Comments (5)
For a data point, I've occasionally manually combined the changes from multiple Dependabot PRs in cases where it doesn't make sense for the individual package updates to be applied separately (e.g. @sentry/*
where all package versions need to be kept aligned to result in a working system, but Dependabot today raises separate PRs for each directly-referenced dependency).
When I've done that, I've also gone and manually combined the metadata stanzas in the resulting commit message to indicate the now-combined update being applied. To me, that seems like a completely valid use case where I would want any tooling that reads this metadata to read the updated metadata even though my user had committed (and potentially authored) the commit. 🙂
from fetch-metadata.
I'm going to run this by the team internally to see what folks think...
from fetch-metadata.
I think that the only downside of implementing this is that we will need to release a new breaking version and inform the users about it.
Other than that, I assume that most users will copy/paste the examples
from fetch-metadata.
From @brrygrdn via slack:
As I recall, the intent of that method was to avoid anyone tacking on additional commits or force-pushing an edited commit that would trigger a user's automation. The reason we do the 'belt-and-braces' in the workflow is more about avoiding jobs running on every PR ending in errors rather than just skipping.
I think the intent that content should be verified as best possible is still worthwhile because people are using this as a gateway to automerging, etc, so as an official action I think we should avoid trusting the content by default.
Adding an option to disable content verification seems ok though as in that case the user knows what they are doing and has taken the safety catch off.
On the surface that makes sense to me, I hadn't even considered the case of someone tacking on additional commits to an existing Dependabot PR.
However, the funky part is that the logic is not checking the author of the last commit, it's checking the PR author:
fetch-metadata/src/dependabot/verified_commits.ts
Lines 22 to 25 in 173b40e
And on the flip side, only checking the PR author makes sense for the cases where someone has automation for an additional commit on every PR, such as using https://github.com/jonabc/licensed-ci.
So that kinda prevents us fully switching to checking the latest commit author rather than PR author.
That said, I'm still fine with leaving the existing check for defensive purposes, but does mean we could probably loosen the API over in #331 from specifying a custom user to simple on/off of enforcing the in-code check.
@brrygrdn feel free to add mroe comments if I'm misunderstanding or overlooking something.
from fetch-metadata.
Fixed by #336
from fetch-metadata.
Related Issues (20)
- Migrate to node 18 whenever Actions adds support for it. HOT 2
- Fetch Metadata action returns null update-type output for pull requests HOT 14
- Auto-merge not adhering to Branch Protection Rules HOT 3
- Error: Api Error: (404) Not Found HOT 1
- Package ecosystem output for gitsubmodules PRs is inconsistent with dependabot.yml
- `new-version` has trailing whitespace
- Allow for additional event types / Ignore "pull-request"+"pull-request-target" event types? HOT 1
- Support `newVersion` and `prevVersion` for updates with multiple dependencies HOT 2
- Error: github-token is not set! Please add 'github-token: "${{ secrets.GITHUB_TOKEN }}"' to your workflow file. HOT 1
- Add `severity` to the action outputs
- Add alert number to outputs HOT 1
- Alert metadata lookup not working as expected HOT 2
- `fetch-metadata` action returns `/` for directory output HOT 1
- `fetch-metadata` can not fetch metadata when using `workflow_run` event HOT 1
- Directory name is not properly extracted from branch name when using `-` separator. HOT 1
- Multi-segment directory name malformed when using non-standard separator.
- github actor is not dependabot when rerunning the job HOT 1
- Dependabot "update-type" not available in metadata retrieved for PR HOT 6
- Dependabot runs fail due to strict node and npm pinning HOT 5
- Include "outputs.publish-date" HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fetch-metadata.