
bug: update-type is sometimes null #4893

Open
vicary opened this issue Nov 20, 2021 · 15 comments
Labels
F: package-metadata The metadata that Dependabot fetched for the package F: pull-requests Issues about Dependabot pull requests T: bug 🐞 Something isn't working

Comments

@vicary commented Nov 20, 2021

I want to auto-merge for minor and patch updates, but the update-type is always null.

You may see this job for the metadata output.

Am I doing it wrong?

@vicary (Author) commented Nov 22, 2021

Today dependabot created a new PR and update-type is available:

While the last one is not,

I didn't make any changes in the meantime; the only difference is that the last one was triggered by my commit, and the new one looks like it was triggered by the daily schedule.

Is this the intended behavior?

vicary changed the title from "bug: update-type is always null" to "bug: update-type is sometimes null" on Nov 22, 2021
@emosbaugh commented

I'm experiencing the same. Could it be that the commit message is being truncated?

[Screenshot: Screen Shot 2021-12-02 at 2 43 20 PM]

~ gh pr view --repo xxx 2079 --json commits
{
  "commits": [
    {
      "authoredDate": "2021-12-02T21:57:59Z",
      "authors": [
        {
          "email": "49699333+dependabot[bot]@users.noreply.github.com",
          "id": "MDM6Qm90NDk2OTkzMzM=",
          "login": "dependabot[bot]",
          "name": "dependabot[bot]"
        }
      ],
      "committedDate": "2021-12-02T21:57:59Z",
      "messageBody": "Bumps [debug](https://github.com/visionmedia/debug) from 2.2.0 to 2.6.9.\n- [Release notes](https://github.com/visionmedia/debug/releases)\n- [Changelog](https://github.com/visionmedia/debug/blob/2.6.9/CHANGELOG.md)\n- [Commits](https://github.com/visionmedia/debug/compare/2.2.0...2.6.9)\n\n---\nupdated-dependencies:\n- dependency-name: debug\n  dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot] \[email protected]\u003e",
      "messageHeadline": "Bump debug from 2.2.0 to 2.6.9 in /testgrid/web",
      "oid": "35a1dd15b01b435367be33fefc1bf4c812bd925d"
    }
  ]
}

@mwaddell (Contributor) commented

@emosbaugh - I don't think the comment is being truncated because it has the ending ...

I think that the code in dependabot-core is not adding the section correctly. However, in looking at the code in dependabot-core, I can't figure out where that data is actually added...

I would think that https://github.com/dependabot/dependabot-core/blob/9c4ab72abef38a9d1601b5fdb85943f3c4fba8bd/common/lib/dependabot/pull_request_creator/message_builder.rb#L53:L59 would be the spot that would add that, but I don't see it actually adding the --- through ... section. Does anyone know where that's being added to the commit message?

@agarcher commented Mar 2, 2022

For me this bug seems to be consistently reproducible when the commit was created from a @dependabot rebase. When the new commit is pushed (so on synchronize I guess), the github action will get update-type null and my actions that are looking for the semver will be skipped.

@mwaddell (Contributor) commented Mar 4, 2022

@agarcher I'm not able to replicate that in the npm_and_yarn ecosystem. Here's my commit prior to rebasing:

[screenshot]

Here it is after doing @dependabot rebase:

[screenshot]

They both contain the "update-type:" line that fetch-metadata uses.

Is there a particular ecosystem for which this is an issue?

@agarcher commented Mar 5, 2022

I'm seeing it for bundler ecosystem.

@mwaddell (Contributor) commented Mar 5, 2022

I'm not able to replicate that issue reliably, but I do see instances where update-type is missing for some reason. So, I just added PR dependabot/fetch-metadata#173, which allows fetch-metadata to calculate the update-type on the fly if it's missing for some reason.

@brrygrdn brrygrdn transferred this issue from dependabot/fetch-metadata Mar 22, 2022
@brrygrdn (Contributor) commented

I've transferred this issue in from https://github.com/dependabot/fetch-metadata/ as there is a workaround for the action, but the bug is effectively that core doesn't populate this on commits sometimes, so it isn't fully resolved by that PR.

Workaround: dependabot/fetch-metadata#173

@vicary (Author) commented Mar 24, 2022

@brrygrdn Maybe related to the recent fix at dependabot/fetch-metadata#173, I kept my test repo open as a monitor for the progress of this issue.

In fact it had been auto-upgrading normally until today, please see vicary/test-dependabot#50.

outputs.update-type is null and it's never seen before it had been available if the bot opened the issue all by itself.

Run dependabot/[email protected]
  with:
    github-token: ***
Parsing Dependabot metadata
Outputting metadata for 1 updated dependency
  outputs.dependency-names: minimist
  outputs.dependency-type: indirect
  outputs.update-type: null

[screenshot]

@mwaddell (Contributor) commented

@vicary Your job is still using [email protected] - the fix in dependabot/fetch-metadata#173 is only available in fetch-metadata@main right now.

You are correct that this bug (#4893) still exists in dependabot-core and it does inconsistently fill out the update-type property. dependabot/fetch-metadata#173 is a workaround for this open bug that calculates the update-type on the fly if it was not passed in the commit message from dependabot-core.

Please update your action to use fetch-metadata@main and see if that resolves your issue.

vicary added a commit to vicary/test-dependabot that referenced this issue Mar 24, 2022
@vicary (Author) commented Mar 25, 2022

@mwaddell Yes, it's now working even with @dependabot commands.

@jeffwidman (Member) commented

Is this only happening on PR rebases and not the initial commit of a PR?

If so, I wonder if the root cause is the same as described in #4652 (comment)?

@FlorianLeChat commented

I started having this issue when I started using the grouped updates feature on some of my private repositories and on a public repository today.

Run dependabot/fetch-metadata@v1
  with:
    github-token: ***
    skip-commit-verification: false
    skip-verification: false
Parsing Dependabot metadata
Outputting metadata for 2 updated dependencies
  outputs.dependency-names: mongodb, mongoose
  outputs.dependency-type: direct:production
  outputs.update-type: null
  outputs.directory: /
  outputs.package-ecosystem: npm_and_yarn
  outputs.target-branch: master
  outputs.previous-version: 
  outputs.new-version: 
  outputs.compatibility-score: 0
  outputs.maintainer-changes: false
  outputs.dependency-group: 
  outputs.alert-state: 
  outputs.ghsa-id: 
  outputs.cvss: 0

@yhy-1 commented Sep 28, 2023


I am seeing the same issue, if Dependabot creates PR for multiple dependencies, it will return as null.

@mwaddell (Contributor) commented

@yhy-1 fetch-metadata pulls the update-type value from the commit message added by dependabot-core. If it's missing, it attempts to calculate it but does not currently support grouped updates. If this bug is fixed in dependabot-core so that the commit-message contains the update-type value, then fetch-metadata will use it.

[screenshot]

VS

[screenshot]
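As an added example (not code from dependabot-core or dependabot/fetch-metadata), the following TypeScript models the two mechanisms discussed in this thread: reading `update-type` from the `---` / `...` YAML trailer that Dependabot appends to its commit message (the one @emosbaugh's `gh pr view` output shows without the field), and, when that field is missing, deriving it from the versions in the commit headline the way the dependabot/fetch-metadata#173 workaround is described to do. It also shows the grouped-update gap @mwaddell describes: a grouped headline carries no `from X to Y` versions, so the fallback yields null, and a merge gate written to fail closed then does nothing. All function names and the sample commit messages below are constructed for this example; only the field names and value format come from the thread.

```typescript
// Added example, not the project's own code. Models the thread's description:
// prefer the update-type written into the commit trailer, fall back to a
// semver comparison of the headline versions when it is absent, and fail
// closed (no auto-merge) when neither source yields a value.

type UpdateType =
  | 'version-update:semver-major'
  | 'version-update:semver-minor'
  | 'version-update:semver-patch';

interface UpdatedDependency {
  name: string;
  type: string; // e.g. "direct:production" or "indirect"
  updateType: UpdateType | null;
}

const UPDATE_TYPES: readonly string[] = [
  'version-update:semver-major',
  'version-update:semver-minor',
  'version-update:semver-patch',
];

function isUpdateType(v: string | undefined): v is UpdateType {
  return v !== undefined && UPDATE_TYPES.indexOf(v) !== -1;
}

// Return the lines between the `---` and `...` YAML document markers, or null
// when the commit message carries no trailer at all.
function extractMetadataBlock(body: string): string | null {
  const lines = body.split('\n');
  const start = lines.indexOf('---');
  const end = start === -1 ? -1 : lines.indexOf('...', start + 1);
  if (start === -1 || end === -1) return null;
  return lines.slice(start + 1, end).join('\n');
}

// Minimal parser for the shape Dependabot emits (a list of flat mappings under
// `updated-dependencies:`). A YAML library would do; this keeps the example
// dependency-free. Only the first ": " splits key from value, because values
// such as "version-update:semver-minor" themselves contain colons.
function parseUpdatedDependencies(block: string): UpdatedDependency[] {
  const records: Record<string, string>[] = [];
  let current: Record<string, string> | null = null;
  for (const raw of block.split('\n')) {
    const line = raw.trim();
    if (line === '' || line === 'updated-dependencies:') continue;
    const isItem = line.slice(0, 2) === '- ';
    const text = isItem ? line.slice(2) : line;
    const sep = text.indexOf(': ');
    if (sep === -1) continue;
    if (isItem || current === null) {
      current = {};
      records.push(current);
    }
    current[text.slice(0, sep)] = text.slice(sep + 2).trim();
  }
  return records.map((r) => {
    const ut = r['update-type'];
    return {
      name: r['dependency-name'] ?? '',
      type: r['dependency-type'] ?? '',
      updateType: isUpdateType(ut) ? ut : null,
    };
  });
}

function parseVersion(v: string): [number, number, number] | null {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Fallback: classify the bump from the two version strings.
function updateTypeFromVersions(prev: string, next: string): UpdateType | null {
  const p = parseVersion(prev);
  const n = parseVersion(next);
  if (!p || !n) return null;
  if (n[0] !== p[0]) return 'version-update:semver-major';
  if (n[1] !== p[1]) return 'version-update:semver-minor';
  if (n[2] !== p[2]) return 'version-update:semver-patch';
  return null;
}

// Use the trailer value when every listed dependency carries the same one;
// otherwise derive it from "from X to Y" in the headline. A grouped headline
// ("Bump the X group with N updates") has no versions, so the result is null.
function resolveUpdateType(headline: string, body: string): UpdateType | null {
  const block = extractMetadataBlock(body);
  const deps = block === null ? [] : parseUpdatedDependencies(block);
  const fromMessage = deps.map((d) => d.updateType);
  const first = fromMessage[0] ?? null;
  if (first !== null && fromMessage.every((t) => t === first)) return first;
  const m = /\bfrom (\S+) to (\S+)/.exec(headline);
  return m ? updateTypeFromVersions(m[1] ?? '', m[2] ?? '') : null;
}

// Fail closed: a null update-type never satisfies a "minor or patch only" rule.
function allowAutoMerge(t: UpdateType | null): boolean {
  return t === 'version-update:semver-minor' || t === 'version-update:semver-patch';
}

// Constructed sample messages, modelled on the commit shown earlier in the thread.
const BODY_WITHOUT_TYPE = [
  'Bumps [debug](https://github.com/visionmedia/debug) from 2.2.0 to 2.6.9.',
  '',
  '---',
  'updated-dependencies:',
  '- dependency-name: debug',
  '  dependency-type: indirect',
  '...',
].join('\n');
const BODY_WITH_TYPE = BODY_WITHOUT_TYPE.replace(
  '  dependency-type: indirect',
  '  dependency-type: indirect\n  update-type: version-update:semver-patch',
);
const GROUP_BODY = [
  'Bumps the npm group with 2 updates: mongodb and mongoose.',
  '',
  '---',
  'updated-dependencies:',
  '- dependency-name: mongodb',
  '  dependency-type: direct:production',
  '- dependency-name: mongoose',
  '  dependency-type: direct:production',
  '...',
].join('\n');

console.log(resolveUpdateType('Bump debug from 2.2.0 to 2.6.9 in /testgrid/web', BODY_WITHOUT_TYPE));
console.log(resolveUpdateType('Bump the npm group with 2 updates', GROUP_BODY));
```

The first call prints `version-update:semver-minor` (derived from the headline because the trailer lacks the field); the second prints `null`, and `allowAutoMerge(null)` is false, which is the behaviour a merge-gating workflow should rely on rather than treating a missing value as "safe".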

8 participants