Dependabot does not find latest commit

I am exploring how Dependabot works, but it isn't working as I expected.

I created 2 private Golang repositories (one, two), where one depends on two

one's go.mod:

module github.com/dazwilkin/one

go 1.17

require github.com/dazwilkin/two v0.0.0-20210927170438-e7aa41e4107b

NOTE e7aa41e4107b is a prior commit intentionally in order to check VS Code's and Dependabot's update checking.

dependabot.yml

version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "daily"

The 2 most recent commits to two are:

curl \
--silent \
--header "Authorization: Bearer ${TOKEN}" \
https://api.github.com/repos/${OWNER}/${REPO}/commits \
| jq -r '.[]|{"sha":.sha,"date":.commit.committer.date}'

And:

{
  "sha": "b2f2074829aa61218d7e38f27bb6051ccd97ab7a",
  "date": "2021-09-27T18:03:33Z"
}
{
  "sha": "e7aa41e4107b8c28f99cadfe55b831380730e808",
  "date": "2021-09-27T17:04:38Z"
}

NOTE b2f2074829aa is the commit I'm expecting to be told about and e7aa41e4107b is the prior commit on two that one continues to reference.

VS Code quickly determines that an update is available and:

go list -m -u all

github.com/dazwilkin/one
github.com/dazwilkin/two v0.0.0-20210927170438-e7aa41e4107b [v0.0.0-20210927180333-b2f2074829aa]

NOTE Correctly identifying the latest commit (b2f2074829aa) to replace the prior commit (e7aa41e4107b)

However, after 22 hours and repeatedly forcing updates, dependabot continues to report that e7aa41e4107b is the latest:

updater | INFO <job_214390230> Starting job processing
updater | INFO <job_214390230> Starting update job for DazWilkin/one
updater | INFO <job_214390230> Checking if github.com/dazwilkin/two 0.0.0-20210927170438-e7aa41e4107b needs updating
updater | INFO <job_214390230> Latest version is 0.0.0-20210927170438-e7aa41e4107b
updater | INFO <job_214390230> No update needed for github.com/dazwilkin/two 0.0.0-20210927170438-e7aa41e4107b
updater | INFO <job_214390230> Finished job processing

NOTE Dependabot appears to have no issue accessing github.com/dazwilkin/two but it doesn't find the most recent commit.

Is this just an eventual consistency issue, and do I need to wait longer?

Update I've waited another 24 hours and it continues to find the earlier commit as the latest version

Or am I misunderstanding or misconfiguring Dependabot?

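One possibly related issue is that my GitHub account is mixed-case DazWilkin but, for simplicity, I publish and reference Golang modules using all lowercase (github.com/dazwilkin). However, Dependabot appears to have no problem finding the prior commit.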

I think this is because dependabot doesn't support pseudo-versions - https://github.com/dependabot/dependabot-core/issues/3017
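
The pseudo-versions discussed above can be checked independently of Dependabot. The following is an added example, not code from the posts or from Dependabot: it derives the pseudo-version Go assigns to each commit (UTC commit time plus the first 12 characters of the SHA) and reports whether a pinned requirement is behind the newest commit. It assumes the dependency has no semver tags, so the base is v0.0.0; the names Commit, PseudoVersion and Stale are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Commit holds the two fields the jq filter in the question extracts.
type Commit struct{ SHA, Date string }

// pseudoRE matches the untagged form v0.0.0-yyyymmddhhmmss-abcdefabcdef.
var pseudoRE = regexp.MustCompile(`^v0\.0\.0-\d{14}-[0-9a-f]{12}$`)

// PseudoVersion builds the v0.0.0 pseudo-version for a commit (assumes no semver tags).
func PseudoVersion(c Commit) (string, error) {
	t, err := time.Parse(time.RFC3339, c.Date)
	if err != nil || len(c.SHA) < 12 {
		return "", fmt.Errorf("bad commit %+v: %v", c, err)
	}
	return fmt.Sprintf("v0.0.0-%s-%s", t.UTC().Format("20060102150405"), c.SHA[:12]), nil
}

// Stale returns the newest pseudo-version among commits and whether required is older.
func Stale(required string, commits []Commit) (string, bool, error) {
	if !pseudoRE.MatchString(required) {
		return "", false, fmt.Errorf("not a v0.0.0 pseudo-version: %q", required)
	}
	latest := ""
	for _, c := range commits {
		pv, err := PseudoVersion(c)
		if err != nil {
			return "", false, err
		}
		if pv > latest { // fixed-width timestamp: string order is time order
			latest = pv
		}
	}
	return latest, latest > required, nil
}

func main() {
	// Sample input constructed from the commit list and go.mod shown in the question.
	commits := []Commit{
		{"b2f2074829aa61218d7e38f27bb6051ccd97ab7a", "2021-09-27T18:03:33Z"},
		{"e7aa41e4107b8c28f99cadfe55b831380730e808", "2021-09-27T17:04:38Z"},
	}
	latest, stale, err := Stale("v0.0.0-20210927170438-e7aa41e4107b", commits)
	fmt.Println(latest, stale, err)
}
```

A check like this can run in CI next to Dependabot so that dependencies pinned by pseudo-version do not silently stay on an old commit.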