Why dependabot tries to update actions from major to major.minor

Dependabot opens a PR like this: “chore(deps): bump actions/cache from v2 to v2.1.4” with a diff like:

-      - uses: actions/cache@v2
+      - uses: actions/cache@v2.1.4
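
Review bot: the `+` line still references a tag (`v2.1.4`), which is a movable ref just like `v2`. If the reason for accepting this bump is to run a fixed, reviewable version, put the full commit SHA in `uses:` and keep the version as a trailing comment for readability.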

What’s the point in doing this? Won’t the latest (2.1.4) be used anyway the next time my action runs? Should this be considered a bug in Dependabot?

3 Likes

Previously, this issue only happened when the maintainer of an action created a new x.x.x tag without replacing the matching major x tag.

Today it got worse, as Dependabot opened pull requests for actions that didn’t even change (including actions/checkout, actions/cache and actions/setup-node). Their x.x.x tag points to the same commit as the x tag.

Taking actions/checkout as an example, the last release was November 3rd 2020, so it’s unclear what triggered Dependabot.

+1

The actions/checkout release has opened hundreds of PRs today.
Very annoying…

Could likely be solved by Increase-if-necessary for github-actions in dependabot

2 Likes
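
The two cases described in this thread (an x.x.x tag that points to the same commit as the x tag, versus a major tag that was not moved to the new release) can be told apart from the tag listing of the action's repository. The following is an added example, not part of any post in the thread: the `git ls-remote --tags` output is a constructed sample with made-up hashes, and the function names are hypothetical.

```python
# Constructed sample of `git ls-remote --tags <action repo>` output.
# Hashes are made up. An annotated tag is listed twice: first the tag
# object, then the commit it points to under "<ref>^{}".
TAG_OBJ, A, B, C = "1" * 40, "a" * 40, "b" * 40, "c" * 40
SAMPLE_LS_REMOTE = "\n".join([
    TAG_OBJ + "\trefs/tags/v2",       # annotated tag object
    A + "\trefs/tags/v2^{}",          # ...peeled to commit A
    A + "\trefs/tags/v2.1.4",         # lightweight tag on the same commit A
    B + "\trefs/tags/v3",             # major tag left on an older commit
    C + "\trefs/tags/v3.0.1",         # newer release on commit C
])


def tag_commits(ls_remote_output):
    """Map tag name -> commit SHA, preferring the peeled (^{}) entry."""
    commits, peeled = {}, set()
    for line in ls_remote_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("refs/tags/"):
            continue
        sha, name = parts[0], parts[1][len("refs/tags/"):]
        if name.endswith("^{}"):
            name = name[:-3]
            commits[name] = sha       # commit behind an annotated tag
            peeled.add(name)
        elif name not in peeled:
            commits[name] = sha       # lightweight tag, or not yet peeled
    return commits


def classify_bump(ls_remote_output, old_tag, new_tag):
    """Say whether a proposed bump from old_tag to new_tag changes the code run."""
    commits = tag_commits(ls_remote_output)
    if old_tag not in commits or new_tag not in commits:
        return "unknown-tag"
    if commits[old_tag] == commits[new_tag]:
        return "no-op"                # both tags resolve to the same commit
    return "changes-code"             # major tag was not moved to the release


if __name__ == "__main__":
    for old, new in [("v2", "v2.1.4"), ("v3", "v3.0.1")]:
        print(old, "->", new, ":", classify_bump(SAMPLE_LS_REMOTE, old, new))
```

Comparing the peeled commits rather than the raw listed hashes matters here, because an annotated major tag and a lightweight x.x.x tag on the same commit show different hashes in the first column.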