
Dependabot fails to identify latest tag from dependency after default branch changed #5421

Closed
yubiuser opened this issue Jul 26, 2022 · 20 comments
Labels
L: github:actions GitHub Actions T: bug 🐞 Something isn't working

Comments

@yubiuser

Package ecosystem
github-actions
dependabot.yml content

version: 2
updates:
- package-ecosystem: github-actions
  directory: "/"
  schedule:
    interval: weekly
    day: saturday
    time: "10:00"
  open-pull-requests-limit: 10
  target-branch: development

Updated dependency
uses: actions/checkout@v3.0.0

What you expected to see, versus what you actually saw
Expect new PR for actions/checkout@v3.0.2
Observed: No update needed

Log:

updater | INFO <job_428051179> Checking if actions/checkout 3.0.0 needs updating
  proxy | 2022/07/26 08:08:48 [028] GET https://github.com:443/actions/checkout.git/info/refs?service=git-upload-pack
  proxy | 2022/07/26 08:08:48 [028] * authenticating git server request (host: github.com)
  proxy | 2022/07/26 08:08:48 [028] 200 https://github.com:443/actions/checkout.git/info/refs?service=git-upload-pack
updater | INFO <job_428051179> Latest version is 61b9e3751b92087fd0b06925ba6dd6314e06f089
updater | INFO <job_428051179> No update needed for actions/checkout 3.0.0

I'm using dependabot to update github-actions. One of those is https://github.com/actions/checkout. When specifying an "old" tag (v3.0.0) I expect dependabot to open a PR for the latest v3 version (v3.0.2). See here for tags: https://github.com/actions/checkout/tags.

However, dependabot is referencing an "old" commit as latest version. This commit is the latest in their master branch (https://github.com/actions/checkout/commits/master), but they have changed to main as their default branch (https://github.com/actions/checkout/commits/main).

@yubiuser yubiuser added the T: bug 🐞 Something isn't working label Jul 26, 2022
@jeffwidman jeffwidman added the L: github:actions GitHub Actions label Aug 25, 2022
@jeffwidman
Member

jeffwidman commented Aug 25, 2022

Are you pinning to a tag or a SHA of the tag? Because #5516 may have fixed this. Can you check?

@jeffwidman jeffwidman closed this as not planned Aug 25, 2022
@jeffwidman jeffwidman reopened this Aug 25, 2022
@yubiuser
Author

We are pinning by tag. #5516 was merged 14 days ago, so I guess every dependabot run afterwards includes the new logic already, or?
This log is from 5 days ago, it did not work.

updater | INFO <job_442952051> Checking if actions/checkout 3.0.0 needs updating
  proxy | 2022/08/20 10:17:47 [034] GET https://github.com:443/actions/checkout.git/info/refs?service=git-upload-pack
  proxy | 2022/08/20 10:17:47 [034] * authenticating git server request (host: github.com)
  proxy | 2022/08/20 10:17:47 [034] 200 https://github.com:443/actions/checkout.git/info/refs?service=git-upload-pack
updater | INFO <job_442952051> Latest version is 61b9e3751b92087fd0b06925ba6dd6314e06f089
updater | INFO <job_442952051> No update needed for actions/checkout 3.0.0

@deivid-rodriguez
Contributor

@yubiuser Can you check again? I think #6052 should've fixed this.

@yubiuser
Author

It's actually hard to tell. I've a private test repo with multiple workflows using actions/checkout at various different outdated versions. Dependabot created a PR already 1 month ago to update all of the actions to the latest version (3.1.0).

However, when I manually trigger a dependabot check I still get this output

updater | INFO <job_513159305> Checking if actions/checkout 3.0.0 needs updating
  proxy | 2022/11/15 20:52:32 [030] GET https://github.com:443/actions/checkout.git/info/refs?service=git-upload-pack
  proxy | 2022/11/15 20:52:32 [030] * authenticating git server request (host: github.com)
  proxy | 2022/11/15 20:52:32 [030] 200 https://github.com:443/actions/checkout.git/info/refs?service=git-upload-pack
updater | INFO <job_513159305> Latest version is 61b9e3751b92087fd0b06925ba6dd6314e06f089
updater | INFO <job_513159305> No update needed for actions/checkout 3.0.0

@deivid-rodriguez
Contributor

I think that may be because of #3750?

@yubiuser
Author

I think these are two distinct issues. The one you linked happens when multiple instances with different versions are used and dependabot did not check for updates for the lower/lowest version.
However, in my case it's simply returning a false Latest version (it's not even the same reference style - I use tags, it's returning a hash). 61b9e3751b92087fd0b06925ba6dd6314e06f089 is from 2020, whereas v3.0.0 is from 2022. So not only is the Latest version not the latest, it's also older than the currently used action.

@deivid-rodriguez
Contributor

Oh, ok, I misunderstood that you were actually using actions/checkout in multiple workflows with different outdated versions.

Can you try creating a public repository with the same checkout usages so that I can reproduce this?

@yubiuser
Author

I set up a new test repo (https://github.com/yubiuser/dependabot_test) and there everything is working as expected. I have no idea why it is not working in the other...

updater | INFO <job_515551321> Checking if actions/checkout 3.0.0 needs updating
  proxy | 2022/11/17 09:59:24 [012] GET https://github.com:443/actions/checkout.git/info/refs?service=git-upload-pack
  proxy | 2022/11/17 09:59:24 [012] * authenticating git server request (host: github.com)
  proxy | 2022/11/17 09:59:27 [012] 200 https://github.com:443/actions/checkout.git/info/refs?service=git-upload-pack
updater | INFO <job_515551321> Latest version is 3.1.0

@deivid-rodriguez
Contributor

Yeah, referencing commits of an incorrect branch should've really been fixed by #6052. However, your sample repo does not pin by sha, right? And you mentioned previously that the problem was pinning by SHA?

@yubiuser
Author

However, your sample repo does not pin by sha, right? And you mentioned previously that the problem was pinning by SHA?

No, we always pin by tag. But as you can see here, it's returning SHA:

updater | INFO <job_513159305> Latest version is 61b9e3751b92087fd0b06925ba6dd6314e06f089

@deivid-rodriguez
Contributor

Sorry, misunderstood again! So your real repository is simply pinning actions/checkout to 3.0.0 in a single workflow, like in https://github.com/yubiuser/dependabot_test/blob/master/.github/workflows/test_workflow.yml#L11? This is such a simple case that should just work, I have no idea why it's not working for you.

@deivid-rodriguez
Contributor

Whatever it is, I just noticed that other cases that will be fixed by #5963 are also incorrectly returning a SHA as the current version and not being able to update certain actions.

So I'm going to set #5963 to also close this issue, and will make sure to let you know when it's live so you can test again 👍.

@yubiuser
Author

Thanks for letting me know. I'll test again when #5963 is merged.

@deivid-rodriguez
Contributor

@yubiuser I just temporarily deployed #5963, can you try again now?

@yubiuser
Author

No avail.

updater | INFO <job_515759848> Checking if actions/checkout 3.0.0 needs updating
  proxy | 2022/11/17 12:16:32 [034] GET https://github.com:443/actions/checkout.git/info/refs?service=git-upload-pack
  proxy | 2022/11/17 12:16:32 [034] * authenticating git server request (host: github.com)
  proxy | 2022/11/17 12:16:32 [034] 200 https://github.com:443/actions/checkout.git/info/refs?service=git-upload-pack
updater | INFO <job_515759848> Latest version is 61b9e3751b92087fd0b06925ba6dd6314e06f089
updater | INFO <job_515759848> No update needed for actions/checkout 3.0.0

@deivid-rodriguez
Contributor

That's too bad. And there are no other places in your configuration files that use actions/checkout, only the one that pins to 3.0.0?

@yubiuser
Author

No, there are others.
[Screenshot at 2022-11-17 15-50-45]

@deivid-rodriguez
Contributor

Ok, ok. Then again this looks like #3750. From all the actions, Dependabot is only considering the first one. And it can't propose any updates for the first one because it's pinned to a branch without any version requirement, makes sense?
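The failing log at the top of the thread and the diagnosis in this comment both come down to how a `uses:` reference gets resolved: a branch head is a commit SHA with no version to compare, while only `refs/tags/*` carry versions. The Python below is an added illustration, not Dependabot's own code: it classifies each pin and picks the latest release tag from constructed `git ls-remote` output, ignoring branch heads. The `actions/checkout@...` references and the tag SHAs are assumptions; only the master SHA comes from the issue's logs.

```python
import re

# Constructed `uses:` references from a hypothetical repo's workflow files.
WORKFLOW_USES = ["actions/checkout@master", "actions/checkout@v3.0.0",
                 "actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089"]

# Constructed `git ls-remote` output; only the master SHA is from the issue's log.
LS_REMOTE = ("61b9e3751b92087fd0b06925ba6dd6314e06f089\trefs/heads/master\n"
             "1111111111111111111111111111111111111111\trefs/tags/v3.0.0\n"
             "2222222222222222222222222222222222222222\trefs/tags/v3.0.2\n"
             "3333333333333333333333333333333333333333\trefs/tags/v3.1.0\n")

def parse_version(ref):
    """(major, minor, patch) for a semver tag such as v3.0.2, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    return tuple(int(x) for x in m.groups()) if m else None

def parse_tags(ls_remote):
    """Version tuple -> SHA for refs/tags/* only; branch heads are ignored."""
    tags = {}
    for line in ls_remote.splitlines():
        sha, ref = line.split("\t")
        if ref.startswith("refs/tags/"):
            ver = parse_version(ref[len("refs/tags/"):])
            if ver:
                tags[ver] = sha
    return tags

def classify(ref):
    """Pin style after '@': immutable 40-hex SHA, semver tag, or mutable branch."""
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "sha"
    return "tag" if parse_version(ref) else "branch"

def check_uses(uses_list, ls_remote):
    tags = parse_tags(ls_remote)
    latest = max(tags)  # compare versions numerically, never by commit date
    report = []
    for uses in uses_list:
        ref = uses.split("@", 1)[1]
        kind = classify(ref)
        if kind == "tag":
            needs = parse_version(ref) < latest
        elif kind == "sha":
            needs = ref not in tags.values()  # SHA is not any release tag
        else:
            needs = True  # branch pin: mutable and has no version to compare
        report.append((uses, kind, "v%d.%d.%d" % latest, needs))
    return report
```

Each tuple in the report gives the reference, its pin style, the newest release tag and whether it should be bumped; the branch pin is the case Dependabot cannot version-compare, which is why it stalls on it.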

@yubiuser
Author

I think you disentangled it!

@deivid-rodriguez
Contributor

Let me close this issue in favor of #3750 then. There's already an open PR for that ticket, so I expect to get that fixed soonish.

@deivid-rodriguez deivid-rodriguez closed this as not planned Nov 17, 2022
3 participants