Comments (19)
Thanks for reporting this. I'm afraid that we simply did not consider this when moving away from the backing web app, which we thought of as a temporary workaround for limitations in github permissions.
I think that the behavior you're seeing is another known limitation in github, which prevents workflows from triggering other workflows to avoid infinite recursion.
This is a somewhat important limit that we should probably point out in the docs, but I don't see us going back to the backing web app at this stage.
from github-action-merge-dependabot.
including @Eomm in this conversation
from github-action-merge-dependabot.
As a workaround, could you try to use a custom developer token instead of the default GITHUB_TOKEN?
from github-action-merge-dependabot.
together with @Eomm's suggestion above, and regarding your comment:
I am unsure how/if this can be fixed as dependabot workflows have no access to other secrets other than the default GITHUB_TOKEN.
GitHub now supports dependabot secrets. So storing a PAT in secrets AND dependabot secrets would probably make this work.
It's not a full solution, but it may be the best we can do for now, apart from staying on v2.
from github-action-merge-dependabot.
Now that v3 directly merges the pull request in the workflow without using an external app no push workflow is triggered.
This seems a limitation/bug in Github Actions. New commits are pushed to main so I would have expected the workflow to run. Maybe we should open an issue there?
from github-action-merge-dependabot.
I will check if a PAT works using a Dependabot secret, if so maybe we could just update the README to reflect the v3 changes.
from github-action-merge-dependabot.
It does work with a dependabot specific repository secret PAT :) Also if this is used then you don't need to specify extra permissions because of the rights given by the PAT.
from github-action-merge-dependabot.
Thanks for trying this out @JamesKyburz. The main issues with PATs are the lack of permission granularity and that they are bound to a user, which make them inappropriate for repositories with multiple contributors. I would personally not be comfortable using them in a repository with multiple contributors. On the other hand, I don't think there are any other solutions which would cause the merged PRs to trigger other workflows.
from github-action-merge-dependabot.
@simoneb I agree, although I can't think of any other solution either. I am also yet to find a way to automatically rotate PAT secrets too
from github-action-merge-dependabot.
After reading the GH docs it seems not doable by setting some config.
Maybe we could add an extra step to trigger a workflow by calling the /repos/{owner}/{repo}/actions/workflows/{workflow_id}/dispatches API to trigger a workflow manually
from github-action-merge-dependabot.
We would need to configure which workflow(s) to trigger. I am not a fan of the idea but not against it either. For most practical purposes this unintended behavior we have is surely not nice but not an extremely big deal anyway in my opinion (especially because we don't really have many options outside of going back to the backing github app).
The reason why it's not a very big deal in my opinion is because usually we would configure whatever workflow we run when something is merged to the master/main branch to run both on push and pull_request events, meaning that when you're in a dependabot PR, you're already running those same workflows for both the code that's in the PR and the code that's the result of merging the PR's branch into master/main, meaning that another workflow(s) run when the PR is actually merged is largely redundant.
Now, I appreciate this is not certainly covering all scenarios (e.g. you're triggering a CD workflow when merging to master/main), but lacking an obvious solution I guess we have to accept that we have this limitation, unless we decide that we don't want to have it, in which case the most obvious option is to go back to the github app.
from github-action-merge-dependabot.
Hi, I just stumbled across this problem too and from my point of view I would have no problem specifying the workflow I want to call. Is there an implementation date for the function?
from github-action-merge-dependabot.
I have found a solution for my workflow issue, my pull request workflow has this name: Check Pull Request
Add this to the workflow to be executed after the pull request workflow:

on:
  workflow_run:
    workflows: ["Check Pull Request"]
    types:
      - completed
from github-action-merge-dependabot.
Hi, I just stumbled across this problem too and from my point of view I would have no problem specifying the workflow I want to call. Is there an implementation date for the function?
There is nobody working on it. Would you like to send a PR?
I have found a solution for my workflow issue
do you mean something like the following?
name: ci
on:
  push:
    branches:
      - main
  workflow_run:
    workflows: ["automerge"]
    types:
      - completed
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo hello
It seems a good solution to me: we could document it!
from github-action-merge-dependabot.
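A guarded form of the `workflow_run` trigger from the comment above, as an added example that is not from the thread or the project. The workflow names `ci` and `automerge` come from that comment; the file name, the `permissions` block, the `if` guard and the checkout step are assumptions.

```yaml
# .github/workflows/ci.yml (file name is an assumption)
name: ci

on:
  push:
    branches:
      - main
  # A merge performed with GITHUB_TOKEN does not start push-triggered
  # runs, so also start when the automerge workflow finishes.
  workflow_run:
    workflows: ["automerge"]
    types:
      - completed

# workflow_run uses the workflow file and secrets of the default branch,
# whatever started the upstream run. Keep the token read-only here.
permissions:
  contents: read

jobs:
  ci:
    # "completed" also fires for failed or cancelled upstream runs.
    # Continue only for a real push, or for an automerge run that succeeded.
    if: >-
      github.event_name == 'push' ||
      github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      # For workflow_run, GITHUB_SHA is the last commit on the default
      # branch, so this checks out main after the merge, not the PR branch.
      - uses: actions/checkout@v4
      - run: echo "build and test main here"
```

A successful `automerge` run does not prove that a pull request was merged, so this job can run against an unchanged `main`.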
My only doubt here is that we have normally used exactly the same workflow for CI containing both our CI steps and the step which invokes the automerge action. This solution implies that the two would have to live in different workflow files. Let's say you have a ci and an automerge workflows. What triggers what?
pull_request -> ci
ci -> automerge
automerge -> ci
This goes into an infinite loop, doesn't it?
from github-action-merge-dependabot.
I have dependabot active, this creates a new pull request on package update, a workflow for pull requests validates the pull request and starts automerge after a successful build and triggers the primary workflow to create the new docker container.
from github-action-merge-dependabot.
can you describe how you set it up in more detail?
from github-action-merge-dependabot.
Just adding here that I am also running into this issue and the discussed workarounds aren't something I'd like to put in place. Is the best course of action to drop down to v2.x.x?
from github-action-merge-dependabot.
@wbaldoumas no plans to revert to the approach adopted in v2 at the current time. We understand the compromise but we chose to avoid using a backing API due to the maintenance overhead. We've been using v3 for several months now and while the lack of automatic triggers when PRs are merged is an inconvenience, we have not run into any major issues.
I'll leave this issue open because it's legit, but we don't plan to address it at the current time.
from github-action-merge-dependabot.