Skip to content

Updated PRs seem to resolved old metadata #728

Description

@llucax

We have an action to automatically apply migration scripts based on dependabot updates, and lately we've seen that when a PR is created to update to version X, but then updated to update to version Y, then this action gets the metadata for version X instead of Y.

See:

Run logs fragment:

Run dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98
  with:
    github-token: ***
    skip-commit-verification: false
    skip-verification: false
Parsing Dependabot metadata
Outputting metadata for 1 updated dependency
  outputs.dependency-names: frequenz-repo-config
  outputs.dependency-type: direct:development
  outputs.update-type: version-update:semver-minor
  outputs.directory: /
  outputs.package-ecosystem: pip
  outputs.target-branch: v0.x.x
  outputs.previous-version: 0.16.0
  outputs.new-version: 0.17.0
  outputs.compatibility-score: 0
  outputs.maintainer-changes: false
  outputs.dependency-group: repo-config
  outputs.alert-state: 
  outputs.ghsa-id: 
  outputs.cvss: 0

PR body at the time the action ran

Bumps the repo-config group with 1 update in the / directory: frequenz-repo-config.

Updates frequenz-repo-config from 0.16.0 to 0.18.0

Release notes

Sourced from frequenz-repo-config's releases.

v0.18.0

Frequenz Repository Configuration Release Notes

Summary

This release focuses on finishing the automation of dependabot updates, adding more automated upgrade workflows and fixing some problems with the previous release.

Upgrading

Cookiecutter template

All upgrading should be done via the migration script or regenerating the templates.

curl -sSLf https://raw.githubusercontent.com/frequenz-floss/frequenz-repo-config-python/<tag>/cookiecutter/migrate.py | python3 -I

New Features

Cookiecutter template

  • The cookiecutter now asks whether a repository is private, defaults that answer from the selected license, and uses it to toggle private-repository workflow behavior, public publishing jobs, and the link to GitHub Discussions in the issue template chooser.
  • All dependencies have been updated in the templates.
  • API projects now ship a dedicated grpc-migration.yaml workflow that runs after Dependabot bumps grpcio/grpcio-tools/protobuf and rewrites the matching runtime >= floors in pyproject.toml.
  • API projects now have a better grpcio/protobuf updates grouping in Dependabot, which should make upgrading easier, and plays nicer with the new grpc-migration.yaml workflow.
  • API projects should now use the new API-specific Protect version branches ruleset variant, which includes the required Fix gRPC/protobuf runtime floors check without affecting non-API Python projects.
  • Workflows using the gh-action-dependabot-migrate are upgraded to the latest version, which avoids unnecessary version iterations.
  • Add an isort-migration.yaml workflow that automatically reorders imports when Dependabot upgrades isort.

Bug Fixes

Cookiecutter template

  • The unused cross-arch QEMU-based testing infrastructure has been removed. The .github/containers/nox-cross-arch/ and .github/containers/test-installation/ directories, as well as the "Cross-Arch Testing" section in CONTRIBUTING.md.
  • Private repositories now are generated with credentials uncommented and the publishing workflows disabled.
  • The issue template chooser (config.yml) no longer includes the contact_links section for private repositories, since GitHub Discussions are typically disabled for them.
  • Normalized the GitHub Action hashes for gh-action-setup-git and gh-action-setup-python-with-deps to point to the actual commit object, which is what Dependabot expects.
  • API projects now configure black with extend-exclude = '^/submodules/' so the formatting check doesn't descend into external git submodules that don't follow our formatting rules.
  • API projects now configure isort with skip_glob = ["submodules/*"] so the import-sorting check doesn't descend into external git submodules that don't follow our rules.
  • CONTRIBUTING.md
    • Fixed the nox example commands in to use the correct tests/ directory instead of the non-existent test/ directory.
    • Fixed the wrong mention to PyPI publishing when releasing for private repositories.

What's Changed

... (truncated)

Commits
  • 9536002 Update template versions and prepare the v0.18.0 release (#590)
  • 0851215 Prepare release notes for v0.18.0
  • bee542d template: Bump dependencies
  • 80402d2 build(deps): bump the compatible group with 2 updates (#589)
  • df8ba24 build(deps): bump the compatible group with 2 updates
  • e5f4e39 Add isort dependabot auto-migration workflow (#585)
  • 3afcb70 Update release notes
  • e86009b Add isort submodules migration step
  • 22be0ee template: Make isort exclude submodules from API projects
  • a459500 isort: Exclude golden tests
  • Additional commits viewable in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions