Is there an existing issue for this?
Package ecosystem
github-actions
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
No response
dependabot.yml content
version: 2
updates:
  - package-ecosystem: "github-actions" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "weekly"
Updated dependency
No response
What you expected to see, versus what you actually saw
We received a single PR updating actions/checkout in two files:
scorecard.yml is correctly updated, both the hash and the version comment:
steps:
- name: "Checkout code"
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
However, for testing.yml only the hash is updated:
steps:
- - uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247 # v3.5.1
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.1
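Review bot: the trailing comment on the `+` line still reads `# v3.5.1` even though the pinned SHA changed to 8e5e7e5ab8b370d6c329ec480221332ada57f0ab, the same commit the scorecard.yml hunk labels `# v3.5.2`. Update the comment to `# v3.5.2` so that anyone auditing the pin by its comment is not told the wrong release.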
If relevant, the hash for v3.5.1 was manually obtained by going to the actions/checkout Releases page.
I'd have expected testing.yml to also change the version comment to v3.5.2.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
nebraska-dev/dependabot-debug#5

Smallest manifest that reproduces the issue
The repo linked above is pretty close to an MRE, but the following should (not) work as well:
dependabot.yml:
version: 2
updates:
  - package-ecosystem: "github-actions" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "weekly"
testing.yml:
on:
  push:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@83b7061638ee4956cf7545a6f7efe594e5ad0247 # v3.5.1
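A stale version comment like the one reported above can be caught in review by checking that one pinned SHA never carries two different version comments across workflow files. The following is an added example, not part of the original issue or of Dependabot's code; the function names are hypothetical, and the sample input is constructed from the two post-PR lines quoted in the issue, with assumed indentation.

```python
import re
from collections import defaultdict

# Matches a SHA-pinned action reference followed by a version comment, e.g.
#   uses: actions/checkout@<40 hex chars> # v3.5.2
PIN_RE = re.compile(
    r"uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<sha>[0-9a-f]{40})\s*#\s*(?P<tag>\S+)"
)

def parse_pins(workflows):
    """Yield (file, line_no, action, sha, tag) for every SHA pin with a comment."""
    for path, text in workflows.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            m = PIN_RE.search(line)
            if m:
                yield path, line_no, m["action"], m["sha"], m["tag"]

def find_conflicting_comments(workflows):
    """Return {(action, sha): {tag: [(file, line_no), ...]}} for SHAs with >1 tag."""
    seen = defaultdict(lambda: defaultdict(list))
    for path, line_no, action, sha, tag in parse_pins(workflows):
        seen[(action, sha)][tag].append((path, line_no))
    return {key: dict(tags) for key, tags in seen.items() if len(tags) > 1}

# Constructed sample: the two workflow files as they look after the PR in this issue.
SAMPLE_AFTER_PR = {
    "scorecard.yml": (
        "steps:\n"
        '  - name: "Checkout code"\n'
        "    uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2\n"
    ),
    "testing.yml": (
        "steps:\n"
        "  - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.1\n"
    ),
}

if __name__ == "__main__":
    for (action, sha), tags in find_conflicting_comments(SAMPLE_AFTER_PR).items():
        print(f"{action}@{sha[:12]} has conflicting version comments:")
        for tag, locations in sorted(tags.items()):
            for path, line_no in locations:
                print(f"  {tag}  {path}:{line_no}")
```

The check only reports disagreement: it cannot tell which comment is correct, and it will not notice a stale comment on a SHA that appears in a single file.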