fix(ci): prevent spurious Dependabot PR failures from auto-approve and @types/vscode bumps#143
Merged
Merged
Conversation
…es/vscode - Remove dependabot[bot] from auto-approve.yml condition. That workflow runs on pull_request (no secrets for Dependabot) and always failed the create-github-app-token step, producing a permanent red 'auto-approve' check on every Dependabot PR. - Dependabot approval + auto-merge (patch/minor) is already handled by the dedicated dependabot-auto-merge.yml on pull_request_target. - Add @types/vscode to dependabot ignore for npm. vsce package enforces that the @types/vscode version must not exceed engines.vscode. Bumps produced failing 'build' jobs (package step). - New Dependabot PRs will no longer have spurious failures. Majors still require manual review per existing policy. Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
The previous dynamic fetch of 'latest' via unauthenticated GitHub API was brittle: - Rate limits (60/hr unauth) often return error JSON instead of release. - grep/cut produces empty GITLEAKS_VERSION. - Download URL becomes invalid → 404 + tar failure. This caused the 'Gitleaks secret detection' job to fail on PR #143 (even though the PR changes are unrelated to secrets scanning). Fix: pin to a recent stable release (8.30.1) with comment for future updates. This is consistent with how other tools/actions are handled in the repo. Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
Contributor
Author
|
Update: The failure on this PR was not caused by the Dependabot fixes. What failed
Root causeThe GITLEAKS_VERSION=$(curl -s https://api.github.com/.../releases/latest | grep tag_name | cut ... | sed 's/v//')
curl .../v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz ...
This is pre-existing (unrelated to the two files changed in the original commit). It happened to flake on this run. Fix pushed
Once the new security run completes it should be green. The Dependabot-related changes themselves are working (note that "auto-approve" now succeeds cleanly on this non-Dependabot PR, and Dependabot PRs going forward won't get the spurious failure). The original two changes remain:
Ready for merge after the re-run is clean. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Dependabot PRs were consistently showing as failing / not auto-merging:
npm run packagefailures.Root causes
auto-approve.ymlincludeddependabot[bot]. This workflow triggers onpull_request.Dependabot
pull_requestruns receive no repository secrets/vars ("Secret source: Dependabot").The
actions/create-github-app-tokenstep always failed with:This left a permanent failing status check named "auto-approve" on all Dependabot PRs.
dependabot-auto-merge.yml(the working one, onpull_request_target) already handled approval +gh pr merge --auto --squashfor patch/minor.@types/node25→26 and actions/checkout 6→7 were classifiedsemver-major→ intentionally skipped (manual review).@types/vscode1.120→1.125 wassemver-minorbut produced:(vsce enforces this.)
Changes
dependabot[bot]from the actor list inauto-approve.yml. Only SebTardif + release bot go through it now.@types/vscodeto the npmignorelist independabot.ymlwith explanation.Dependabot will remain automatic for true patch/minor updates that don't violate engine constraints. Majors (per Dependabot metadata) continue to require manual review per existing policy.