We have an action to automatically apply migration scripts based on dependabot updates, and lately we've seen that when a PR is created to update to version X, but then updated to update to version Y, then this action gets the metadata for version X instead of Y.
See:
Run logs fragment:
Run dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98
with:
github-token: ***
skip-commit-verification: false
skip-verification: false
Parsing Dependabot metadata
Outputting metadata for 1 updated dependency
outputs.dependency-names: frequenz-repo-config
outputs.dependency-type: direct:development
outputs.update-type: version-update:semver-minor
outputs.directory: /
outputs.package-ecosystem: pip
outputs.target-branch: v0.x.x
outputs.previous-version: 0.16.0
outputs.new-version: 0.17.0
outputs.compatibility-score: 0
outputs.maintainer-changes: false
outputs.dependency-group: repo-config
outputs.alert-state:
outputs.ghsa-id:
outputs.cvss: 0
PR body at the time the action ran
Bumps the repo-config group with 1 update in the / directory: frequenz-repo-config.
Updates frequenz-repo-config from 0.16.0 to 0.18.0
Release notes
Sourced from frequenz-repo-config's releases.
v0.18.0
Frequenz Repository Configuration Release Notes
Summary
This release focuses on finishing the automation of dependabot updates, adding more automated upgrade workflows and fixing some problems with the previous release.
Upgrading
Cookiecutter template
All upgrading should be done via the migration script or regenerating the templates.
curl -sSLf https://raw.githubusercontent.com/frequenz-floss/frequenz-repo-config-python/<tag>/cookiecutter/migrate.py | python3 -I
New Features
Cookiecutter template
- The cookiecutter now asks whether a repository is private, defaults that answer from the selected license, and uses it to toggle private-repository workflow behavior, public publishing jobs, and the link to GitHub Discussions in the issue template chooser.
- All dependencies have been updated in the templates.
- API projects now ship a dedicated
grpc-migration.yaml workflow that runs after Dependabot bumps grpcio/grpcio-tools/protobuf and rewrites the matching runtime >= floors in pyproject.toml.
- API projects now have a better grpcio/protobuf updates grouping in Dependabot, which should make upgrading easier, and plays nicer with the new
grpc-migration.yaml workflow.
- API projects should now use the new API-specific Protect version branches ruleset variant, which includes the required
Fix gRPC/protobuf runtime floors check without affecting non-API Python projects.
- Workflows using the
gh-action-dependabot-migrate are upgraded to the latest version, which avoids unnecessary version iterations.
- Add an
isort-migration.yaml workflow that automatically reorders imports when Dependabot upgrades isort.
Bug Fixes
Cookiecutter template
- The unused cross-arch QEMU-based testing infrastructure has been removed. The
.github/containers/nox-cross-arch/ and .github/containers/test-installation/ directories, as well as the "Cross-Arch Testing" section in CONTRIBUTING.md.
- Private repositories now are generated with credentials uncommented and the publishing workflows disabled.
- The issue template chooser (
config.yml) no longer includes the contact_links section for private repositories, since GitHub Discussions are typically disabled for them.
- Normalized the GitHub Action hashes for
gh-action-setup-git and gh-action-setup-python-with-deps to point to the actual commit object, which is what Dependabot expects.
- API projects now configure black with
extend-exclude = '^/submodules/' so the formatting check doesn't descend into external git submodules that don't follow our formatting rules.
- API projects now configure isort with
skip_glob = ["submodules/*"] so the import-sorting check doesn't descend into external git submodules that don't follow our rules.
CONTRIBUTING.md
- Fixed the nox example commands in to use the correct
tests/ directory instead of the non-existent test/ directory.
- Fixed the wrong mention to PyPI publishing when releasing for private repositories.
What's Changed
... (truncated)
Commits
9536002 Update template versions and prepare the v0.18.0 release (#590)
0851215 Prepare release notes for v0.18.0
bee542d template: Bump dependencies
80402d2 build(deps): bump the compatible group with 2 updates (#589)
df8ba24 build(deps): bump the compatible group with 2 updates
e5f4e39 Add isort dependabot auto-migration workflow (#585)
3afcb70 Update release notes
e86009b Add isort submodules migration step
22be0ee template: Make isort exclude submodules from API projects
a459500 isort: Exclude golden tests
- Additional commits viewable in compare view
Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
We have an action to automatically apply migration scripts based on dependabot updates, and lately we've seen that when a PR is created to update to version X, but then updated to update to version Y, then this action gets the metadata for version X instead of Y.
See:
Run logs fragment:
PR body at the time the action ran
Bumps the repo-config group with 1 update in the / directory: frequenz-repo-config.
Updates
frequenz-repo-configfrom 0.16.0 to 0.18.0Release notes
Sourced from frequenz-repo-config's releases.
... (truncated)
Commits
9536002Update template versions and prepare the v0.18.0 release (#590)0851215Prepare release notes for v0.18.0bee542dtemplate: Bump dependencies80402d2build(deps): bump the compatible group with 2 updates (#589)df8ba24build(deps): bump the compatible group with 2 updatese5f4e39Addisortdependabot auto-migration workflow (#585)3afcb70Update release notese86009bAdd isort submodules migration step22be0eetemplate: Make isort exclude submodules from API projectsa459500isort: Exclude golden tests