saadmk11 / github-actions-version-updater Goto Github PK

It looks like v.0.8.0 is now appending on minor/patch versions for upgrades? First, I'm not sure if that's intended behavior, but if so it's also appending minor/patch to versions which already list them. You can see an example here

From what I can tell, this is already available in the code, so it should hopefully be fairly easy to return it as an output.

How to specify that an Action has outputs: https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions
End-to-end example including how to set the output: https://docs.github.com/en/actions/creating-actions/creating-a-docker-container-action

Use case: I have a process that needs to run on the PR that was created by this action. Right now I do:

prnumber=$(gh search prs --repo ${{ github.repository }} --state open --match title "$PR_TITLE" --json number --jq '.[].number')

... which works but is kinda janky. It'd be great if this action would just return the number of the PR that was created so I wouldn't have to do this extra step.

Sometimes actions backport some features to previous major versions, and this action is offering them in the PRs, essentially meaning it would downgrade the version if merged.

As far as I understand this is due to not parsing the version and just looking at the latest release in terms of date. I recommend parsing the version and comparing them numerically to decide whether a version is newer or not.

Hello!

I noticed that the Configuration class has several default field values which are mutable (empty sets, and the ALL_RELEASE_TYPES).

In the (admittedly probably uncommon for Github Actions usage) case where multiple Configuration are instantiated, and they didn't have these fields overwritten by user input, they would all share mutations, similar to the "function parameter default value is mutable" issue.

Here's an example:

>>> import src.config as c
>>>
>>> j = c.Configuration()
>>> j.ignore_actions
set()
>>>
>>> k = c.Configuration.create({'INPUT_PULL_REQUEST_LABELS': 'label1,label2'})
>>> k.ignore_actions
set()
>>> k.ignore_actions.add('ignore1')
>>> j.ignore_actions    # `j`'s copy should still be empty
{'ignore1'}
>>>
>>> k.pull_request_labels
{'label1', 'label2'}
>>> j.pull_request_labels
set()
>>> j.pull_request_labels.add('another_label')
>>> k.pull_request_labels
{'label1', 'label2'}    # This is fine because `k` got a new set when parsing user input
>>>
>>>
>>> # The shared reference to `ALL_RELEASE_TYPES` has the same issue:
>>> j.release_types
['major', 'minor', 'patch']
>>> k.release_types.remove('minor')
>>> j.release_types
['major', 'patch']

pylint has an open issue for adding a warning about this: pylint-dev/pylint#3716

Resolution

I think two approaches to resolving this could be to either

• use empty frozenset() as defaults, instead of empty set(). This would mean that users of Configuration would no longer be able to call, for example, config.ignore_actions.add(...), if they were doing that.

• or convert Configuration from a NamedTuple into a @dataclass(frozen=True). Dataclass fields can have a factory function to return a new empty set for each instance, which would solve the reference sharing while maintaining internal mutability, if that's what you want.

For context:

I'm not sure why the action appears to be failing, but the highest logging reported are the warnings for workflows that have been removed from the master branch. Am I missing a particular configuration?

I have configured the version updater action on my project and it works perfectly. Thanks for your project.

But as it is executed every day and with a new branch name each time, if I don't check my projects every day, I end up with several pull requests for the same patch.

On my workflow:

on:                                                                                                                                                                                                            
  schedule:                                                                                                                                                                                                    
    - cron: '0 0 * * *'

On main.py :

new_branch_name = f"gh-actions-update-{int(time.time())}"

I think it will be good to have a fix branch name (at least as an option), So that the pull request can be updated each time (with a force push).

Best regards,
Jean-Marie

Hi,

Thank you very much for this useful package! I'm trying to bring it to (gh-)action, but the version of the checkout action seems to be determined or pasted incorrectly.

The GitHub-actions version updater wants to change:

- uses: actions/[email protected]
+ uses: actions/[email protected]

which is not a valid version in the repo or marketplace.

Please have a look at the current failing action as an example. But it also failed already earlier when the version was still v2

I appreciate any help/hints/work-arounds.

It would be nice to have optional fields for adding team reviewers/user reviewers on the PR that is generated by this action. This way we would also be notified of any newly opened PR due to this action.
I am trying to implement this for our openedX repos here in this PR: openedx/edx-platform#31170 and this feature would unblock me on this PR.

Hello, I'm trying to figure out if I can use this actions to only update files locally and then use different action for creating PR

I have similar workflow for updating pre-commit version update, with less permissions and it works just fine

Desired workflow:

permissions:
  pull-requests: write
  contents: read

jobs:
  auto-update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
            
      - name: Run GitHub Actions Version Updater
        uses: saadmk11/[email protected]
        with:
          skip_pull_request: true

      - uses: peter-evans/create-pull-request@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          branch: update/github-actions
          title: "chore: update github actions to latest version"
          commit-message: "chore: update github action"
          body: Update versions of github actions to latest version.

Hi,

I just tested it and have the following message:

Warning: Could not create a pull request on Squidex/squidex, status code: 404

https://github.com/Squidex/squidex/actions/runs/3260603775/jobs/5354281561

github/codeql-action#1561 (comment) indicates that we shouldn’t look at “releases” for CodeQL.

Could you please add a workaround to the GHA version updater that handles github/codeql-action/* specially?

Thanks!

Looking at this run I see…

Checking ".github/workflows/vm-slowlartus.yml" for updates
  Checking "vmactions/solaris-vm" for updates...
  Found new version for "vmactions/solaris-vm"
  Updating "vmactions/[email protected]" with "vmactions/[email protected]"...
  Found new version for "actions/checkout"
  Updating "actions/[email protected]" with "actions/[email protected]"...

… but no PR is produced.

I recently discovered this action and considered using it in my own projects.

For now, it seems to always generate a pull request if there are changes. While this is perfectly fine for most use cases, I would like to use this as a check only, id est an action which reports the corresponding action versions to update inside each workflow and fails if there are updates, without creating a corresponding pull request.

With the current updater class, this seems to be tricky: I would either have to subclass this in some code of mine and overwrite the complete run method - or monkey-patch at least create_pull_request.

Is there any chance of providing some sort of "dry run" mode natively, which just performs the check instead of sending a pull request as well?

Hi and thanks for this useful action. I just got it working and it does exactly what I wanted.

I did have a slight stumbling block though which is that I initially tried to use GitHub's new "fine grained" access token feature which allows limiting the access of the secret to a single repo:
https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/

With the fine grained token it seems that "workflow" scope is not enough and the workflow failed to push to a branch in the repo:

Create New Branch (refs/heads/main -> gh-actions-update-1677328662)
Commit Changes
  
  [gh-actions-update-167732[86](https://github.com/oscarbenjamin/protosym/actions/runs/4270016606/jobs/7433570757#step:4:95)62 ff18142] Update GitHub Action Versions
   4 files changed, 11 insertions(+), 11 deletions(-)
  
  Error: remote: Permission to oscarbenjamin/protosym.git denied to oscarbenjamin.
  fatal: unable to access 'https://github.com/oscarbenjamin/protosym/': The requested URL returned error: 403

https://github.com/oscarbenjamin/protosym/actions/runs/4270016606/jobs/7433570757

I was able to fix this by using a "classic" token with workflow scope. I would prefer to use a fine grained token but it is not clear what permissions I would need to give to that token when looking through the list of options.

There does not seem to be any mention of this in the README so I was wondering if you know what the scope for a fine grained token should be.

I would like to stay with @V3, @v4 and so on. Would be great to only suggest these changes. I do not need a PR for an upgrade from v3.2.11 to v3.2.12 for example.

Perhaps a mode with "MAJOR", "MINOR", "FULL"?

saadmk11/[email protected]

YML file is the standard one - first in README.MD, with changed actions/checkout to @v4:

Error and warnings:

Hi!
I'm currently trying to implement your workflow in voxpupuli/vox-pupuli-tasks#479

from the workflow config:

  github-action-updater:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
      with:
        token: ${{ secrets.SAADMK11_GITHUB_ACTIONS_VERSION_UPDATER_VPT }}
    - name: GitHub Actions Version Updater
      uses: saadmk11/[email protected]
      with:
        token: ${{ secrets.SAADMK11_GITHUB_ACTIONS_VERSION_UPDATER_VPT }}

This fails with:

Create New Branch
  error: pathspec 'refs/pull/479/merge' did not match any file(s) known to git
  Switched to a new branch 'gh-actions-update-1655896430'
  [gh-actions-update-1655896430 7cbc18e] Update GitHub Action Versions
   3 files changed, 14 insertions(+), 14 deletions(-)
  To https://github.com/voxpupuli/vox-pupuli-tasks
   ! [remote rejected] gh-actions-update-1655896430 -> gh-actions-update-1655896430 (shallow update not allowed)
  error: failed to push some refs to 'https://github.com/voxpupuli/vox-pupuli-tasks'
Create Pull Request
  Warning: Could not create a pull request on voxpupuli/vox-pupuli-tasks, status code: [422]

and a couple of questions:

• Does the token for actions/checkout@v2 actually needs the workflow scope?
• The action is marked as successful, even when the push failed. I think that should be changed?

While it was checking updates for an action, it just failed without any warning

Version: v0.7.4

Hi,

do you have an idea why the updater does not run when scheduled:
https://github.com/Squidex/squidex/actions/workflows/check-updates.yml

Seems that only manual runs actually work.

https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot

might be worth mentioning in the readme?

I have around 20 repositories where I use your package.

When I do not check the repository for a while, I sometimes have 5-6 PRs. Would be nice to have a flag to automatically delete the old pull requests.

Hi!

First of all thanks for writing this action and making it publicly available. 👍

I'm trying to make it to work, however for me it always fails at the Create New Branch stage, and unfortunately I can't see the reason for that from the output:

Create New Branch (refs/heads/main -> gh-actions-update-1669032900)
  Error: Note: checking out 'refs/heads/main'.
  
  You are in 'detached HEAD' state. You can look around, make experimental
  changes and commit them, and you can discard any commits you make in this
  state without impacting any branches by performing another checkout.
  
  If you want to create a new branch to retain commits you create, you may
  do so (now or later) by using -b with the checkout command again. Example:
  
    git checkout -b <new-branch-name>
  
  HEAD is now at 3acfbc3 Set explicit permissions in update gh actions workflow
  
  This repository is configured for Git LFS but 'git-lfs' was not found on your path. If you no longer wish to use Git LFS, remove this hook by deleting '.git/hooks/post-checkout'.

Using version 0.7.1.

I did try to disable Git LFS (even though doesn't seem like that would be a problem), with the same results.

Any hints?

Thanks

Hello,

I ran the composite action updater and I noticed the tool proposed to update the action "azure/login" to the version v1.4.6 although the version was already the last v1.4.7
So It is proposing a downgrade because from v1.4.7 to v1.4.6

Regards
Hme

I am using this action as follows:

- uses: saadmk11/[email protected]
  with:
    commit_message: "chore: update github action versions"
    pull_request_title: "chore: update github action versions"
    token: ${{ secrets.WORKFLOW_SCOPED_ACCESS_TOKEN }}

It gives the following warning:

Unexpected input(s) 'commit_message', 'pull_request_title', valid inputs are ['entryPoint', 'args', 'committer_username', 'committer_email', 'ignore', 'token']

And I get the default pull request title and commit message instead.

There seems to be something off with resolving the actual version changes:

Found new version for "actions/checkout"
  Updating "actions/checkout@v3" with "actions/[email protected]"
  Found new version for "saadmk11/github-actions-version-updater"
  Updating "saadmk11/github-actions-version-updater@main" with "saadmk11/[email protected]"
  Found new version for "actions/setup-python"
  Updating "actions/setup-python@v4" with "actions/[email protected]"

The specific issues I see here:

• v2.5.0 is considered more recent than version v3 for actions/checkout.
• v0.5.6 is considered more recent than main, although main references the latest unreleased code from the default branch.
• v4.3.0 is being proposed for the short syntax v4, although I would assume that v4 will always use the latest release of the v4 major version (currently being v4.3.0 for actions/setup-python). I am not sure about this though, as I could not find any information on which version is being picked by GitHub Actions in this case.

When using release-commit-sha, it would be helpful to be able to see what the corresponding release tag is. Changing from one SHA to another isn't immediately human-meaningful, but seeing a tag go from something like 0.3.1 to 1.0.0 is very human-meaningful:

Before:

-      - uses: actions/checkout@8f4b7f848...
+      - uses: actions/checkout@8e5e7e5ab...

After:

-      - uses: actions/checkout@8f4b7f848...  # 0.3.1
+      - uses: actions/checkout@8e5e7e5ab...  # 1.0.0

I think the tag names must already be known when using release-commit-sha, they're just not getting included in the changes to the yaml, so hopefully this would be easy to implement?

Thanks for your consideration and for maintaining this useful action!

When running this action, the workflows fails, even if there's no evident error and all the actions are checked:

The job is configured like this:

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
        with:
          # Access token with `workflow` scope is required
          token: ${{ secrets.ACTION_GITHUB_TOKEN }}

      - name: Run GitHub Actions Version Updater
        uses: saadmk11/[email protected]
        with:
          # Optional, This will be used to configure git
          # defaults to `github-actions[bot]` if not provided
          #committer_username: 'test'
          #committer_email: '[email protected]'
          # Optional, allows customizing the commit message and pull request title
          # Both default to 'Update GitHub Action Versions'
          commit_message: 'Github Actions versions have changed'
          pull_request_title: 'Github Actions versions have changed'
          # Access token with `workflow` scope is required
          token: ${{ secrets.ACTION_GITHUB_TOKEN }}
          release_types: major

Some action developers seem to put multiple actions into separate directories inside one repository: Example: flatpak-github-actions.

As this works with GitHub Actions, it would be nice to also be able to get update notifications for them.

Please see this PR

It lists 2 actions that have new versions but does not include the version bump in the PR code changes

The 2 actions are

google-github-actions/auth@v0
google-github-actions/deploy-cloudrun@v0

And they should have been set to

google-github-actions/[email protected]
google-github-actions/[email protected]

So that I can do manual upgrades, thanks!

Similar to #49

It runs fine on the github's runner but seem to fail on a self hosted runner

We are using 0.7.4 version

The actions were working correctly, and during the last run the error "fatal : not in a git directory" appeared.

The faulty run:
https://github.com/jmlemetayer/project-release/actions/runs/3699984553/jobs/6267948063

The last modification of the workflow was the update of the "actions/checkout" to v3.2.0 (done by the github-actions-version-updater):
jmlemetayer/project-release@a0a4dfd

We are currently using GitHub's API (which always returns .github/workflows/*.y(a)ml files) to find the workflow locations, This works in most cases but if a repository has workflow files in different locations then those files are not checked.

Originally Posted By: @villelahdenvuo
Ref: #29

for iterating the workflow files.
By default it will look in .github/workflows/*.y(a)ml for files.

Not my code, but I'm using this fork because I have some workflows in different folders that I would also like to keep up to date, but the fork is lacking the latest updates.

This seems like a fairly standard practice for GitHub Actions that create issues and PRs for you so I was surprised to find this wasn't an option here. We've got a couple of very PR-heavy repos so being able to add labels like "automated" and "dependencies" is very helpful for filtering bot-generated PRs from ones created by humans, especially for reminders and notifications.

Since composite actions are a alternative method to make the workflows more reusable, i think it would be good to add a way to check if the actions defined within have a new version.

Today, a composite action can be defined in two ways:

• In a public repository
  Then, can be used in a workflow like another Github Action in the marketplace (ex: uses: actions/checkout@v3). For this case, the version updater will work without problems.

• In a private repository
  For this case, you need to checkout the repo that contains the composite action using a PAT token. Then in the step, the action need be specified specified without the version (@x.x.x). The version of the composite action is determined by the ref input of the checkouted step of the composite action repo.

The problem is, in both cases, there is no way to check the versions of the actions used in the composite actions. Our projects uses a lot of these composite actions in the workflows. We used this approach because Github Actions does not support using reusable workflows from private repositores, only composite actions. There is a way to add this feature? Maybe scan the composite action file, instead of the workflow itself...

Thanks in advance.