Directly maintain template workflow dependencies via Dependabot #291
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Dependabot supports managing GitHub Actions action dependencies of workflows. In addition to the workflows used in the repository's own infrastructure, this system was also used to maintain the dependencies of the "template" workflows. At the time it was set up, Dependabot had an inconvenient behavior where workflows were expected to be found in the `.github/workflows/` subfolder of the path specified via the `directory` key of the `dependabot.yml` configuration file. This meant it was not possible to directly scan the workflows in the `workflow-templates` folder. The workaround was to put a set of copies in `workflow-templates/dependabot/workflow-template-copies/.github/workflows/`. The Dependabot PRs proposing to update those workflows when an outdated action dependency was detected were not merged, but instead used as a notification of available updates for the source workflows in `workflow-templates`. A change in Dependabot in spring of 2022 caused the template maintenance system to stop working. That bug has been fixed. Along with the fix, the odd system of not looking for workflows in the folder specified via the `directory` key was dropped, which means it is now possible to use Dependabot to directly maintain the workflow templates, making the duplicates no longer necessary.
Dependabot supports managing GitHub Actions action dependencies of workflows. Previously, Dependabot had an unintuitive behavior where workflows were expected to be found in the `.github/workflows/` subfolder of the path specified via the `directory` key of the `dependabot.yml` configuration file, meaning that if you want Dependabot to check the workflows at `/.github/workflows/`, you had to set `directory: /`. This odd requirement has now been dropped. Even though backwards compatibility has been provided for `directory: /` specifically, I think the configuration file is easier to understand with the full path to the workflows set, especially in repositories (such as this one) where workflows are also present in another path.
per1234
added
type: imperfection
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Dependabot supports managing GitHub Actions action dependencies of workflows. In addition to the workflows used in the repository's own infrastructure, this system is also used to maintain the dependencies of the "template" workflows.
At the time it was set up, Dependabot had an inconvenient behavior where workflows were expected to be found in the
.github/workflows/subfolder of the path specified via thedirectorykey of thedependabot.ymlconfiguration file. This meant it was not possible to directly scan the workflows in theworkflow-templatesfolder. The workaround was to put a set of copies inworkflow-templates/dependabot/workflow-template-copies/.github/workflows/. The Dependabot PRs proposing to update those workflows when an outdated action dependency was detected were not merged, but instead used as a notification of available updates for the source workflows inworkflow-templates.A change in Dependabot in spring of 2022 caused the template maintenance system to stop working (dependabot/dependabot-core#5047). That bug has been fixed (dependabot/dependabot-core#6189). Along with the fix, the odd system of not looking for workflows in the folder specified via the
directorykey was dropped (dependabot/dependabot-core#6189 (comment)), which means it is now possible to use Dependabot to directly maintain the workflow templates, making the duplicates no longer necessary.I set up a demonstration of this PR by putting the changes proposed here in place in my fork and downgrading action dependencies in the workflows there to trigger Dependabot PRs:
/.github/workflows/: https://github.com/per1234/tooling-project-assets/pull/3/workflow-templates/: https://github.com/per1234/tooling-project-assets/pull/2Fixes #224