Local actions in .github/actions/ are not checked #6345

Open
1 task done
benoitchantre opened this issue Dec 20, 2022 · 8 comments
Labels
L: github:actions GitHub Actions T: bug 🐞 Something isn't working T: feature-request Requests for new features

Comments

@benoitchantre

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

github-actions

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

Updated dependency

No response

What you expected to see, versus what you actually saw

When directory is set to "/", I expect that local actions located in .github/actions/ are also checked.

This is not the case.

You need to add a new item in the config file to allow Dependabot to check a specific action:

  - package-ecosystem: "github-actions"
    directory: "/.github/actions/deployment-tools"
    schedule:
      interval: "weekly"

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

@benoitchantre benoitchantre added the T: bug 🐞 Something isn't working label Dec 20, 2022
@jeffwidman jeffwidman added L: github:actions GitHub Actions T: feature-request Requests for new features labels Dec 22, 2022
@deivid-rodriguez
Contributor

Hei @benoitchantre! Did you find .github/actions documented anywhere? I did find one mention at https://docs.github.com/en/actions/creating-actions/about-custom-actions#choosing-a-location-for-your-action, is that the advice you followed when you put your actions at a .github/actions folder?

@benoitchantre
Author

Yes, the location I chose was influenced by the documentation.

> If you plan to combine action, workflow, and application code in a single repository, we recommend storing actions in the .github directory. For example, .github/actions/action-a and .github/actions/action-b.

Source: https://docs.github.com/en/actions/creating-actions/about-custom-actions#choosing-a-location-for-your-action

@Jason3S

Jason3S commented Sep 21, 2023

Moving comment from:
#7495 (comment)

I have been running into the same issue.

I took a look at the code. It also looks for action.yml and action.yaml in the directory specified, which means there is a workaround. It is a bit painful, but it works.

.github/dependabot.yml

  - package-ecosystem: "github-actions"
    # Workflow files stored in the
    # default location of `.github/workflows`
    directory: "/.github/actions/a_reusable_workflow"
    schedule:
      interval: "daily"

It means you will need to add an entry in dependabot.yml for every single .github/actions folder.

@deivid-rodriguez

The change to add support for scanning .github/actions does not look too bad. Should we look for just action.*(yaml|yml) files or all *.(yaml|yml) files in .github/actions?

def workflow_files
  return @workflow_files if defined? @workflow_files
  @workflow_files = []
  # In the special case where the root directory is defined we also scan
  # the .github/workflows/ folder.
  if directory == "/"
    @workflow_files += [fetch_file_if_present("action.yml"), fetch_file_if_present("action.yaml")].compact
    workflows_dir = ".github/workflows"
  else
    workflows_dir = "."
  end
  @workflow_files +=
    repo_contents(dir: workflows_dir, raise_errors: false)
    .select { |f| f.type == "file" && f.name.match?(/\.ya?ml$/) }
    .map { |f| fetch_file_from_host("#{workflows_dir}/#{f.name}") }
end

@deivid-rodriguez
Contributor

I guess just action.ya?ml for now? It seems that's the documented name at https://docs.github.com/en/actions/creating-actions/about-custom-actions#types-of-actions.

@ia0

ia0 commented Jul 22, 2024

Any update on this? The workaround is particularly annoying because it seems using a glob doesn't work:

  - package-ecosystem: "github-actions"
    directories:
      - "/.github/workflows"
      - "/.github/actions/*"

@ssbarnea

The problem is that the actions schema is different enough from the workflows ones. They share a lot of similarities but they are not compatible. The code needs to be able to read and update both.

@ia0

ia0 commented Sep 18, 2024

> The problem is that the actions schema is different enough from the workflows ones. They share a lot of similarities but they are not compatible. The code needs to be able to read and update both.

I don't think this is the problem of this issue. This issue is about needing to be explicit about local action paths. If the problem was a schema issue, then it shouldn't work to check local actions at all, regardless of how they are specified (which was #4327).

@Jason3S

Jason3S commented Sep 19, 2024

There is a workaround as described above.
I wrote an action that will update the .github/dependabot.yml file to include files found in .github/actions: https://github.com/streetsidesoftware/actions/tree/main/public/update-dependabot-github-actions

Here is an example of where it is used: https://github.com/streetsidesoftware/cspell-dicts/blob/main/.github/workflows/update-dependabot.yml
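
A check for the gap discussed in this thread, as an added example (not code from Dependabot or from any commenter): it lists every folder under .github/actions that holds an action.yml or action.yaml and reports those that no github-actions entry in dependabot.yml names. The function names, the sample config and the temporary repository layout are constructed for illustration, and directory entries are compared literally (assumption: no glob expansion).

```ruby
require "yaml"
require "tmpdir"
require "fileutils"

# Dependabot-style directory ("/.github/actions/foo") of every folder under
# .github/actions that contains an action.yml or action.yaml manifest.
def local_action_dirs(repo_root)
  Dir.glob(".github/actions/**/action.{yml,yaml}", base: repo_root)
     .map { |f| "/#{File.dirname(f)}" }
     .uniq.sort
end

# Directories named by github-actions entries in dependabot.yml, normalized to
# a leading slash and no trailing slash. Compared literally, no glob expansion.
def configured_action_dirs(dependabot_yaml)
  updates = (YAML.safe_load(dependabot_yaml) || {}).fetch("updates", []) || []
  updates.select { |u| u["package-ecosystem"] == "github-actions" }
         .flat_map { |u| Array(u["directory"]) + Array(u["directories"]) }
         .map { |d| d == "/" ? d : "/#{d.delete_prefix('/').chomp('/')}" }
end

# Local actions that no github-actions entry points at, so their `uses:` pins
# would not receive update PRs.
def uncovered_action_dirs(repo_root, dependabot_yaml)
  local_action_dirs(repo_root) - configured_action_dirs(dependabot_yaml)
end

# Constructed sample config: covers "/" and one of two local actions.
SAMPLE_CONFIG = <<~YAML
  version: 2
  updates:
    - package-ecosystem: "github-actions"
      directories: ["/", "/.github/actions/deployment-tools/"]
      schedule:
        interval: "weekly"
YAML

# Builds a constructed repository tree in a temp dir and runs the check on it.
def demo
  Dir.mktmpdir do |root|
    %w[deployment-tools/action.yml lint/action.yaml].each do |rel|
      path = File.join(root, ".github/actions", rel)
      FileUtils.mkdir_p(File.dirname(path))
      File.write(path, "runs:\n  using: composite\n  steps: []\n")
    end
    uncovered_action_dirs(root, SAMPLE_CONFIG)
  end
end

puts demo if __FILE__ == $PROGRAM_NAME
```

Run in CI against the real repository root and dependabot.yml, a non-empty result can fail the build until each listed directory has its own entry.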
