What would you like Renovate to be able to do?
I'd like to update actions in a GitHub Action workflow. In the example workflow (shortened) below the wagoid/commitlint-github-action can be updated to 1.6.0.
jobs:
  commitlint:
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Lint commit messages
        uses: wagoid/[email protected]
Describe the solution you'd like
I'd like the github-actions manager to create updates for actions in GitHub Actions workflows.
Describe alternatives you've considered
Current alternative is to also add a regex manager (source).
{
  ...
  regexManagers: [
    {
      fileMatch: ['^\\.github/workflows/[^/]+\\.ya?ml$'],
      matchStrings: ['uses: (?<depName>.*?)@(?<currentValue>.*?)\\s'],
      datasourceTemplate: 'github-tags',
    },
  ],
  ...
}
Additional context
See discussions in https://github.com/renovatebot/config-help/issues/570 for this feature.
@rarkins Could you add the new permission to the hosted GitHub App?
@ikesyo can you first double check that our current github-actions manager is fully up to date with GitHub's latest syntax? I thought I'd wait until verifying that before asking for more permissions.
@rarkins Current github-actions manager partially supports the latest (YAML) syntax; only docker images https://github.com/renovatebot/renovate/blob/69fedcfcfd3f81141fa9b182e33e06f99b2d355e/lib/manager/github-actions/extract.ts#L15. To update actions on GitHub repo (e.g. uses: actions/checkout@v2), we need to use regex manager or update github-actions manager.
@rarkins I think it's safe to enable github-actions, we can update the manager later and use the regex manager for now.
@ikesyo Will you send a pr to update the github-actions manager?
I've updated the app's permissions so that existing org admins will get a request to approve them. We need to make sure that we gracefully handle permission failures though.
git push fails, which is problematic error
github-actions manager based on whether we have permissions or not
ok, so currently users have to explicitly enable the github-action manager for the app?
Yes, until we're sure that we're handling the lack of permissions gracefully enough
Just for my understanding, with approved permission it should be possible to update action files with the regex manager?
I added the regex manager from above (slightly modified), but my run fails with "repository-changed".
Approved permissions: "Read and write access to actions, checks, commit statuses, issues, and pull requests"
Run ID: 194424030
regex manager config
"regexManagers": [
  {
    "fileMatch": ["^\\.github/workflows/[^/]+\\.ya?ml$"],
    "matchStrings": ["uses: (?<depName>.*?)@(?<currentValue>.*?)\\s"],
    "datasourceTemplate": "github-tags",
    "versioningTemplate": "regex:^v(?<major>\\d+)(\\.(?<minor>\\d+)(\\.(?<patch>\\d+))?)?$"
  }
]
regex updates found during run
"regex": [
  {
    "packageFile": ".github/workflows/default.yml",
    "manager": "regex",
    "deps": [
      {
        "depName": "actions/cache",
        "currentValue": "v1",
        "datasource": "github-tags",
        "versioning": "regex:^v(?<major>\\d+)(\\.(?<minor>\\d+)(\\.(?<patch>\\d+))?)?$",
        "replaceString": "uses: actions/cache@v1\n",
        "depIndex": 2,
        "updates": [
          {
            "fromVersion": "v1",
            "toVersion": "v1.2.0",
            "newValue": "v1.2.0",
            "newMajor": 1,
            "newMinor": 2,
            "updateType": "minor",
            "isSingleVersion": true
          },
          {
            "fromVersion": "v1",
            "toVersion": "v2.0.0",
            "newValue": "v2.0.0",
            "newMajor": 2,
            "newMinor": 0,
            "updateType": "major",
            "isSingleVersion": true
          }
        ],
        "warnings": [],
        "sourceUrl": "https://github.com/actions/cache"
      }
      ...
run error during committing files
DEBUG: Error commiting files(branch="renovate/actions-cache-1.x")
{
  "err": {
    "message": "To https://**redacted**@github.com/<USER>/<REPO>.git'\n",
    "stack": "Error: To https://**redacted**@github.com/<USER>/<REPO>.git'\n\n at toError (/home/ubuntu/renovateapp/node_modules/simple-git/promise.js:90:14)\n at /home/ubuntu/renovateapp/node_modules/simple-git/promise.js:61:36\n at Git. (/home/ubuntu/renovateapp/node_modules/simple-git/src/git.js:937:21)\n at Function.Git.fail (/home/ubuntu/renovateapp/node_modules/simple-git/src/git.js:1475:18)\n at fail (/home/ubuntu/renovateapp/node_modules/simple-git/src/git.js:1433:20)\n at /home/ubuntu/renovateapp/node_modules/simple-git/src/git.js:1442:16\n at runMicrotasks ()\n at processTicksAndRejections (internal/process/task_queues.js:97:5)"
  }
}
DEBUG: Passing repository-changed error up(branch="renovate/actions-cache-1.x")
INFO: Repository has changed during renovation - aborting
Am I doing something wrong?
Unfortunately GitHub still blocks apps if the Actions change is made via git instead of API.
@rarkins Is that so? I am new to this issue but quickly checked if Dependabot supports this feature and it seems so, so I assume RenovateBot should be able to achieve this as well. Of course, unless GitHub keeps this API exclusive to their dependency manager.
Renovate app now has permission to update github workflows, but it's missing some manager features.
Renovate can currently only update uses: docker:xxx actions.
As a workaround you can use regexManagers:
renovate.json
...
"regexManagers": [
  {
    "fileMatch": ["^\\.github/workflows/[^/]+\\.ya?ml$"],
    "matchStrings": ["uses: (?<depName>[a-z-/]+?)@(?<currentValue>.+?)\\s"],
    "datasourceTemplate": "github-tags"
  }
]
...
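What the two matchStrings patterns quoted in this thread extract from a workflow file, as an added example that is not part of the issue or of Renovate's code. The workflow is constructed, `extract` and `missedByStrict` are hypothetical helpers, and a plain JavaScript RegExp with the `g` flag is assumed to approximate how the regex manager evaluates matchStrings.

```javascript
// Added example: the two matchStrings values quoted in this thread.
const LOOSE = 'uses: (?<depName>.*?)@(?<currentValue>.*?)\\s';
const STRICT = 'uses: (?<depName>[a-z-/]+?)@(?<currentValue>.+?)\\s';

// Constructed workflow. Every action name except actions/* is made up,
// and the digest and commit SHA are placeholder values.
const WORKFLOW = [
  'jobs:',
  '  build:',
  '    steps:',
  '      - uses: actions/checkout@v2',
  '      - uses: actions/cache@v1',
  '      - uses: Example-Org/deploy_action@v3',
  '      - uses: docker://alpine@sha256:0000',
  '      - uses: example/pinned@' + 'a'.repeat(40),
  '      - uses: ./.github/actions/local',
  '      - uses: example/last-line@v1', // no newline after this line
].join('\n');

// Apply one matchStrings pattern globally (assumption: plain JS RegExp
// approximates how the regex manager evaluates it).
function extract(pattern, text) {
  const deps = [];
  for (const m of text.matchAll(new RegExp(pattern, 'g'))) {
    const { depName, currentValue } = m.groups;
    // A full 40-hex ref is a commit pin; anything else is a movable tag/branch.
    const pinned = /^[0-9a-f]{40}$/.test(currentValue);
    deps.push({ depName, currentValue, pinned });
  }
  return deps;
}

// Names the loose pattern extracts that the tightened one silently skips.
function missedByStrict(text) {
  const strict = new Set(extract(STRICT, text).map((d) => d.depName));
  return extract(LOOSE, text)
    .map((d) => d.depName)
    .filter((name) => !strict.has(name));
}

console.table(extract(LOOSE, WORKFLOW));
console.table(extract(STRICT, WORKFLOW));
console.log('skipped by tightened pattern:', missedByStrict(WORKFLOW));
```

The loose pattern passes `docker://alpine` on to the github-tags datasource, while the tightened one drops it but also drops any action whose name contains uppercase letters, digits or underscores, so those stay un-updated without a warning. Neither pattern matches a `uses:` on a final line with no trailing newline, because both require whitespace after the version.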
@mrlubos it's unblocked now actually. The challenge was that we use git to push our changes to GitHub while Dependabot uses the API. The git flow does not follow the exact same path as API so there can be unintentional differences at times (it's not about GitHub benefiting their own app deliberately).
This is up for grabs right? I might be interested in taking a swing.
@RichiCoder1 it's all yours!
Is there a way/pattern in renovate to track tags but pin to a commit, kind of like in docker? I know it's pretty common for use to track tags, but pin to a commit to avoid tag-shifting issues.
(Also just generally any advice?)
@RichiCoder1 can you give an example of what you mean? I'm not sure the actions syntax allows both a tag as well as a SHA, so if we were to support that then we may need to invent part of the syntax ourselves.
Also for this issue I suggest you start with basic updating before progressing to anything advanced like pinning.
Sounds good!
> can you give an example of what you mean? I'm not sure the actions syntax allows both a tag as well as a SHA, so if we were to support that then we may need to invent part of the syntax ourselves.
That's fair. It doesn't, hence why I asked if something like that already existed.
:tada: This issue has been resolved in version 23.55.0 :tada:
The release is available on:
23.55.0
Your semantic-release bot :package::rocket: