Github-actions attempts to upgrade from @X to @X.Y.Z

[FredrikM97]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

github-actions

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 4

Updated dependency

Internal library in organization.

What you expected to see, versus what you actually saw

Hi!

We have a private library under organization/our-lib. We release vX.Y.Z versions and a vX tag that we move to the commit of latest release vX.Y.Z.

Our releases look like:

release	tags	release date
v1.5.0	(tag: v1)	released yesterday
v1.4.0	-	released 1 week ago
v1.3.0	-	current version

In the past few days dependabot opens PR:s to bump v1 to v1.4.0. I think it is related to #14621 which suggests older release (v1.4.0) that is outside cooldown window.

Dependabot now matches older releases and does not take v1 version into consideration and instead attempts to update from v1 -> v1.4.0. We expect it to ignore the release and focus to check if the vX is outside the cooldown and not suggest to bump to vX.Y.Z release.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

[thavaahariharangit]

This issue has been resolved in the following PR: #14734

Please check whether the problem still occurs. If it does, kindly recreate the issue in a public repository so I can investigate further.

[FredrikM97]

Hi!

Here is a minimal example:
https://github.com/FredrikM97/dependabot-test

For the test I took a random github-action dependency with frequent updates https://github.com/softprops/action-gh-release/tags.
Dependabot should not attempt to update when I use a vX tag but it opened a PR to move from vX -> v2.6.1.

I get a feeling that the vX is ignored even if it is newer than v2.6.1 since vX is within the cooldown while v2.6.1 is not. So per definition by the cooldown vX is not a valid version to keep?

[thavaahariharangit]

@FredrikM97

The cooldown functionality is behaving as intended — it selects the latest available version before the cooldown window.

For example if you mention default date as 35

Using your configuration as an example (35‑day default cooldown): https://github.com/FredrikM97/dependabot-test/blob/main/.github/dependabot.yml#L13
On today’s date, 21 April, the cutoff date becomes 17 March.

As of that date, the latest available release was 2.6.1 (released on 16 March):
https://github.com/softprops/action-gh-release/releases

Because of this, the PR Dependabot created is correct:
FredrikM97/dependabot-test#2

Documentation reference:
https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-

Please let me know if I’ve misunderstood anything or if you’d like to explore this further.

[FredrikM97]

@thavaahariharangit

Hi!

The statement sounds correct. However, lots of repos use @vX on github-actions to avoid the need to update minor or patch releases (action-gh-release or checkout) is just a few of them. The github docs and here also suggest major versions is a good approach.

The recent changes on cooldown breaks major release tagging. Since vX is most likely a later release than what dependabot attempts to change it essentially mean that we are downgrading the action dependency.

This issue can be observed in dependabot-test where the v2 tag downloads Download action repository 'softprops/action-gh-release@v2' (SHA:3bb12739c298aeb8a4eeaf626c5b8d85266b0e65) which is the latest v2 release but dependabot suggests to download [153bb8e](https://github.com/softprops/action-gh-release/commit/153bb8e04406b158c6c84fc1615b65b24149a1fe) which is an older version of the action than what we already have. The older version does not have a v2 tag anymore since it is moved so it is impossible to use cooldown with major versions now?

Is this breaking change really reasonable to keep?

The expected behaviour with vX tags would be to create a PR from v2->v3 based on the cooldown but not create a PR for v2.X.Z since that is either the same or older version of v2 tag.

Edit:
Is the intention that github or dependabot will no longer support vX tags and only immutable releases?