This page seems to be missing information about github_actions.
@imbsky thanks for raising this, we've currently disabled actions support due to a bug that prevented Apps from modifying the workflow file, but might be able to re-enable now that it's fixed.
Oh, I see!
@feelepxyz When you re-enable actions support, could you please update documentation and close this issue?
@imbsky it's still a work in progress so it won't create any PRs yet. Hopefully we'll get this wrapped up in the next month or so.
Great!
Is this still disabled?
@imbsky yeah sadly! There's a new app permission that needs to be added which hasn't been prioritised yet. Waiting for an update on it.
Okay, I'll wait.
Any updates?
@imbsky I'm chasing internally. Still need the new app permission to be deployed.
@feelepxyz I'm both an Actions user and an outside contributor who has made some improvements, if Actions is supported by Dependabot, I don't have to manually create a lot of PRs, so could you enable it as soon as possible? I don't want to bother you, but please.
We're waiting on an internal change to actions allowing any app to edit workflow files. It's not specific to Dependabot.
Oh, I see. That sounds like it will take some time.
The correct URL is https://github.blog/changelog/2020-04-07-github-apps-workflow-permission/ 🎉
It seems like something is still wrong. I have github_actions enabled, but it is not creating pull requests yet. I see in dependabot logs that it finds newer versions for actions though.
This is not yet enabled. So nothing is wrong, but I hope it will be enabled asap.
We've just launched a beta of Dependabot natively integrated into GitHub that supports updating Actions workflow files: https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/
Config file docs: https://help.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates
FYI - the new version currently doesn't support private git dependencies. We're working on adding this over the next few months.
It works! Great 🎉
https://github.com/peaceiris/actions-gh-pages/pull/334

I will leave my feedback. (I do not know whether here is the right place for feedback or not.)
The actions/[email protected] is a beta version (pre-release). We need a useful filter for not bumping it.
open-pull-requests-limit does not work
I set open-pull-requests-limit: 1 like the following but the dependabot has opened the two pull-requests at the same time.
```yaml
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 1
    labels:
      - "dependencies:ci"
    commit-message:
      prefix: ci
```
@feelepxyz I don't see Security & analysis tab on Settings from repositories I own and have dependabot-preview (as mentioned in @infin8x post https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/):

@peaceiris nice one, will take a look at the open pull request limit not being honoured.
Please detect pre-release and do not bump it
Yep, it's on our list of improvements. Will see what metadata we can get from tags.
@staticdev ah yes this page hasn't been fully rolled out yet. You can enable it from the Security tab on the repository under Dependabot alerts > Dependabot Security Updates.
@feelepxyz I've enabled Security Updates in 3 public repos of mine, then I entered dependabot.com and selected Update config file and it didn't work. When I click it again I see the message: "Something went wrong when creating your Pull Request. Try again or contact support." None of them worked.
@staticdev thanks for reporting, looks like we've tried to generate an invalid config file. Will take a look at fixing this tomorrow 👌
@feelepxyz if you want the repos to check:
I also saw in the post that the file location (.github/dependabot.yml) is different from the path I've been using with dependabot-preview (.dependabot/config.yml).
Thanks for reporting this @staticdev, we've fixed some issues and I _think_ you should be able to upgrade now, could you try again?
@jurre Good news! Dependabot could now create the pull requests, and changed the name/path of dependabot config file.
One strange thing I noticed is that, all of the repositories I tested gave me this warning:
"You're using unsupported features
The new version does not yet support private git dependencies. If you use these we recommend leaving Dependabot Preview active."
I am curious to know what unsupported features since I am not using private repositories...
You should be all good in that case 👍 we can't detect if the git dependencies you're using are private or not, so if you're using any git dependencies we show that warning. I'll think about the wording if we can make that more clear
@feelepxyz I have 3 other questions regarding this new config, maybe you could help me out:
Thanks again.
- Can the open-pull-requests-limit setting be omitted, to go with the default?
Yup, the default is 5
Any way to avoid hardcoding schedule.time? What is this based on, anyway? I got different times when upgrading projects.
This should be set from your account settings in your dependabot dashboard. You can omit it and the default 5am UTC will be used.
Do you know why dependabot badge now shows inactive on upgraded projects? Eg. here. Is this a bug?
Yup, this is broken with the update and we're tracking this here: https://github.com/dependabot/feedback/issues/968
Thanks again!!
Closing this as the original issue (lack of github_actions documentation) is fixed: https://help.github.com/en/github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot