github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot

@infin8x infin8x closed this as completed Jul 20, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
T: feature-request Requests for new features
Projects
None yet
Development

No branches or pull requests

7 participants