-
Notifications
You must be signed in to change notification settings - Fork 335
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
release status is unclear #1728
Comments
Hi @jku! Thank you for raising this issue with us. Your intuition that the versions refer to different components is correct: 2.3.6 is the latest version of the CodeQL Action (hence the changelog for the Action only lists changes up to this version) while 2.13.4 is the current pre-release version of the CodeQL CLI which is used by the Action under the hood. Regarding the Dependabot PR, that should indeed not be happening. We are using the We are investigating why Dependabot behaved in this way here and how we can work around that, so thank you for bringing this to our attention. We will provide an update once we have done that. |
We have just released a new version of the Action which works around the erroneous Dependabot PRs. If you haven't already, you will likely soon see Dependabot replace the erroneous PR with a new one for this new version (2.20.0). There is a full write-up of what led to this problem in #1729. Thank you again for quickly bringing this to our attention so that the team could fix it! 🥇 I hope this has answered your question and resolves the problem for you. I will close this issue for now, but feel free to re-open it if there's anything else we can help with. |
Cheers, From dependabot UX point of view your releases still look a bit strange: the release notes section in the dependabot comment shows an unrelated CodeQL Bundle release, I assume because your action releases are not "releases", just tags... I can read that now, I understand what you're trying to say but you could consider making the action releases actual releases. |
@jku you're quite right, thank you for the suggestions. The generated Dependabot comments for |
I'm a user of the actual actions in codeql-action: in other words I have uses-lines like this in my workflows:
uses: github/codeql-action/init@83f0fe6c4988d98a455712a27f0255212bba9bd4
I like to know what code I'm running in my CI so I use hashes corresponding to releases and let dependabot update them. codeql-action releases are quite difficult to understand. As an example I currently have a dependabot PR that wants to update from codeql-action 2.3.6 to 2.13.4:
🤷
I'm sure there is a logic here and some of these versions refer to the software bundle and some refer to the actions themselves... but I can't understand this logic based on what dependabot shows me.
The text was updated successfully, but these errors were encountered: