Dependabot creates duplicated PRs

[honnix]

Package manager/ecosystem
This has happened to at least maven, yarn/npm in our case.

Manifest contents prior to update
It doesn't seem to matter.

Updated dependency
It doesn't seem to matter.

What you expected to see, versus what you actually saw
A single PR gets created for a version bump.

Images of the diff or a link to the PR, issue or logs
NA because it was not on GitHub.com.

More details
We set up a dependabot with a thin wrapper for our internal GitHub Enterprise. The commit/branch/PR creation are all handled by dependabot-core. Occasionally we find duplicated PRs are created for a single version bump. Those PRs are created from the same branch with exactly the same content. Apart from duplication, it is almost always the case that when this happens, a PR numbered as 0 gets created by dependabot-core. We suspect this is caused by a PR creation failure and the subsequent retries, but don't have strong proof yet.

[feelepxyz]

@honnix could you report this to your GH Enterprise support contact? I believe this might be a bug on the enterprise API side causing a 0 id to be created somehow, dependabot doesn't have any control over this and just calls the rest API to create a pull request with the PR content. The API should validate duplicate branch names and fail to create if one already exists.

[honnix]

@feelepxyz Sure. We have already contacted our support engineer. They suggested we open an issue here as well for visibility.

[asciimike]

Also of note, we're hoping to bring Dependabot to GitHub Enterprise in: github/roadmap#86, so hopefully we'll have better support soon.

Closing this issue as there's been a support case filed and we're aware, thanks for the report!