-
-
Notifications
You must be signed in to change notification settings - Fork 151
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dependabot PRs fail CI because it ignore only new issues #1045
Comments
Hello, Can you provide the logs? or a link to a public repository? I think it's a duplicate of #996 |
I had a look at #996, but I don't have line
It may be related though.
|
Can you try to remove this line: steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: "refs/pull/${{ github.event.number }}/head" ## <---- dependabot creates PRs from branches and not a fork, so the event should be a
https://github.com/golangci/golangci-lint-action?tab=readme-ov-file#only-new-issues |
In debug mode, you should have a log You should also have a log |
Ok, I've got |
Ok, I've run it without the ref on the checkout and now get these:
|
can you provide your golangci-lint configuration?
No, this option is for a specific use case: unstaged changes or untracked files https://golangci-lint.run/usage/configuration/#issues-configuration |
Sure:
FWIW this is the .golangci-lint.yaml in the root of the repo: ---
linters-settings:
govet:
enable:
- nilness
goimports:
local-prefixes: github.com/fastly
linters:
enable:
- gofumpt
- goimports
- gosec
- ineffassign |
Can you check if you have something like:
|
Can you also give me an overview (a few lines) of the linting issues? |
Don't have |
Maybe it's related to the content of the patch 🤔 But the call is really simple: golangci-lint-action/src/run.ts Lines 62 to 69 in 182ce0b
The same thing in Go: package main
import (
"context"
"fmt"
"log"
"github.com/google/go-github/v62/github"
"golang.org/x/oauth2"
)
func main() {
ctx := context.Background()
ts := oauth2.StaticTokenSource(&oauth2.Token{AccessToken: "token"})
client := github.NewClient(oauth2.NewClient(ctx, ts))
org := "foo"
repo := "bar"
number := 8
raw, _, err := client.PullRequests.GetRaw(ctx, org, repo, number, github.RawOptions{Type: github.Diff})
if err != nil {
log.Fatal(err)
}
fmt.Println(raw)
} Can you try it? |
Hmm, so because it is a dependabot PR, the patch is just the diff of the go.mod and go.sum. I've included an excerpt: diff --git a/go.mod b/go.mod
index 0c2f7f1d4..82ff186bd 100644
--- a/go.mod
+++ b/go.mod
@@ -34,31 +34,31 @@ require (
go.uber.org/atomic v1.11.0
go.uber.org/zap v1.27.0
golang.org/x/crypto v0.23.0
- golang.org/x/exp v0.0.0-20231006140011-7918f672742d
+ golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa
golang.org/x/oauth2 v0.20.0
golang.org/x/sys v0.20.0
)
...
diff --git a/go.sum b/go.sum
index d16dd3273..8e4e44ba3 100644
--- a/go.sum
+++ b/go.sum
@@ -20,10 +20,10 @@ cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb
cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0=
cloud.google.com/go v0.112.2 h1:ZaGT6LiG7dBzi6zNOvVZwacaXlmf3lRqnC4DQzqyRQw=
cloud.google.com/go v0.112.2/go.mod h1:iEqjp//KquGIJV/m+Pk3xecgKNhV+ry+vVTsy4TbDms=
-cloud.google.com/go/auth v0.2.2 h1:gmxNJs4YZYcw6YvKRtVBaF2fyUE6UrWPyzU8jHvYfmI=
-cloud.google.com/go/auth v0.2.2/go.mod h1:2bDNJWtWziDT3Pu1URxHHbkHE/BbOCuyUiKIGcNvafo=
-cloud.google.com/go/auth/oauth2adapt v0.2.1 h1:VSPmMmUlT8CkIZ2PzD9AlLN+R3+D1clXMWHHa6vG/Ag= |
I can't find a way to reproduce the problem 🤔 The project contains issues, I used |
Hmm, I'm wondering if it is something specific to dependabot PRs- could I make PR to add dependabot to that repo and see if the PR the dependabot creates fails? |
Even a PR from dependabot doesn't produce the problem: |
It looks like there is something specific to your repository: maybe it's a problem with a token, a repository setting, the dependabot configuration, etc. Can you give me an overview (a few lines) of the linting issues reported inside this PR? |
Ah, that is interesting, they all seem to be type check errors:
I hadn't noticed that before. Something else interesting- if there are changes in the main branch and I merge those back into the pr branch, then it succeeds. This makes me think it is a token or something that dependabot doesn't have, but once I've made a commit on the branch then it works. |
https://golangci-lint.run/welcome/faq/#why-do-you-have-typecheck-errors In your context, I think it's missing access to private dependencies. |
any news? |
Hi @ldez I'm busy working on it with our security team. I think we can close it as it looks like a permissions issue, but doesn't look like it from the outside. Thank you very much for your help! |
Welcome
Description of the problem
👋 Hi. Running into a strange problem and I think I've narrowed it down to the action.
Whenever Dependabot makes a new PR then golangci-lint fails. It fails because it seems to ignore the only new issues flag.
In other words the line that runs golangci-lint looks like:
But all the issues in the repo are found, i.e. not just new ones. In theory there shouldn't be any new issues for a dependabot PR, but that's neither here nor there.
The action works perfectly and only flags new issues if somebody other than dependabot makes a PR.
Version of golangci-lint
1.58.2
Version of the GitHub Action
v6
Workflow file
Go version
1.21.1
Code example or link to a public repository
The text was updated successfully, but these errors were encountered: