Github Actions - allow updating major versions only

[DarkWanderer]

Is there an existing issue for this?

• I have searched the existing issues

Feature description

GitHub Actions follow docker-like tag pattern, where a new version updates 3 tags simultaneously:

• full version: v1.2.3
• minor version: v1.2
• major version: v1

A common practice then is to use a major version tag (action@v1) to allow automatic minor version drift, and update major versions manually (as that often implies breaking changes)

At the moment, Dependabot is not aware of this convention, and unconditionally suggests the "max" version. This leads to situation when an action updates an action v2 to v3.0.0 example, and that leads to a lot of extraneous PRs after (updating 3.0.0=>3.0.1, 3.0.1=>3.0.2 etc.)

Suggestion: add versioning-strategy value for GitHub actions (e.g. major) which will instruct Dependabot to exclusively use tags where only major version is specified

[DarkWanderer]

Note: I am aware of ignore: update-types: mechanic, but this is slightly different as ignore will still result in dependency being updated to full version spec, i.e. v1.2.3

[deivid-rodriguez]

Mmmm, this feels like a deja vu... I thought we had already discussed and fixed this. This is what everyone expects, Dependabot should not be proposing an upgrade that uses a different "versioning style", and instead respect what's already there.

I'll have a look at what's going on, thank for letting us now and providing a public repo as a example 🥇.

[deivid-rodriguez]

Hei @DarkWanderer!

So I tried this using:

• Our dry-run.rb script.
• Dependabot's CLI.
• A fork of your repo.

All three times Dependabot bumped the dependency from v2 to v3 as expected.

There's still something fishy going on here since Dependabot did open an incorrect PR on your repository, but I have no idea how that happened. This should've been working as expected 17 days ago too, since no related changes have been released since that I know of.

Anyways, I'm going to close this, if you ever get another PR by Dependabot showing this behavior, please reopen this issue as quickly as possible so we can figure out the root cause and fix it!

Thanks for your helpful report, by the way!

[DarkWanderer]

No worries. This is an excellent tool and I'll be happy if I can contribute back.

One thing I noticed is that setup-dotnet repo uses manual release scheme, and a separate action to mark 'major' tag, e.g.:

• v3.0.0 was released manually at 29 Sep 17:56 CEST
• Additional workflow was triggered which ran at 30 Sep 8:28 CEST (triggered by manual 'deployment approval') and created v3 tag out of v3.0.0
• The pull request in question was raised at 30 Sep 3:55 CEST - i.e. after creation of v3.0.0 tag, but before v3.

Speculatively, this time gap might explain both the bug and failure to reproduce it - as now there is a valid v3 tag available.

I assume that in the absence of 'correct' v3 tag, Dependabot just defaults to the highest available

P.S. And I guess I didn't search hard enough, there is actually a prior on this: #2304

[deivid-rodriguez]

Wow, fantastic investigation! That makes total sense and I'm sure that's the cause of the issue.

Dependabot should always respect the precision chosen by the user, and it already does this in general, except for this normally very small time frame where an action has a release, but no "major tag/branch" pointing to it.

I will fix this.

[deivid-rodriguez]

Ok I created #5891 to fix this. I learnt though that there's a reason for the current behavior, so it will need some team discussion to figure out whether it should be changed or not.