Comments (12)
With #139 merged you are now able to directly reference the `directory`, `package-ecosystem`, and `target-branch` in the action.
from fetch-metadata.
@kojiromike I released a v1.2.0 tag that includes these changes: https://github.com/dependabot/fetch-metadata/releases/tag/v1.2.0
Closing this issue out. Thank you to everyone who contributed!
from fetch-metadata.
@mwaddell I can't believe I overlooked that. I've been having a lot of failed runs over the last few weeks due to labels not existing on the event snapshot; using the branch name should fix that.
Here's a modified version of the above workflow.
- uses: actions/github-script@v6 # the pinned version tag was lost in extraction; v6 is assumed, use whichever release you pin
  id: metadata
  with:
    script: |
      // https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#package-ecosystem
      // Branch-name segment (left) -> dependabot.yml package-ecosystem value (right)
      const ecosystems = {
        bundler: "bundler",
        cargo: "cargo",
        composer: "composer",
        docker: "docker",
        elm: "elm",
        github_actions: "github-actions",
        go_modules: "gomod",
        gradle: "gradle",
        hex: "mix",
        maven: "maven",
        npm_and_yarn: "npm",
        nuget: "nuget",
        pip: "pip",
        submodules: "gitsubmodule",
        terraform: "terraform",
      };
      // Dependabot branches look like dependabot/{ecosystem}/{directory}/{dependency}-{version},
      // so the ecosystem is always the second "/"-separated segment
      const branchName = context.payload.pull_request.head.ref;
      const [, branchEnvironment] = branchName.split("/");
      const ecosystem = ecosystems[branchEnvironment];
      if (!ecosystem) {
        core.setFailed(`No ecosystem found in branch: ${branchName}`);
        return;
      }
      core.info(`dependency-ecosystem detected: ${ecosystem}`);
      core.setOutput("dependency-ecosystem", ecosystem);
from fetch-metadata.
I want to allow all actions and npm dev dependencies to auto-merge, and then manually merge npm production dependencies. This behavior doesn't seem possible right now without having access to the ecosystem of each update.
A temporary workaround might be to check the dependency name for a `/` if it doesn't start with `@` (to filter out scoped npm packages), but that's too brittle to be a permanent solution.
from fetch-metadata.
@xt0rted I'm trying to solve a similar problem. While resolving this issue would obviously be a better solution, have you tried using the label as a proxy for the ecosystem? The docs say…
If more than one package manager is defined, Dependabot includes an additional label on each pull request. This indicates which language or ecosystem the pull request will update, for example: java for Gradle updates and submodules for git submodule updates.
I guess it would be complicated by needing to trigger the action on the label update event, but I just wondered if anyone else had tried it already.
from fetch-metadata.
this would be a great feature
from fetch-metadata.
@kojiromike that's a great idea I overlooked.
Here's something I put together real quick. The mapping is label name on the left, dependabot config name on the right. If you're using custom labels then you'll need to change the value on the left. I'm not sure if this mapping is 100% (used the values found here), and it looks like there might be an issue if you're using `maven` and `gradle` since they seem to use the same `java` label by default.
- uses: actions/github-script@v6 # the pinned version tag was lost in extraction; v6 is assumed, use whichever release you pin
  id: metadata
  with:
    script: |
      // https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#package-ecosystem
      // Default Dependabot label (left) -> dependabot.yml package-ecosystem value (right)
      const environments = {
        ruby: "bundler",
        rust: "cargo",
        php: "composer",
        docker: "docker",
        elixir: "mix",
        elm: "elm",
        submodules: "gitsubmodule",
        github_actions: "github-actions",
        go: "gomod",
        //java: "gradle",
        //java: "maven",
        javascript: "npm",
        ".NET": "nuget",
        python: "pip",
        terraform: "terraform",
      };
      const labels = context.payload.pull_request.labels.map(l => l.name);
      // an empty array is truthy, so check its length rather than the array itself
      if (labels.length === 0) {
        core.setFailed("Pull request has no labels");
        return;
      }
      // first label that has a mapping, or "unknown" when none of them do
      const label = labels.find(l => Object.prototype.hasOwnProperty.call(environments, l));
      const ecosystem = environments[label] || "unknown";
      core.setOutput("dependency-ecosystem", ecosystem);
Add that after your `fetch-metadata` step and then you can use `${{ steps.metadata.outputs.dependency-ecosystem }}` to filter subsequent steps.
Another option is to change the second to last line to something like this if there's no match:
const label = labels.find(l => Object.prototype.hasOwnProperty.call(environments, l));
const ecosystem = environments[label];
if (!ecosystem) {
  core.setFailed("No ecosystem label found");
  return;
}
I've only run a few tests with this, but once I start adding it to my repos I'll make sure to update the code above if I need to make any changes to it.
from fetch-metadata.
Note that you can parse both of these already from the PR's branch name since all of them will be in the format `dependabot/{ecosystem}/{directory}/{dependency}-{version}` (unless you override the separator).
from fetch-metadata.
Glad I could help! The labels don't get added until slightly after the PR is created (as an update), so if you have an action that absolutely needs the labels, you need to have it monitor the `pull_request: [labeled]` event as well and have it wait until the labels exist.
from fetch-metadata.
If anyone wants to take a crack at making a PR to address this issue, it would be something like this:
const { pull_request: pr } = context.payload;
const branchName = pr.head.ref;
// skip any non-dependabot branches
if (!branchName.startsWith("dependabot")) {
  return false;
}
// split on "/" (or whatever the user has overridden it as); the separator is
// the character right after "dependabot"
const sep = branchName[10];
const chunks = branchName.split(sep);
// chunks[0] is "dependabot", chunks[1] the ecosystem and the last chunk the
// {dependency}-{version}; everything in between is the directory, which
// Dependabot leaves out entirely when it is the repository root, so a branch
// with only 3 chunks means "/". Multi-segment directories are joined back
// together; a dependency name that itself contains the separator (scoped npm
// packages) still cannot be told apart from a directory this way.
const dirname = chunks.length > 3 ? "/" + chunks.slice(2, -1).join("/") : "/";
return {
  "directory": dirname,
  "package-ecosystem": chunks[1],
  "target-branch": pr.base.ref
};
from fetch-metadata.
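The branch-name format described above, parsed end to end, as an added example that is not code from fetch-metadata or from anyone in this thread. It turns a `dependabot{sep}{ecosystem}{sep}{directory}{sep}{dependency}-{version}` branch into dependabot.yml-style values (the `directory` is omitted by Dependabot when it is the repository root) and then applies the auto-merge policy asked for earlier in the thread: every github-actions update and every npm development dependency merges automatically, npm production dependencies wait for a human. Assumptions: the separator is the character immediately after `dependabot`; the caller passes the `directory:` values from its dependabot.yml, so that a `/` inside a dependency name (a scoped npm package, which Dependabot writes as `types/node` rather than `@types/node`) is not mistaken for a directory segment; and `dependencyType` carries the values of fetch-metadata's `dependency-type` output (`direct:production`, `direct:development`, `indirect`). The sample branch names at the bottom are constructed.

```javascript
// Added example, not code from fetch-metadata or from the commenters above.
// Parses a Dependabot branch name into dependabot.yml-style values and gates
// an auto-merge decision on ecosystem + dependency type.
// Assumptions: the separator is the character right after "dependabot"; the
// caller supplies the `directory:` values from dependabot.yml; dependencyType
// holds the values of fetch-metadata's dependency-type output.

// Branch-name segment -> dependabot.yml package-ecosystem value (same table as in the thread).
const ECOSYSTEMS = {
  bundler: "bundler",
  cargo: "cargo",
  composer: "composer",
  docker: "docker",
  elm: "elm",
  github_actions: "github-actions",
  go_modules: "gomod",
  gradle: "gradle",
  hex: "mix",
  maven: "maven",
  npm_and_yarn: "npm",
  nuget: "nuget",
  pip: "pip",
  submodules: "gitsubmodule",
  terraform: "terraform",
};

const PREFIX = "dependabot";

// Returns null for non-Dependabot branches and throws on branches that cannot be parsed safely.
function parseDependabotBranch(branchName, configuredDirectories = ["/"]) {
  if (!branchName.startsWith(PREFIX) || branchName.length <= PREFIX.length) {
    return null;
  }
  const sep = branchName[PREFIX.length];
  // "-" and "_" also occur inside ecosystem names and versions, so splitting on them is ambiguous.
  if (sep !== "/" && sep !== "|") {
    throw new Error(`cannot parse branch with separator ${JSON.stringify(sep)}: ${branchName}`);
  }
  const [, branchEcosystem, ...rest] = branchName.split(sep);
  const ecosystem = ECOSYSTEMS[branchEcosystem];
  if (!ecosystem) {
    throw new Error(`unknown ecosystem segment in branch: ${branchName}`);
  }
  // The directory is the longest configured directory whose path segments lead `rest`;
  // whatever is left over is the dependency name (which may itself contain the
  // separator) followed by the version. At least one chunk is always kept for it.
  let directory = "/";
  let consumed = 0;
  for (const dir of configuredDirectories) {
    const segs = dir.split("/").filter(Boolean);
    if (segs.length > consumed && segs.length < rest.length &&
        segs.every((seg, i) => rest[i] === seg)) {
      directory = "/" + segs.join("/");
      consumed = segs.length;
    }
  }
  const dependency = rest.slice(consumed).join(sep);
  if (!dependency) {
    throw new Error(`no dependency segment in branch: ${branchName}`);
  }
  return { "package-ecosystem": ecosystem, directory, dependency };
}

// Policy from the thread: github-actions always, npm only for development dependencies.
function shouldAutoMerge(parsed, dependencyType) {
  if (parsed === null) return false; // never auto-merge a non-Dependabot branch
  const eco = parsed["package-ecosystem"];
  if (eco === "github-actions") return true;
  if (eco === "npm") return dependencyType === "direct:development";
  return false; // everything else waits for a human
}

// Constructed samples. In a github-script step the branch comes from
// context.payload.pull_request.head.ref and the directories from .github/dependabot.yml.
const SAMPLE_DIRECTORIES = ["/", "/packages/web"];
const samples = [
  ["dependabot/github_actions/actions/checkout-3", "direct:production"],
  ["dependabot/npm_and_yarn/types/node-16.0.0", "direct:development"],
  ["dependabot/npm_and_yarn/packages/web/express-4.18.2", "direct:production"],
  ["feature/rename-module", "direct:development"],
];
for (const [branch, depType] of samples) {
  const parsed = parseDependabotBranch(branch, SAMPLE_DIRECTORIES);
  console.log(branch, "->", JSON.stringify(parsed), "auto-merge:", shouldAutoMerge(parsed, depType));
}
```

Resolving the directory against the configured list is what makes the scoped-package case safe: `dependabot/npm_and_yarn/types/node-16.0.0` yields directory `/` and dependency `types/node-16.0.0` because `types` is not a configured directory, whereas splitting blindly would report a `types` directory. Separators other than `/` and `|` are rejected rather than guessed, since `-` and `_` also appear inside ecosystem names and version strings.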
This is working well for me, except that I have to pin the action to a commit instead of a released version of fetch-metadata. I understand this is open source, so no pressure, but I look forward to there being a released version :)
from fetch-metadata.
Just noting that workflows need to test for `steps.dependabot-metadata.outputs.package-ecosystem == 'github_actions'` (with underscore) rather than `== 'github-actions'` (with hyphen). The underscore is not used at https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file, etc.
from fetch-metadata.