Comments (7)
It's always true
if the title do not match regexp.
github-action-merge-dependabot/src/checkTargetMatchToPR.js
Lines 12 to 16 in 116f1db
from github-action-merge-dependabot.
Ah I can see that that dependabot PR is doing something we're not expecting here! It's bumping both react and react-dom. I've never seen this case before, I guess dependabot is getting smarter. We need a different strategy here, all of the assumptions we made in the action rely on a single package being bumped
from github-action-merge-dependabot.
@simoneb based on what I've seen, this is kind of an expected behavior in the code right now, even if not desired.
Specifically, looking at this test we can see it was actually expected that if the PR title didn't match the target match expression (/from ([^\s]+) to ([^\s]+)/
) the target
option would be ignored.
Moving forward we might want to improve that specific segment. Instead of simply checking the PR title we might want to check what's actually going on in the package.json
file. Maybe matching the package name(s) in the PR title with the versions in package.json
.
I'll work on that change for now but if you don't think that's not a good approach we can re-think the strategy.
Edit: only now I've seen the comments above lol.
from github-action-merge-dependabot.
If this issue is ever implemented we might want to drop checking the PR title altogether, given the PR template they implement might involve setting the title as well.
from github-action-merge-dependabot.
@wilkmaia is looking into this
from github-action-merge-dependabot.
I believe there was also a case where it still approved a merge to a major release with a valid semver format, although the config was set to target minor (example PR). However, this was with fastify/[email protected]
.
For this case with React, yes, the title has two dependencies and dependabot isn't including the version numbers in the title. We could parse the PR message for Updates react from 17.0.2 to 18.0.0
and Updates react-dom from 17.0.2 to 18.0.0
, however that may not be reliable if dependabot ever changes their template again. I would say that checking the diff in package.json
would be the most consistent and reliable option.
Thanks Fastify team for looking into this!
from github-action-merge-dependabot.
I agree that looking at the diff is probably the only reliable way.
from github-action-merge-dependabot.
Related Issues (20)
- Different targets for `development` and `production` dependencies HOT 3
- Release pending!
- Major version update is auto-merged with target set to minor HOT 16
- "Fetch metadata" step is skipped for "pull_request_target"
- Release pending!
- Clarify meaning of "target" option HOT 1
- Receiving 'Warning: Semver bump '' is invalid!' message HOT 3
- Fail with meaningful error in case an unsupported trigger is used HOT 1
- remove semver as dep HOT 1
- deprecation warning in test/log.test.js HOT 1
- use nearform-actions HOT 1
- remove gitdiff-parser as dependency HOT 1
- use esbuild instead of ncc
- Feature: Allow defining targets per pattern or group
- replace husky with @fastify/pre-commit
- use taprc and show coverage report HOT 1
- Suppress warning in CI/CD pipeline HOT 1
- remove @actions/github HOT 1
- Output does not seem to appear HOT 2
- Frequently see error "Pull request is in unstable status" (but all validation checks pass) HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from github-action-merge-dependabot.