
Github Action Merge Dependabot

This action automatically approves and merges dependabot PRs.

Usage

Configure this action in your workflows providing the inputs described below. Note that this action requires a GitHub token with additional permissions. You must use the permissions tag to specify the required rules or configure your GitHub account.

The permissions required are pull-requests: write and contents: write (see the examples below).

If some of the required permissions are missing, the action will fail with the error message:

Error: Resource not accessible by integration

Inputs

github-token (required: No, default: ${{github.token}})
    A GitHub token.

exclude (required: No)
    A comma- or semicolon-separated list of packages that you don't want to auto-merge and would rather review manually before deciding whether to upgrade.

approve-only (required: No, default: false)
    If true, the PR is only approved but not merged.

merge-method (required: No, default: squash)
    The merge method you would like to use (squash, merge, rebase).

merge-comment (required: No, default: '')
    An arbitrary message to comment on the PR after it gets auto-merged. This is only useful when you receive too much e-mail noise and would like to filter mails for PRs that were merged automatically.

use-github-auto-merge (required: No, default: false)
    If true, the PR is marked as auto-merge and will be merged by GitHub when status checks are satisfied.

    NOTE: This feature only works when all of the following conditions are met.
    - The repository enables auto-merge.
    - The pull request base must have a branch protection rule.
    - The pull request's status checks are not yet satisfied.

    Refer to the official document about GitHub auto-merge.

target (required: No, default: any)
    A flag to only auto-merge updates based on Semantic Versioning.
    Possible options are: major, premajor, minor, preminor, patch, prepatch, prerelease, any.

    The value of this flag allows updates for all the matching versions and lower, with respect to priority. This means, for example, that if the target is set to major and the update is to a minor version, the auto-merge will be triggered.

    For more details on how the semantic version difference is calculated, please see the semver package.

    If you set a value other than any, PRs that are not semantic-version compliant are skipped. An example of a non-semantic version is a commit hash when using git submodules.

target-development (required: No)
    Same as target but specifies semver for development dependencies only. If present, it overrides the value in target for development dependencies.

target-production (required: No)
    Same as target but specifies semver for production dependencies only. If present, it overrides the value in target for production dependencies.

pr-number (required: No)
    A pull request number, only required if triggered from a workflow_dispatch event. Typically this would be triggered by a script running in a separate CI provider. See the "Trigger action from workflow_dispatch event" example.

skip-commit-verification (required: No, default: false)
    If true, the action will not expect the commits to have a verification signature. It is required to set this to true on GitHub Enterprise Server.

skip-verification (required: No, default: false)
    If true, the action will not validate the user or the commit verification status.

Output

merge_status
    The result status of the merge. It is one of: approved, merged, auto_merge, merge_failed, skipped:commit_verification_failed, skipped:not_a_dependabot_pr, skipped:cannot_update_major, skipped:bump_higher_than_target, skipped:packaged_excluded.
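As an added illustration (not the action's own code), the script below shows how the target and exclude inputs decide what happens to a Dependabot PR and which merge_status value each path reports. The version diff is a simplified stand-in for the semver package the action relies on; the priority order of bump kinds, the skipped:not_semver label and the sample PR titles are my assumptions, constructed for this example.

```javascript
// Added example, not code from fastify/github-action-merge-dependabot.
// Decides whether a Dependabot bump is within the configured `target`
// and reports a merge_status value for each outcome.

// Assumed priority order, lowest to highest. A target admits its own
// bump kind and everything to its left.
const PRIORITY = ['prerelease', 'prepatch', 'patch', 'preminor', 'minor', 'premajor', 'major'];

// Strict "major.minor.patch[-pre][+build]" parser. Returns null for anything
// that is not a full semver string, e.g. "2.3" or a git commit hash.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Simplified stand-in for semver.diff(): names the highest component that
// changed, prefixed with "pre" when the new version is a pre-release.
// Returns null when nothing changed.
function semverDiff(a, b) {
  const pre = b.pre !== null;
  if (a.major !== b.major) return pre ? 'premajor' : 'major';
  if (a.minor !== b.minor) return pre ? 'preminor' : 'minor';
  if (a.patch !== b.patch) return pre ? 'prepatch' : 'patch';
  if (a.pre !== b.pre) return 'prerelease';
  return null;
}

// The `exclude` input accepts either commas or semicolons as separators.
function parseExclude(value) {
  return String(value || '').split(/[,;]/).map((s) => s.trim()).filter(Boolean);
}

// Evaluate one PR. `title` is the Dependabot PR title
// ("chore(deps): bump <package> from <old> to <new>").
function decide({ title, target = 'any', exclude = '', approveOnly = false, isDependabot = true }) {
  if (!isDependabot) return 'skipped:not_a_dependabot_pr';
  const m = /bump (\S+) from (\S+) to (\S+)/.exec(title || '');
  if (!m) return 'skipped:not_a_dependabot_pr';
  const [, pkg, from, to] = m;

  if (parseExclude(exclude).includes(pkg)) return 'skipped:packaged_excluded';

  if (target !== 'any') {
    const a = parseSemver(from);
    const b = parseSemver(to);
    // Non-semver bumps (e.g. submodule commit hashes) are skipped unless target is "any".
    if (!a || !b) return 'skipped:not_semver'; // constructed label, not one of the action's
    const bump = semverDiff(a, b);
    if (bump !== null && PRIORITY.indexOf(bump) > PRIORITY.indexOf(target)) {
      return 'skipped:bump_higher_than_target';
    }
  }
  return approveOnly ? 'approved' : 'merged';
}

// Constructed sample titles exercising each path.
const SAMPLES = [
  { title: 'chore(deps): bump fastify from 4.0.1 to 4.1.0', target: 'minor' },
  { title: 'chore(deps-dev): bump react from 17.0.2 to 18.0.0', target: 'minor' },
  { title: 'chore(deps): bump react from 17.0.2 to 17.0.3', target: 'major', exclude: 'react;fastify' },
  { title: 'chore(deps): bump some-action from 2.2.0 to 2.3', target: 'minor' },
  { title: 'chore(deps): bump some-submodule from `6ac2744` to `45a65d6`', target: 'any' },
];

for (const s of SAMPLES) console.log(`${s.title} [target=${s.target}] -> ${decide(s)}`);

module.exports = { PRIORITY, parseSemver, semverDiff, parseExclude, decide };
```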

Examples

Basic example

name: CI
on:
  push:
    branches:
      - main
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # ...

  automerge:
    needs: build
    runs-on: ubuntu-latest

    permissions:
      pull-requests: write
      contents: write

    steps:
      - uses: fastify/github-action-merge-dependabot@v3

Excluding packages

permissions:
  pull-requests: write
  contents: write

steps:
  - uses: fastify/github-action-merge-dependabot@v3
    with:
      exclude: 'react,fastify'

Approving without merging

permissions:
  pull-requests: write
steps:
  - uses: fastify/github-action-merge-dependabot@v3
    with:
      approve-only: true

Specifying target versions

Specifying target for all packages

steps:
  - uses: fastify/github-action-merge-dependabot@v3
    with:
      target: 'minor'

Specifying target for development and production packages separately

steps:
  - uses: fastify/github-action-merge-dependabot@v3
    with:
      target-development: 'major'
      target-production: 'minor'

Trigger action from workflow_dispatch event

If you need to trigger this action manually, you can use the workflow_dispatch event. A use case might be that your CI runs on a separate provider, so you would like to run this action as a result of a successful CI run.

When using the workflow_dispatch approach, you will need to send the PR number as part of the input for this action:

name: automerge

on:
  workflow_dispatch:
    inputs:
      pr-number:
        required: true

jobs:
  automerge:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: write
    steps:
      - uses: fastify/github-action-merge-dependabot@v3
        with:
          pr-number: ${{ github.event.inputs.pr-number }}

You can initiate a call to trigger this event via API:

# Note: replace dynamic values with your relevant data
curl -X POST \
  -H "Accept: application/vnd.github.v3+json" \
  -H "Authorization: token {token}" \
  https://api.github.com/repos/{owner}/{reponame}/actions/workflows/{workflow}/dispatches \
  -d '{"ref":"{ref}", "inputs":{ "pr-number": "{number}"}}'

How to upgrade from 2.x to new 3.x

Migration example:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # ...

  automerge:
    needs: build
    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: write
    steps:
-     - uses: fastify/[email protected]
+     - uses: fastify/github-action-merge-dependabot@v3
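Review bot: the removed `uses:` line reads `fastify/[email protected]`, which is the page's e-mail obfuscation of the old 2.x action ref rather than a real reference, so readers should not copy it literally. The added `permissions:` block grants exactly the two scopes the Usage section requires (`pull-requests: write`, `contents: write`); keep it scoped to the `automerge` job, as shown, and keep `needs: build` so the merge still waits for the build job.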

Notes

  • A GitHub token is automatically provided by GitHub Actions and can be accessed using github.token. If you want to provide a token that's not the default one, you can use the github-token input.
  • Make sure to use needs: <jobs> to delay the auto-merging until the CI checks (test/build) have passed.
  • If you want to use GitHub's auto-merge feature but still use this action to approve Pull Requests without merging, use approve-only: true.

Acknowledgements

This project is kindly sponsored by NearForm


github-action-merge-dependabot's Issues

Release pending!

Pending commits since release v3.1.5

Unreleased commits have been found which are pending release, please publish the changes.

  • a3d4229 chore(deps-dev): bump husky from 7.0.4 to 8.0.1 (#214)
  • 6a02660 fix: regenerate build output and package-lock.json (#212)
  • f767865 chore(deps-dev): bump husky from 7.0.4 to 8.0.0 (#207)
  • 10367c3 chore(deps-dev): bump sinon from 13.0.2 to 14.0.0 (#205)
  • f4ccf6c chore(deps-dev): bump tap from 16.1.0 to 16.2.0 (#209)
  • 3e588de chore(deps): bump actions-toolkit from `6ac2744` to `45a65d6` (#208)
  • b5eb1bf chore(deps-dev): bump eslint from 8.14.0 to 8.15.0 (#206)
  • 1140330 chore(deps): bump actions-toolkit from `5da7919` to `6ac2744` (#204)

Issue generated by github-actions-notify-release.

500 error on action run

Run fastify/[email protected]
Error: Request failed with status code 500: {"statusCode":500,"code":"ERR_ASSERTION","error":"Internal Server Error","message":"{\"message\":\"Not Found\",\"documentation_url\":\"docs.github.com/rest/reference/apps#get-a-repository-installation-for-the-authenticated-app\"}"}

yaml:

Is this 500 error from GitHub, so that I should just retry, or is it from your application? I can't understand it from the logs.

Release pending!

Pending commits since release v3.2.0

Unreleased commits have been found which are pending release, please publish the changes.

  • 9e255af change parseCommaSeparatedValue to parseCommaOrSemicolonSeparatedValue (#250)
  • ddd38a6 chore(deps): bump actions-toolkit from `d4a8659` to `4030f12` (#249)
  • dffcf10 chore(deps-dev): bump eslint from 8.20.0 to 8.21.0 (#248)
  • 72bb185 chore(deps): bump actions-toolkit from `1a8c4d1` to `d4a8659` (#247)
  • 0d9a23e chore(deps-dev): bump eslint from 8.19.0 to 8.20.0 (#246)
  • 14e078c chore(deps): bump actions-toolkit from `4d1c2e0` to `1a8c4d1` (#245)
  • 3cc317e chore(deps-dev): bump eslint-plugin-prettier from 4.0.0 to 4.2.1 (#244)
  • 8b778c0 chore(deps): bump actions-toolkit from `7d7ed13` to `4d1c2e0` (#243)
  • b2150d4 chore(deps-dev): bump eslint from 8.18.0 to 8.19.0 (#242)
  • 65bcbe9 chore(deps): bump nearform/optic-release-automation-action from 2 to 3 (#241)
  • e0c360f chore: mention app uninstallation when migrating (#240)
  • 5983205 chore(deps-dev): bump prettier from 2.6.2 to 2.7.1 (#237)
  • 763409a chore(deps): bump actions-toolkit from `2de3d1d` to `7d7ed13` (#238)
  • 0f1cdd6 chore(deps): bump @actions/core from 1.8.2 to 1.9.0 (#236)
  • 6457e3d chore(deps-dev): bump eslint from 8.17.0 to 8.18.0 (#235)
  • 1b0f2cf chore(deps-dev): bump tap from 16.2.0 to 16.3.0 (#234)
  • dd82b9b chore(deps-dev): bump eslint from 8.16.0 to 8.17.0 (#233)
  • 8f8c2fa chore(deps): bump actions-toolkit from `8fdb36d` to `2de3d1d` (#232)
  • 6375aac chore(deps): bump actions-toolkit from `b2d9cfc` to `8fdb36d` (#229)
  • 44d4004 chore(deps-dev): bump @vercel/ncc from 0.33.4 to 0.34.0 (#228)
  • e34b23b chore(deps): bump minimist from 1.2.5 to 1.2.6 (#227)

Issue generated by github-actions-notify-release.

ci: Generate dist automatically

🚀 Feature Proposal

Using the {{ secrets.GITHUB_TOKEN }} in GitHub Actions we can commit directly to the PR or the master branch; that could be interesting to do automatically on PRs, so that when merging into master the dist folder will always be up to date.

Motivation

Simplify the build and release process

Using PAT throws error "Input required and not supplied: github-token"

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the bug has not already been reported

fastify/github-action-merge-dependabot version

3.1.4

Operating system

Linux

Operating system version (i.e. 20.04, 11.3, 10)

ubuntu-latest (currently ubuntu-20.04)

Description

Using a PAT for github-token throws an error and fails on initial PR job run.

A PAT is used instead of the GITHUB_TOKEN to allow deployment workflows to be triggered on the main branch by PRs merges. See: Triggering a workflow from a workflow.

Raw log from the failed job:

2022-05-06T04:59:40.2334607Z Requested labels: ubuntu-latest
2022-05-06T04:59:40.2334658Z Job defined at: austins/smoothnanners-web/.github/workflows/build.yml@refs/pull/49/merge
2022-05-06T04:59:40.2334676Z Waiting for a runner to pick up this job...
2022-05-06T04:59:40.8644504Z Job is waiting for a hosted runner to come online.
2022-05-06T04:59:43.9233605Z Job is about to start running on the hosted runner: Hosted Agent (hosted)
2022-05-06T04:59:46.0214385Z Current runner version: '2.291.1'
2022-05-06T04:59:46.0245172Z ##[group]Operating System
2022-05-06T04:59:46.0245792Z Ubuntu
2022-05-06T04:59:46.0246154Z 20.04.4
2022-05-06T04:59:46.0246456Z LTS
2022-05-06T04:59:46.0246910Z ##[endgroup]
2022-05-06T04:59:46.0247305Z ##[group]Virtual Environment
2022-05-06T04:59:46.0247700Z Environment: ubuntu-20.04
2022-05-06T04:59:46.0248118Z Version: 20220503.1
2022-05-06T04:59:46.0248784Z Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20220503.1/images/linux/Ubuntu2004-Readme.md
2022-05-06T04:59:46.0249536Z Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20220503.1
2022-05-06T04:59:46.0250080Z ##[endgroup]
2022-05-06T04:59:46.0250516Z ##[group]Virtual Environment Provisioner
2022-05-06T04:59:46.0250910Z 1.0.0.0-main-20220421-1
2022-05-06T04:59:46.0251317Z ##[endgroup]
2022-05-06T04:59:46.0252519Z ##[group]GITHUB_TOKEN Permissions
2022-05-06T04:59:46.0253337Z Actions: read
2022-05-06T04:59:46.0254086Z Checks: read
2022-05-06T04:59:46.0254598Z Contents: read
2022-05-06T04:59:46.0254926Z Deployments: read
2022-05-06T04:59:46.0255333Z Discussions: read
2022-05-06T04:59:46.0255713Z Issues: read
2022-05-06T04:59:46.0256111Z Metadata: read
2022-05-06T04:59:46.0256432Z Packages: read
2022-05-06T04:59:46.0256810Z Pages: read
2022-05-06T04:59:46.0257189Z PullRequests: read
2022-05-06T04:59:46.0257554Z RepositoryProjects: read
2022-05-06T04:59:46.0258010Z SecurityEvents: read
2022-05-06T04:59:46.0258415Z Statuses: read
2022-05-06T04:59:46.0258735Z ##[endgroup]
2022-05-06T04:59:46.0263285Z Secret source: Dependabot
2022-05-06T04:59:46.0263975Z Prepare workflow directory
2022-05-06T04:59:46.1210052Z Prepare all required actions
2022-05-06T04:59:46.1403168Z Getting action download info
2022-05-06T04:59:46.4510372Z Download action repository 'fastify/github-action-merge-dependabot@v3' (SHA:3ef36a063a845ad3b790809d9a3b8e92ea1f9bc2)
2022-05-06T04:59:47.3960337Z ##[group]Run fastify/github-action-merge-dependabot@v3
2022-05-06T04:59:47.3960662Z with:
2022-05-06T04:59:47.3960849Z   target: minor
2022-05-06T04:59:47.3961052Z   approve-only: false
2022-05-06T04:59:47.3961241Z   merge-method: squash
2022-05-06T04:59:47.3961436Z ##[endgroup]
2022-05-06T04:59:47.6158727Z /home/runner/work/_actions/fastify/github-action-merge-dependabot/v3/dist/index.js:216
2022-05-06T04:59:47.6160090Z         throw new Error(`Input required and not supplied: ${name}`);
2022-05-06T04:59:47.6160389Z         ^
2022-05-06T04:59:47.6160524Z 
2022-05-06T04:59:47.6160837Z Error: Input required and not supplied: github-token
2022-05-06T04:59:47.6161521Z     at Object.getInput (/home/runner/work/_actions/fastify/github-action-merge-dependabot/v3/dist/index.js:216:15)
2022-05-06T04:59:47.6162681Z     at exports.getInputs (/home/runner/work/_actions/fastify/github-action-merge-dependabot/v3/dist/index.js:9657:22)
2022-05-06T04:59:47.6163505Z     at Object.3348 (/home/runner/work/_actions/fastify/github-action-merge-dependabot/v3/dist/index.js:9317:5)
2022-05-06T04:59:47.6164211Z     at __nccwpck_require__ (/home/runner/work/_actions/fastify/github-action-merge-dependabot/v3/dist/index.js:9844:43)
2022-05-06T04:59:47.6164856Z     at /home/runner/work/_actions/fastify/github-action-merge-dependabot/v3/dist/index.js:9866:13
2022-05-06T04:59:47.6165479Z     at /home/runner/work/_actions/fastify/github-action-merge-dependabot/v3/dist/index.js:9869:3
2022-05-06T04:59:47.6166146Z     at Object.<anonymous> (/home/runner/work/_actions/fastify/github-action-merge-dependabot/v3/dist/index.js:9872:12)
2022-05-06T04:59:47.6166608Z     at Module._compile (node:internal/modules/cjs/loader:1101:14)
2022-05-06T04:59:47.6166997Z     at Object.Module._extensions..js (node:internal/modules/cjs/loader:1153:10)
2022-05-06T04:59:47.6167384Z     at Module.load (node:internal/modules/cjs/loader:981:32)
2022-05-06T04:59:47.6446619Z Cleaning up orphan processes

However, re-running failed jobs once gets it to succeed.

I'm not sure if this is another issue with GitHub Actions or with github-action-merge-dependabot.

Steps to Reproduce

The workflow is triggered by a pull_request event not workflow_dispatch.

This is the job yml (source):

    automerge:
        needs: docker
        runs-on: ubuntu-latest
        steps:
            -   name: Automerge
                uses: fastify/github-action-merge-dependabot@v3
                with:
                    github-token: ${{ secrets.PAT_REPO }}
                    target: minor

permissions: config is not specified as it only applies to the GITHUB_TOKEN.

Use a PAT with repo permissions saved as a repository secret.

Expected Behavior

Does not throw an error on the initial run when using a PAT instead of the GITHUB_TOKEN.

Remove backing web app

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the feature has not already been requested

🚀 Feature Proposal

GitHub announced that dependabot will now respect the GITHUB_TOKEN permissions configured in workflows.

https://github.blog/changelog/2021-10-06-github-actions-workflows-triggered-by-dependabot-prs-will-respect-permissions-key-in-workflows/

Because of this, there's a good chance that this action won't need the backing web app it's currently using and can be rewritten as a plain, self-contained action.

Motivation

No response

Example

No response

Change the default value for target from any to *

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the feature has not already been requested

🚀 Feature Proposal

Moving the discussion from #121 here:

As stated in the README:

based on Semantic Versioning

any is not valid in SemVer, but we have * for that, so I guess we should replace any with *.

Release pending!

Pending commits since release v3.1.3

Unreleased commits have been found which are pending release, please publish the changes.

  • 60a81b1 chore(deps-dev): bump eslint from 8.13.0 to 8.14.0 (#193)
  • 6b760d1 chore(deps-dev): bump tap from 16.0.1 to 16.1.0 (#192)
  • 7e5d90d chore(deps): bump semver from 7.3.6 to 7.3.7 (#191)
  • 0a230c4 chore(deps-dev): bump @vercel/ncc from 0.33.3 to 0.33.4 (#189)
  • c977600 chore(deps-dev): bump sinon from 13.0.1 to 13.0.2 (#188)

Issue generated by github-actions-notify-release.

v3 rollout

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the issue has not already been raised

Issue

To complete the #103 we need to:

  1. define the shutdown end date for the external application. I would propose 31st March or the 1st of April 😂
  2. implement and release fastify/dependabot-merge-action-app#105
  3. then implement and release #110
  4. then release v3 #107

push workflow not triggered in v3.

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the regression has not already been reported

Last working version

2.x

Stopped working in version

3.x

Node.js version

12.x

Operating system

Linux

Operating system version (i.e. 20.04, 11.3, 10)

20.04

💥 Regression Report

Now that v3 directly merges the pull request in the workflow without using an external app no push workflow is triggered.

In v2 once a dependabot pull request got merged any workflows listening on the push event were triggered.

Steps to Reproduce

automerge.yml

name: automerge

on:
  pull_request:
    branches:
      - main

jobs:
  automerge:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: write
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - uses: fastify/[email protected]
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

ci.yml

name: ci

on:
  push:
    branches:
      - main

jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo hello

Expected Behavior

ci.yml to be called.

I am unsure how/if this can be fixed as dependabot workflows have no access to other secrets other than the default GITHUB_TOKEN.

Manage semver-like formats

When the user sets the target option and the dependabot PR is like the following:

chore(deps): bump nearform/optic-release-automation-action from 2.2.0 to 2.3

(note the 2.3 version)

The semver check fails.

We should be more resilient and be able to merge this PR too.

Ref #121 (comment)

Specify engine

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the issue has not already been raised

Issue

It would be useful to specify the minimum node version in the package.json

take advantage of dependabot parse method

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the feature has not already been requested

🚀 Feature Proposal

Can we take advantage of the official dependabot parse method, which is based on the full commit message?
https://github.com/dependabot/fetch-metadata/blob/a7c13a83a67acff9b107367e6e9f1cdf9a66e97f/src/dependabot/update_metadata.ts#L29-L67

export async function parse (commitMessage: string, branchName: string, mainBranch: string, lookup?: alertLookup, getScore?: scoreLookup): Promise<Array<updatedDependency>> {
  const bumpFragment = commitMessage.match(/^Bumps .* from (?<from>\d[^ ]*) to (?<to>\d[^ ]*)\.$/m)
  const yamlFragment = commitMessage.match(/^-{3}\n(?<dependencies>[\S|\s]*?)\n^\.{3}\n/m)
  const lookupFn = lookup ?? (() => Promise.resolve({ alertState: '', ghsaId: '', cvss: 0 }))
  const scoreFn = getScore ?? (() => Promise.resolve(0))

  if (yamlFragment?.groups && branchName.startsWith('dependabot')) {
    const data = YAML.parse(yamlFragment.groups.dependencies)

    // Since we are on the `dependabot` branch (9 letters), the 10th letter in the branch name is the delimiter
    const delim = branchName[10]
    const chunks = branchName.split(delim)
    const prev = bumpFragment?.groups?.from ?? ''
    const next = bumpFragment?.groups?.to ?? ''

    if (data['updated-dependencies']) {
      return await Promise.all(data['updated-dependencies'].map(async (dependency, index) => {
        const dirname = `/${chunks.slice(2, -1 * (1 + (dependency['dependency-name'].match(/\//g) || []).length)).join(delim) || ''}`
        const lastVersion = index === 0 ? prev : ''
        const nextVersion = index === 0 ? next : ''
        const updateType = dependency['update-type'] || calculateUpdateType(lastVersion, nextVersion)
        return {
          dependencyName: dependency['dependency-name'],
          dependencyType: dependency['dependency-type'],
          updateType: updateType,
          directory: dirname,
          packageEcosystem: chunks[1],
          targetBranch: mainBranch,
          prevVersion: lastVersion,
          newVersion: nextVersion,
          compatScore: await scoreFn(dependency['dependency-name'], lastVersion, nextVersion, chunks[1]),
          ...await lookupFn(dependency['dependency-name'], lastVersion, dirname)
        }
      }))
    }
  }

  return Promise.resolve([])
}

Or we can depend on the workflow after dependabot/fetch-metadata@v1.

Motivation

Prevent custom logic which may break or not be supported for multiple languages.

Example

No response

Provide major (and minor) tags

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the feature has not already been requested

🚀 Feature Proposal

Provide a major tag v2 (and possibly v3 in the future) which points to the latest appropriate commit.
(Side note: I saw you provide v1, which points to the same commit as v1.0.0)

Motivation

As it is stated in GitHub Docs https://docs.github.com/en/actions/creating-actions/releasing-and-maintaining-actions#example-developer-process

We recommend creating releases using semantically versioned tags – for example, v1.1.3 – and keeping major (v1) and minor (v1.1) tags current to the latest appropriate commit. For more information, see "About custom actions" and "About semantic versioning."

Example

No response

Add milestone to pull request

🚀 Feature Proposal

Similarly to adding labels to a pull request, it would be nice to add a milestone to the pull request once it's merged.

The system must be smart enough to find an open milestone to add to the pull request, as it would be too dull to make a commit each time a release is made and a new milestone needs to be used.

Motivation

Projects may use labels to mark pull requests to a specific milestone.

The current workaround is to add a milestone manually once the pull request is merged.

Example

Remove `node_modules` folder

The node_modules folder should not be added to the git repository except for some very strange corner cases; remove it and add it to the .gitignore file.

I'm having an issue where the action still merges a major release even if the target is set to minor.

I'm having an issue where the action still merges a major release even if the target is set to minor.

For example, React v17.0.2 to v18.0.0 still gets merged.

    automerge:
        needs: analyze
        runs-on: ubuntu-latest
        permissions:
            pull-requests: write
            contents: write
        if: ${{ github.event_name == 'pull_request' }}
        steps:
            -   uses: fastify/github-action-merge-dependabot@v3
                with:
                    github-token: ${{ secrets.GITHUB_TOKEN }}
                    target: minor

Example PR: austins/smoothnanners-web-nextjs#17

Originally posted by @austins in #124 (comment)

Prettier configuration not enforced via eslint

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the issue has not already been raised

Issue

Eslint-prettier integration is not set up, causing formatting inconsistencies

How do I exclude packages from GitHub Actions?

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the issue has not already been raised

Issue

For example, putting fastify/github-action-merge-dependabot doesn't seem to work neither does.

GitHub actions workflows are not triggered when PRs are merged by this action

๐Ÿ› Bug Report

GitHub actions workflows are not triggered when PRs are merged by this action.

See the long discussion in nearform/fastify-secrets-core#59, which is using this action.

The behavior is by design, to avoid recursive workflow triggers.

Expected behavior

We would like to have workflows triggered by merges done by this action. One of the options is to use a GitHub application to do so. It may be worth researching how to do that.

Failed with status code 400

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure it has not already been reported

Fastify version

2.4.0

Plugin version

No response

Node.js version

n/a

Operating system

Linux

Operating system version (i.e. 20.04, 11.3, 10)

20.04.2

Description

I'm using the following configuration:

name: auto-merge

on:
  pull_request_target:

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: fastify/[email protected]
        with:
          target: minor
          merge-method: merge
          github-token: ${{ secrets.GH_TOKEN }}

I have installed the application on the repository nugit/transformer-service where the action is enabled. But it's failing with the following error:

Error: Request failed with status code 400: {"statusCode":400,"error":"Bad Request","message":"See https://github.com/fastify/github-action-merge-dependabot#usage - {\"message\":\"You must authenticate with an installation access token in order to list repositories for an installation.\",\"documentation_url\":\"https://docs.github.com/rest/reference/apps#list-repositories-accessible-to-the-app-installation\"}"}

Steps to Reproduce

See description

Expected Behavior

No response

`exclude` parameter is not compatible with GitHub Actions schema

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure it has not already been reported

Description

Documentation for this action suggests doing following for excluding certain packages:

steps:
  - uses: fastify/[email protected]
    with:
      github-token: ${{ secrets.GITHUB_TOKEN }}
      exclude: ['react']

However, according to https://json.schemastore.org/github-workflow.json, entries for with (which have the type env) should be this:

        "oneOf": [
          {
            "type": "string"
          },
          {
            "type": "number"
          },
          {
            "type": "boolean"
          }
        ]

Hence passing an array here does not pass the schema validation.

Steps to Reproduce

Pass an exclude parameter as suggested by documentation.
I believe this can also be observed here: pinojs/pino@4a55e54

Expected Behavior

Implementation is consistent with GA schema.

GITHUB_TOKEN is readonly and can't be used to merge the PR

This change caused this action to not be usable to merge PRs as described in the docs, because the built-in GITHUB_TOKEN is now readonly in pull_request events.

This article describes two alternatives to have a read/write token.

There is still an option to use a personal access token or a GitHub app though.

Ultimately, this action is not broken but the documentation should show how to use it successfully. The documentation is now broken because of the readonly behavior of the default GITHUB_TOKEN.

Release pending!

Pending commits since release v3.0.2

Unreleased commits have been found which are pending release, please publish the changes.

  • b5879a5 chore(deps): bump actions-toolkit from `a843cdd` to `6d83846` (#168)
  • 61bd59b chore(deps-dev): bump prettier from 2.6.1 to 2.6.2 (#170)
  • 0fa3347 chore(deps): bump @actions/github from 5.0.0 to 5.0.1 (#169)
  • ea594bc chore(deps): bump actions/checkout from 2 to 3 (#165)
  • 116f1db chore(deps-dev): bump prettier from 2.6.0 to 2.6.1 (#163)
  • 751c9be chore(deps-dev): bump tap from 16.0.0 to 16.0.1 (#162)
  • c270d38 chore(deps-dev): bump eslint from 8.11.0 to 8.12.0 (#161)
  • 428a038 chore(deps-dev): bump prettier from 2.5.1 to 2.6.0 (#160)
  • db2dac8 chore(deps-dev): bump eslint from 8.10.0 to 8.11.0 (#157)
  • ee1b0da chore(deps-dev): bump tap from 15.1.6 to 16.0.0 (#156)
  • aa144e7 Action-ref warning (#149)
  • aef9bb2 chore(deps): bump actions/setup-node from 2 to 3 (#154)
  • 44cb36b chore(deps-dev): bump eslint from 8.9.0 to 8.10.0 (#153)
  • 5572964 chore(deps-dev): bump sinon from 12.0.1 to 13.0.1 (#150)
  • 2b6f1f4 chore(deps-dev): bump @vercel/ncc from 0.33.1 to 0.33.3 (#151)
  • 29c6374 chore(deps-dev): bump eslint from 8.8.0 to 8.9.0 (#152)
  • ac41fce chore(deps-dev): bump eslint from 8.7.0 to 8.8.0 (#148)
  • a81b027 build: reduce dependabot update frequency (#146)
  • 5772a03 chore(deps-dev): bump eslint from 8.6.0 to 8.7.0 (#143)
  • 7cc50a1 chore: gha major tag (#142)
  • cfd12b7 chore(deps-dev): bump tap from 15.1.5 to 15.1.6 (#141)
  • 93a878b chore(deps-dev): bump eslint from 8.5.0 to 8.6.0 (#140)
  • 465cda1 chore: use semver major version of actions (#139)
  • ac7f5ad chore(deps): bump actions/setup-node from 2.5.0 to 2.5.1 (#138)
  • 0ebdcf8 chore: add notify-release workflow (#136)
  • 5dc0db2 feat: add release action (#123)
  • 6b94b37 chore(deps-dev): bump eslint from 8.4.1 to 8.5.0 (#133)
  • 8281799 chore(deps-dev): bump @vercel/ncc from 0.33.0 to 0.33.1 (#132)

Issue generated by github-actions-notify-release.

Target minor as default

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the feature has not already been requested

🚀 Feature Proposal

Starting from this issue:

The same issue above happened to the fastify's modules as well.

I think the target: minor is a more secure default for users.

Or, we could define target: major for dev-dependencies and target: minor for dependencies.

Motivation

Usually, the merge PRs are overseen and you may release a wrong semver or face some issue that needs investigating a lot.

There was already a comment somewhere that was cons to this change, but I think worth discussing it a bit.

Example

No response

Possible unwanted behavior with dependencies Node.js version support

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the issue has not already been raised

Issue

Hello.

I just stumbled upon this on the fastify-cli repository: fastify/fastify-cli#449

What is the issue?

The issue here is that since [email protected] the minimum required Node.js version is >=12 while fastify-cli currently supports Node.js 10 (note that there is no { "engines": { "node": ">=10" } } in the package.json file, but the CI configuration triggers a run on Node.js 10).

And while dotenv officially supports only Node.js 12 and greater, they have not introduced any actual breaking change for now, leading the CI to run without a single problem in the fastify-cli repository.

Regression in 3.1.0: Error: Cannot use 'in' operator to search for '' in false

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the bug has not already been reported

Fastify version

3.1.0

Plugin version

No response

Node.js version

??? whatever your action pulls

Operating system

Linux

Operating system version (i.e. 20.04, 11.3, 10)

20.04

Description

A basic use-case in my repository stopped working after dependabot bumped it from 3.0.2 to 3.1.0. An error message reads Error: Cannot use 'in' operator to search for '' in false. The only place that I see false in the output is for the default argument of the approve-only option. Please see the relevant run: https://github.com/richardsheridan/trio-parallel/runs/5859944536?check_suite_focus=true#step:2:7

Steps to Reproduce

I don't think my workflow and settings are anything extraordinary, but these are the only steps to reproduce that I have:

https://github.com/richardsheridan/trio-parallel/blob/e9d713c3b86434d8bc9f9a528e0017cdb49f4aa3/.github/workflows/ci.yml#L265-L277

Expected Behavior

No response

Handle commit hash versions properly

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the issue has not already been raised

Issue

Commit hashes are not being dealt with properly when used as version identifier. The following error is thrown as can be seen on the repro link when there's no target specified:

Run fastify/github-action-merge-dependabot@v3
Error: Cannot read properties of null (reading 'raw')

Prevent automerge failures

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the issue has not already been raised

Issue

This was originally reported in a GitHub support ticket:

There is an action which allows to merge dependabot Pull Requests automatically: https://github.com/fastify/github-action-merge-dependabot

It can be used in workflows as this one: https://github.com/simoneb/jetl/blob/master/.github/workflows/ci.yml.

You will see that it's used in a job automerge which needs job build. Job build is a required status check in order for the PR to be merged, configured in the branch protection rules of the repository settings.

What I see happening sometimes is that the automerge job fails because build has not completed yet, hence the required status check is not satisfied and hence the PR cannot be merged. But because automerge depends on the successful completion of build it doesn't make sense that this happens. It happens intermittently and you can see one such case here: https://github.com/simoneb/jetl/runs/4899793357?check_suite_focus=true

GitHub's response:

Hi Simone,

Thank you for reaching out to GitHub Support!

Taking a look at your workflow file, I wonder if the race condition comes from:

on: [push, pull_request]

I tested this out and when I update or create a new pull request, it also triggers the push event, as I'm technically pushing a pull request into the repository.

So I imagine there might be a race condition as the workflow is triggered twice when creating/updating the pull request and waiting on build.

With that being said, would it be possible to just use pull_request, or alternatively, we have had other users use workflow_run instead of needs, but the caveat to that is that this event will only trigger a workflow run if the workflow file is on the default branch:

https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run

https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-a-workflow-based-on-the-conclusion-of-another-workflow

We hope this helps! If you have any other questions about using GitHub Actions, we recommend asking in our GitHub Community Forum:

https://github.community/c/code-to-cloud/52

Missing LICENSE file in repository

Hi there!

package.json states that this repo is MIT licensed however said license file is missing.
I would open a pull request but it seems like a pretty important document that is best suited to a member of the Fastify group adding?

Release pending!

Pending commits since release v3.1.6

Unreleased commits have been found which are pending release, please publish the changes.

  • 5680353 chore(deps): bump actions-toolkit from `c7607c6` to `b2d9cfc` (#221)
  • 2114022 chore(deps-dev): bump eslint from 8.15.0 to 8.16.0 (#220)
  • 253045a chore(deps): bump @actions/github from 5.0.1 to 5.0.3 (#219)
  • 73d53cf chore(deps): bump actions-toolkit from `45a65d6` to `c7607c6` (#218)
  • 536660d chore(deps): bump @actions/core from 1.8.0 to 1.8.2 (#217)

Issue generated by github-actions-notify-release.

Filtering automerge emails to reduce noise

🚀 Feature Proposal

To POST a comment on the PR after approval with a specific message that can be used in email filters. 😬

Something like 👇
image

  • auto merge action approves the PR
  • merges the PR
  • posts a comment "DEPENDABOT-AUTO-MERGED"

Motivation

Now that almost all fastify repos are auto-merging dependabot PRs, it occurred to me that it could simplify/reduce noise further if we could set email filters and mark emails from auto-merged PRs "as read".

Of course, we could set a filter based on the sender "dependabot[bot] [email protected]", but it does not catch the "approval" and "merge" emails. See the example screenshot.

image

The first email comes from dependabot[bot] and correctly gets marked as read. However, the next two come from github-actions[bot] and stay unread.

@fastify/plugins thoughts?

Auto-Merge Flag to Limit to Minor/Patch Updates

🚀 Feature Proposal

Add an optional input flag (i.e. target) to only auto-merge on major, minor, patch updates based on Semantic Versioning.

  • Default value would be major.
  • Setting to minor would include both minor and patch updates.
  • Setting to patch would only auto-merge on patch updates.

Motivation

Major updates may have breaking changes. Being able to auto-merge to only minor or patch updates will allow PRs for major versions to be manually approved and merged.

Example

steps:
  - uses: fastify/[email protected]
    with:
      github-token: ${{ secrets.GITHUB_TOKEN }}
      target: minor

Change the default value for `target`

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the feature has not already been requested

🚀 Feature Proposal

This proposal aims to make the API simpler to understand; it doesn't change the actual behaviour, in fact it wants to keep it.

The only difference is that instead of using the special value any I'm proposing to just use an empty value ('', undefined…) to achieve the same thing.

Motivation

  • we don't need to create a special value to disable the target check, we just leave it empty
  • we simplify the validation of target so it would only accept valid SemVer identifiers

Example

N/A

@v1 conflicting docs

On @v1, the readme says Inputs: GITHUB_TOKEN, but then the example below says github-token: ${{secrets.github_token}}

of course, users copy the example, rather than read the preceding block!

This ends up failing job:

Warning: Unexpected input(s) 'github-token', valid inputs are ['GITHUB_TOKEN']
Run fastify/github-action-merge-dependabot@v1
  with:
    github-token: ***
Error: Resource not accessible by integration

ref (probably private):

github workflow not supported

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the regression has not already been reported

Last working version

3.0.2

Stopped working in version

3.1.0

Node.js version

/

Operating system

Linux

Operating system version (i.e. 20.04, 11.3, 10)

/

💥 Regression Report

I think it should fall back to the title regex when no package.json is found in the diff.
Of course, it should not allow the upgrade if the title does not match, which is different from before.

Steps to Reproduce

fastify/fastify#3825

Expected Behavior

github workflow should be supported.

dist folder not aligned and not being built during release

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the issue has not already been raised

Issue

The dist folder is not aligned with the source code and it's not being regenerated during the build.

Support workflow_dispatch Event Context

🚀 Feature Proposal

Support the workflow_dispatch as an acceptable event context to run this action.

Motivation

It looks like this only supports the pull_request event context here. In my case, my CI runs on a different provider which I can't change out right now. I would like to initiate a workflow_dispatch via API when my CI has passed so that the auto-merge action can then take effect.

workflow_dispatch

Example

# actions file
name: Dependabot Auto Merge
on: workflow_dispatch

jobs:
  automerge:
    runs-on: ubuntu-latest
    steps:
      - uses: fastify/[email protected]
        with:
          github-token: ${{ secrets.TOKEN }}

# script
curl -X POST \
  -H "Accept: application/vnd.github.v3+json" \
  -H "Authorization: token ${PAT}" \
  https://api.github.com/repos/{owner}/{repo}/actions/workflows/{workflow_id}/dispatches \
  -d '{"ref":"ref"}'

Block automerge itself for semver major

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the issue has not already been raised

Issue

Refs:

When we release a major version of this GHA, dependabot will open a PR against this GHA's users.
The github-action-merge-dependabot will merge the PR updating itself, assuming users have the default target: any configuration.

This must not happen: a major bump of this GHA must be done manually by the user because a major release (could) mean a new GHA syntax.

The github-action-merge-dependabot cannot upgrade itself regardless of the target filter.

In this case, we should:

  • if the api_url is the default value:
  • if the api_url is not the default value:
    • set the GHA step as FAILED with a how to upgrade message
    • log the same message as a warning
    • (optional if possible) comment the PR with the same message

Improve handling of invalid PR titles

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the issue has not already been raised

Issue

  • Improve handling of invalid PR titles, it should throw an error instead of silently approving the PR (as per discussion with @simoneb)
  • Parse package name from branch name instead of title to avoid namespace issues
  • Fix related tests

[IGNORE FOR NOW] The action should wait until all required checks are complete

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the bug has not already been reported

Fastify version

Plugin version

latest

Node.js version

Operating system

Windows

Operating system version (i.e. 20.04, 11.3, 10)

Description

PLEASE IGNORE THIS ISSUE FOR NOW

When executed, this action assumes that the required status checks have already been satisfied. There are some cases in which this is not true, therefore the action fails to merge the PR.

At a high level there are a few scenarios where this may happen:

  • when used in the context of a build matrix
  • when there are required checks outside of the workflow when this action is used

A solution to this issue would probably cover both.

Steps to Reproduce

  • have a build job in your workflow, configured with a matrix (e.g. different node versions, say 14 and 16)
  • mark all the builds of the matrix as required checks in the repo branch protection settings
  • use this action with needs: build in the same workflow

What will sometimes happen is that:

  • build 14 starts
  • build 16 starts
  • build 14 completes
  • action runs as a consequence of one of the builds completing
  • action fails because build 16 is a required check so the PR can't be merged
  • build 16 completes
  • yeah right Simone, so why doesn't automerge run as a consequence of build 16 completing?? Go figure! Yet I saw this happening!

Expected Behavior

No response

100% code coverage

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the issue has not already been raised

Issue

Achieve and enforce 100% code coverage

Unable to resolve action

๐Ÿ› Bug Report

Github workflows are unable to resolve v2 with error:

Unable to resolve action `fastify/github-action-merge-dependabot@v2`, unable to find version `v2`

To Reproduce

Using config below:

dependabot-merge:
  name: "Dependabot automerge"
  needs: test
  runs-on: ubuntu-latest
  if: github.actor == 'dependabot[bot]' && github.event_name == 'pull_request'
  steps:
    - uses: fastify/github-action-merge-dependabot@v2
      with:
        github-token: ${{secrets.GITHUB_TOKEN}}

Expected behavior

Action works

Does not work for git submodules

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the regression has not already been reported

Last working version

2.1.1

Stopped working in version

2.2.0

Node.js version

N/A

Operating system

Linux

Operating system version (i.e. 20.04, 11.3, 10)

20.04

💥 Regression Report

Updating git submodules stopped working in 2.2.0 due to the newly added target parameter. Submodules are updated by new commits, and so they fail the SemVer check (compared by hashes):

Workflow error

Steps to Reproduce

  • Add a submodule in your repo
  • Create a dependabot workflow to update submodules:
version: 2
updates:
  - package-ecosystem: "gitsubmodule"
    directory: "/"
    schedule:
      interval: "daily"
  • Create a simple GitHub action for fastify/github-action-merge-dependabot

Expected Behavior

It should just ignore git submodules and automatically merge them regardless. A skip option for target would be a solution for that.
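The target filter requested in "Auto-Merge Flag to Limit to Minor/Patch Updates", the commit-hash versions behind the "reading 'raw'" crash and this submodule regression, and the self-upgrade rule from "Block automerge itself for semver major" all come down to one decision function. The JavaScript below is an added example written for this page, not the action's own source: decide(), bumpKind(), SELF_PACKAGE, TARGET_PRIORITY and the commit-hash heuristic are assumptions for illustration, the filter is simplified to the three core SemVer levels (no premajor/prerelease handling), and the sample titles are constructed from the shape of the Dependabot PRs listed in the release issues above. It goes a little beyond the reports by also handling bare majors such as "from 2 to 3" and all-digit hashes.

```javascript
// Added example, not the project's code: the merge decision an auto-merge
// action has to make for a Dependabot PR. It covers the `target` priority
// filter, versions that are commit hashes (git submodules, SHA-pinned
// actions) and a major bump of the merge action itself. Names such as
// decide(), SELF_PACKAGE and TARGET_PRIORITY are assumptions for illustration.

const TARGET_PRIORITY = ['patch', 'minor', 'major']; // ascending; 'any' disables the filter
const SELF_PACKAGE = 'fastify/github-action-merge-dependabot';

// Dependabot titles read "bump <name> from <a> to <b>", optionally with a
// "chore(deps):" prefix and backticks around commit hashes. Returns null for
// anything else, so the caller can fail loudly instead of approving an
// arbitrary PR that merely came from the dependabot[bot] actor.
function parseDependabotTitle(title) {
  const m = /\bbump (\S+) from `?([^\s`]+)`? to `?([^\s`]+)`?/i.exec(title);
  return m ? { name: m[1], from: m[2], to: m[3] } : null;
}

// Heuristic: 7 to 40 hex characters is a git object id, never a version,
// even when it happens to be all digits (a naive coerce would turn "1234567"
// into a huge major version).
function looksLikeCommitHash(v) {
  return /^[0-9a-f]{7,40}$/i.test(v);
}

// Accepts "3", "2.5", "v1.2.3" and "1.2.3-beta.1"; missing parts default to 0
// because Dependabot uses bare majors for actions ("from 2 to 3").
// Returns null for commit hashes and other non-SemVer strings instead of
// throwing, which is the failure the "reading 'raw'" report describes.
function parseSemver(v) {
  if (looksLikeCommitHash(v)) return null;
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +(m[2] || 0), patch: +(m[3] || 0), prerelease: m[4] || null };
}

// 'major' | 'minor' | 'patch' | null (null = at least one side is not SemVer)
function bumpKind(from, to) {
  const a = parseSemver(from);
  const b = parseSemver(to);
  if (!a || !b) return null;
  if (b.major !== a.major) return 'major';
  if (b.minor !== a.minor) return 'minor';
  return 'patch';
}

// Returns { action: 'merge' | 'skip' | 'fail', reason? }. 'skip' leaves the PR
// to a human and exits successfully; 'fail' marks the step failed so that a
// misconfiguration or a self-upgrade is noticed rather than silently merged.
function decide({ title, target = 'any' }) {
  const pr = parseDependabotTitle(title);
  if (!pr) return { action: 'fail', reason: `unrecognised PR title: ${title}` };
  if (target !== 'any' && !TARGET_PRIORITY.includes(target)) {
    return { action: 'fail', reason: `invalid target: ${target}` };
  }
  const kind = bumpKind(pr.from, pr.to);

  // A major bump of the merge action itself is never auto-merged, whatever
  // `target` says: a new major may change the action's inputs.
  if (pr.name === SELF_PACKAGE && kind === 'major') {
    return { action: 'fail', reason: `${SELF_PACKAGE} major upgrades must be merged manually` };
  }
  if (target === 'any') return { action: 'merge' };

  // Commit hashes carry no SemVer information, so the target filter cannot
  // vouch for the change: skip instead of crashing.
  if (kind === null) {
    return { action: 'skip', reason: `non-SemVer bump ${pr.from} -> ${pr.to}` };
  }
  // target: minor admits minor and patch; target: major admits everything.
  if (TARGET_PRIORITY.indexOf(kind) <= TARGET_PRIORITY.indexOf(target)) {
    return { action: 'merge' };
  }
  return { action: 'skip', reason: `${kind} bump exceeds target ${target}` };
}

// Constructed sample titles, shaped like the Dependabot PRs listed above.
const SAMPLES = [
  { title: 'chore(deps-dev): bump eslint from 8.11.0 to 8.12.0 (#161)', target: 'minor' },
  { title: 'chore(deps-dev): bump sinon from 12.0.1 to 13.0.1 (#150)', target: 'minor' },
  { title: 'chore(deps): bump actions-toolkit from `a843cdd` to `6d83846` (#168)', target: 'minor' },
  { title: 'chore(deps): bump fastify/github-action-merge-dependabot from 2 to 3', target: 'any' },
];
for (const s of SAMPLES) console.log(s.target, '=>', JSON.stringify(decide(s)));
```

The deliberate choice is that a non-SemVer bump under a restrictive target yields skip, not fail: the workflow stays green and the PR simply waits for a reviewer, which is the "skip option" the submodule report asks for, while an unparseable title or a self major bump fails the step so nobody mistakes silence for approval.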

GITHUB_TOKEN permissions used by this action

At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of GITHUB_TOKEN permissions needed by different GitHub Actions. When developers try to set minimum token permissions for their workflows, they can use this knowledge-base instead of trying to research permissions needed by each GitHub Action they use.

Below you can see the KB of your GITHUB Action.

name: 'Github Action Merge Dependabot'
github-token:
  action-input:
    input: github-token
    is-default: false
  permissions:
    contents: write
    contents-reason: to merge PRs
    pull-requests: write
    pull-requests-reason: to create reviews in PRs #Checkout: https://github.com/fastify/github-action-merge-dependabot/blob/2d4bd4eef9cd83988413214f9af48caf02282b4a/src/github-client.js#L35
#FIX: #670

If you think this information is not accurate, or if in the future your GitHub Action starts using a different set of permissions, please create an issue at https://github.com/step-security/secure-workflows/issues to let us know.

This issue is automatically created by our analysis bot, feel free to close after reading :)

References:

GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.

Setting minimum token permissions is also checked for by Open Source Security Foundation (OpenSSF) Scorecards. Scorecards recommend using https://github.com/step-security/secure-workflows so developers can fix this issue in an easier manner.
