GitHub Actions updater uses LF newline for modified lines even if file uses CRLF

[jakebailey]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

GitHub actions

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

https://github.com/microsoft/TypeScript/blob/main/.github/workflows/nightly.yaml

dependabot.yml content

https://github.com/microsoft/TypeScript/blob/main/.github/dependabot.yml

version: 2
updates:
  - package-ecosystem: 'github-actions'
    directory: '/'
    schedule:
      interval: 'weekly'
    groups:
      github-actions:
        patterns:
          - '*'

Updated dependency

From:

actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0

To:

actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1

What you expected to see, versus what you actually saw

When dependabot updates the yaml file, it should use the line endings already used in the file. However, it appears to always use LF line endings on the lines it modifies. This leads to mixed line ending files, which is bad. In the TypeScript repo, this manifests as a CI failure due to the file not being formatted.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

microsoft/TypeScript#56870 is an example of a failing PR.

microsoft/TypeScript@d9cabbf (#56870) is the commit, but doesn't show the difference.

Locally, I can run a script which splits the lines on just \n. On main, the lines changed for one of these files looks like:

  '    steps:\r',
  '      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1\r',
  '      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0\r',
  '        with:\r',
  '          # Use NODE_AUTH_TOKEN environment variable to authenticate to this registry.\r',
  '          registry-url: https://registry.npmjs.org/\r',

But after:

  '    steps:\r',
  '      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1\r',
  '      - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1',
  '        with:\r',
  '          # Use NODE_AUTH_TOKEN environment variable to authenticate to this registry.\r',
  '          registry-url: https://registry.npmjs.org/\r',

Note the missing \r on the updated line.

A workaround is to not use CRLF

Smallest manifest that reproduces the issue

No response

[aaron-kruse]

This sounds like it's related to another issue:

• NuGet updates convert csproj files from CRLF to LF #8642

Edit: actually, after looking closer, it looks like these are related but a little different. It looks like the underlying problem in both issues is Dependabot uses LF line endings even when the existing file uses CRLF line endings. In this issue about YAML files, that's where the problem ends (end-result is a file with mixed line endings). For NuGet packages, on the other hand, there's some special handling to check for and "fix" mismatched line endings. Dependabot uses LF in a file that previously used only CRLF, created an issue with mismatched line endings, then Dependabot "fixes" this by switching everything to LF. The end-result is entire *.csproj files get modified, with diffs showing everything getting removed then re-added.

[github-actions]

👋 This issue has been marked as stale because it has been open for 2 years with no activity. You can comment on the issue to hold stalebot off for a while, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details.

[jakebailey]

It's not fixed, no :(

[yurikuzn]

I think .gitattributes should be honored. Dependabot overrides new lines in package.json, then, after I fetch the changes, the local git automatically modifies it back, because of eol=crlf in gitattributes.

[jakebailey]

I don't even think that's required. Just look at the existing line endings in a file and use them.

[fbienz]

I'm adding to this, since the new gradle wrapper updates change the line endings of gradlew.bat to LF. From what I've read about batch files, this can cause bugs in those scripts.

Correction: This only happened in Repositories where we had the following gitattributes file:

# Normalize checked-in files to LF, force checkout as LF
* text=auto eol=lf

# These are explicitly windows files and should use crlf
*.bat text eol=crlf

[Thunderforge]

Adding on to the report from @fbienz on Gradle wrapper, running ./gradlew init on a new project to set up Gradle generates this .gitattributes file:

#
# https://help.github.com/articles/dealing-with-line-endings/
#
# Linux start script should use lf
/gradlew        text eol=lf

# These are Windows script files and should use crlf
*.bat           text eol=crlf

# Binary files should be left untouched
*.jar           binary

With the current version of Dependabot, when it upgrades Gradle, it ignores the crlf line endings for gradlew.bat.