Add support to update action in GitHub Actions workflow #5733

Closed
vidavidorra opened this issue Mar 17, 2020 · 20 comments · Fixed by #7434

@vidavidorra

What would you like Renovate to be able to do?
I'd like to update actions in a GitHub Action workflow. In the example workflow (shortened) below the wagoid/commitlint-github-action can be updated to 1.6.0.

jobs:
  commitlint:
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Lint commit messages
        uses: wagoid/[email protected]

Describe the solution you'd like

I'd like the github-actions manager to create updates for action in GitHub Actions workflow.

Describe alternatives you've considered

Current alternative is to also add a regex manager (source).

{
  ...
  regexManagers: [
    {
      fileMatch: ['^\\.github/workflows/[^/]+\\.ya?ml$'],
      matchStrings: ['uses: (?<depName>.*?)@(?<currentValue>.*?)\\s'],
      datasourceTemplate: 'github-tags',
    },
  ],
  ...
}

Additional context
See discussions in renovatebot/config-help#570 for this feature.

@viceice viceice added manager:github-actions Github actions manager good first issue Suitable for new contributors ready priority-4-low Low priority, unlikely to be done unless it becomes important to more people labels Mar 17, 2020
@renovatebot renovatebot deleted a comment from ZHEL12 Mar 21, 2020
@ikesyo
Collaborator

ikesyo commented Apr 7, 2020

Good news https://github.blog/changelog/2020-04-07-github-apps-workflow-permission

@ikesyo
Collaborator

ikesyo commented Apr 8, 2020

@rarkins Could you add the new permission to the hosted GitHub App?

@rarkins
Collaborator

rarkins commented Apr 8, 2020

@ikesyo can you first double check that our current github-actions manager is fully up to date with GitHub's latest syntax? I thought I'd wait until verifying that before asking for more permissions.

@ikesyo
Collaborator

ikesyo commented Apr 8, 2020

@rarkins Current github-actions manager partially supports the latest (YAML) syntax; only docker images:

/^\s+uses: docker:\/\/([^"]+)\s*$/.exec(line);

To update actions on GitHub repo (e.g. uses: actions/checkout@v2), we need to use regex manager or update github-actions manager.

@viceice
Member

viceice commented Apr 8, 2020

@rarkins I think it's safe to enable github-actions, we can update the manager later and use the regex manager for now.

@ikesyo Will you send a pr to update the github-actions manager?

@rarkins
Collaborator

rarkins commented Apr 8, 2020

I've updated the app's permissions so that existing org admins will get a request to approve them. We need to make sure that we gracefully handle permission failures though.

  • Today: The git push fails, which is a problematic error
  • Better: Ignore the workflows push fail, keep going
  • Best: Enable/disable the github-actions manager based on whether we have permissions or not

@viceice
Member

viceice commented Apr 8, 2020

ok, so currently users have to explicitly enable the github-action manager for the app?

@rarkins
Collaborator

rarkins commented Apr 8, 2020

Yes, until we're sure that we're handling the lack of permissions gracefully enough

@fabianbru

Just for my understanding, with approved permission it should be possible to update action files with the regex manager?

I added the regex manager from above (slightly modified), but my run fails with "repository-changed".
Approved permissions: "Read and write access to actions, checks, commit statuses, issues, and pull requests"

Run ID: 194424030

regex manager config
  "regexManagers": [
    {
      "fileMatch": ["^\\.github/workflows/[^/]+\\.ya?ml$"],
      "matchStrings": ["uses: (?<depName>.*?)@(?<currentValue>.*?)\\s"],
      "datasourceTemplate": "github-tags",
      "versioningTemplate": "regex:^v(?<major>\\d+)(\\.(?<minor>\\d+)(\\.(?<patch>\\d+))?)?$"
    }
  ]
regex updates found during run
"regex": [
      {
        "packageFile": ".github/workflows/default.yml",
        "manager": "regex",
        "deps": [
            {
            "depName": "actions/cache",
            "currentValue": "v1",
            "datasource": "github-tags",
            "versioning": "regex:^v(?<major>\\d+)(\\.(?<minor>\\d+)(\\.(?<patch>\\d+))?)?$",
            "replaceString": "uses: actions/cache@v1\n",
            "depIndex": 2,
            "updates": [
              {
                "fromVersion": "v1",
                "toVersion": "v1.2.0",
                "newValue": "v1.2.0",
                "newMajor": 1,
                "newMinor": 2,
                "updateType": "minor",
                "isSingleVersion": true
              },
              {
                "fromVersion": "v1",
                "toVersion": "v2.0.0",
                "newValue": "v2.0.0",
                "newMajor": 2,
                "newMinor": 0,
                "updateType": "major",
                "isSingleVersion": true
              }
            ],
            "warnings": [],
            "sourceUrl": "https://github.com/actions/cache"
          }
...
run error during committing files
DEBUG: Error commiting files(branch="renovate/actions-cache-1.x")
{
  "err": {
    "message": "To https://**redacted**@github.com/<USER>/<REPO>.git'\n",
    "stack": "Error: To https://**redacted**@github.com/<USER>/<REPO>.git'\n\n
    at toError (/home/ubuntu/renovateapp/node_modules/simple-git/promise.js:90:14)\n
    at /home/ubuntu/renovateapp/node_modules/simple-git/promise.js:61:36\n
    at Git.<anonymous> (/home/ubuntu/renovateapp/node_modules/simple-git/src/git.js:937:21)\n
    at Function.Git.fail (/home/ubuntu/renovateapp/node_modules/simple-git/src/git.js:1475:18)\n
    at fail (/home/ubuntu/renovateapp/node_modules/simple-git/src/git.js:1433:20)\n
    at /home/ubuntu/renovateapp/node_modules/simple-git/src/git.js:1442:16\n
    at runMicrotasks (<anonymous>)\n
    at processTicksAndRejections (internal/process/task_queues.js:97:5)"
  }
}
DEBUG: Passing repository-changed error up(branch="renovate/actions-cache-1.x")
INFO: Repository has changed during renovation - aborting

Am I doing something wrong? 🤔

@rarkins
Collaborator

rarkins commented Jun 26, 2020

Unfortunately GitHub still blocks apps if the Actions change is made via git instead of API.

@mrlubos

mrlubos commented Aug 28, 2020

@rarkins Is that so? I am new to this issue but quickly checked if Dependabot supports this feature and it seems so, so I assume RenovateBot should be able to achieve this as well. Of course, unless Github keeps this API exclusive to their dependency manager

@viceice
Member

viceice commented Aug 28, 2020

Renovate app now has permission to update github workflows, but it's missing some manager features.
Renovate can currently only update uses: docker:xxx actions.

As a workaround you can use regexManagers:

renovate.json

...
"regexManagers": [
      {
        "fileMatch": ["^\\.github/workflows/[^/]+\\.ya?ml$"],
        "matchStrings": ["uses: (?<depName>[a-z-/]+?)@(?<currentValue>.+?)\\s"],
        "datasourceTemplate": "github-tags"
      }
    ]
...

@rarkins
Collaborator

rarkins commented Aug 28, 2020

@mrlubos it's unblocked now actually. The challenge was that we use git to push our changes to GitHub while Dependabot uses the API. The git flow does not follow the exact same path as API so there can be unintentional differences at times (it's not about GitHub benefiting their own app deliberately).

@RichiCoder1
Contributor

This is up for grabs right? I might be interested in taking a swing.

@rarkins
Collaborator

rarkins commented Oct 9, 2020

@RichiCoder1 it's all yours!

@RichiCoder1
Contributor

Is there a way/pattern in renovate to track tags but pin to a commit kind of like in docker? I know it's pretty common for use to track tags, but pin to a commit to avoid tag-shifting issues.

(Also just generally any advice?)

@rarkins
Collaborator

rarkins commented Oct 9, 2020

@RichiCoder1 can you give an example of what you mean? I'm not sure the actions syntax allows both a tag as well as a SHA, so if we were to support that then we may need to invent part of the syntax ourselves.

Also for this issue I suggest you start with basic updating before progressing to anything advanced like pinning.

@RichiCoder1
Contributor

Sounds good!

@RichiCoder1
Contributor

> can you give an example of what you mean? I'm not sure the actions syntax allows both a tag as well as a SHA, so if we were to support that then we may need to invent part of the syntax ourselves.

That's fair. It doesn't, hence why I asked if something like that already existed.
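
As an added example (not part of the thread and not Renovate's own code), the two matchStrings patterns posted above can be run over a constructed workflow to see which uses: lines each one captures and whether the captured value is a full commit SHA or a tag, the distinction behind the tag-shifting question. The workflow text, the Example-Org/some_action and example/image names, and applying each pattern with the g flag are assumptions.

```javascript
// Added example: the two matchStrings patterns from this thread, side by side.
const BROAD = 'uses: (?<depName>.*?)@(?<currentValue>.*?)\\s';
const NARROW = 'uses: (?<depName>[a-z-/]+?)@(?<currentValue>.+?)\\s';

// Constructed workflow text. Example-Org/some_action and example/image are
// hypothetical names; the 40-hex value is a made-up commit SHA.
const workflow = [
  'jobs:',
  '  build:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v2',
  '      - uses: actions/cache@v1 # restore deps',
  '      - uses: docker://example/image@sha256:0000',
  '      - uses: ./.github/actions/local',
  '      - uses: Example-Org/some_action@0123456789abcdef0123456789abcdef01234567',
  '',
].join('\n');

const FULL_SHA = /^[0-9a-f]{40}$/;

// Apply one pattern to the whole file (the g flag is an assumption about how
// the pattern is iterated) and return what a github-tags lookup would be fed.
function extract(pattern, text) {
  return [...text.matchAll(new RegExp(pattern, 'g'))].map((m) => ({
    depName: m.groups.depName,
    currentValue: m.groups.currentValue,
    isCommitSha: FULL_SHA.test(m.groups.currentValue),
  }));
}

// Dependencies the broad pattern captures that the narrow one does not.
function onlyInBroad(text) {
  const narrow = new Set(extract(NARROW, text).map((d) => d.depName));
  return extract(BROAD, text).filter((d) => !narrow.has(d.depName));
}

for (const d of extract(BROAD, workflow)) {
  console.log('broad ', d.depName, d.currentValue, d.isCommitSha ? 'sha' : 'tag/other');
}
for (const d of extract(NARROW, workflow)) {
  console.log('narrow', d.depName, d.currentValue, d.isCommitSha ? 'sha' : 'tag/other');
}
console.log('only broad:', onlyInBroad(workflow).map((d) => d.depName));
```

On this input the broad pattern hands a docker:// image reference to the github-tags datasource, while the narrowed character class drops it but also skips the action whose name contains uppercase letters and an underscore.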

@renovate-release
Collaborator

🎉 This issue has been resolved in version 23.55.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 15, 2020