Skip to content

Bump the actions group with 6 updates#29203

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/actions-e3b7908f0a
Closed

Bump the actions group with 6 updates#29203
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/actions-e3b7908f0a

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jun 6, 2024
edited
Loading

Bumps the actions group with 6 updates:

Package From To
actions/checkout 3 4
actions/setup-python 4 5
actions/cache 3 4
actions/upload-artifact 3 4
actions/download-artifact 3 4
peter-evans/create-pull-request 5 6

Updates actions/checkout from 3 to 4

Release notes

Sourced from actions/checkout's releases.

v4.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v3...v4.0.0

v3.6.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v3.5.3...v3.6.0

v3.5.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v3...v3.5.3

v3.5.2

What's Changed

Full Changelog: actions/checkout@v3.5.1...v3.5.2

v3.5.1

What's Changed

New Contributors

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.0

v3.6.0

v3.5.3

v3.5.2

v3.5.1

... (truncated)

Commits

Updates actions/setup-python from 4 to 5

Release notes

Sourced from actions/setup-python's releases.

v5.0.0

What's Changed

In scope of this release, we update node version runtime from node16 to node20 (actions/setup-python#772). Besides, we update dependencies to the latest versions.

Full Changelog: actions/setup-python@v4.8.0...v5.0.0

v4.8.0

What's Changed

In scope of this release we added support for GraalPy (actions/setup-python#694). You can use this snippet to set up GraalPy:

steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v4 
  with:
    python-version: 'graalpy-22.3' 
- run: python my_script.py

Besides, the release contains such changes as:

New Contributors

Full Changelog: actions/setup-python@v4...v4.8.0

v4.7.1

What's Changed

Full Changelog: actions/setup-python@v4...v4.7.1

v4.7.0

In scope of this release, the support for reading python version from pyproject.toml was added (actions/setup-python#669).

      - name: Setup Python
        uses: actions/setup-python@v4
</tr></table>

... (truncated)

Commits
  • 82c7e63 Documentation changes for avoiding rate limit issues on GHES (#835)
  • 10aa35a feat: fallback to raw endpoint for manifest when rate limit is reached (#766)
  • 9a7ac94 Bump undici from 5.27.2 to 5.28.3 (#817)
  • 871daa9 Fix the "Specifying multiple Python/PyPy versions" link (#782)
  • 2f07895 Fix broken README.md link (#793)
  • e9d6f99 Replace setup-python@v4 by setup-python@v5 in README (#776)
  • 0a5c615 Update action to node20 (#772)
  • 0ae5836 Add example of GraalPy to docs (#773)
  • b64ffca update actions/checkout to v4 (#761)
  • 8d28961 Examples now use checkout@v4 (#738)
  • Additional commits viewable in compare view

Updates actions/cache from 3 to 4

Release notes

Sourced from actions/cache's releases.

v4.0.0

What's Changed

New Contributors

Full Changelog: actions/cache@v3...v4.0.0

v3.3.3

What's Changed

New Contributors

Full Changelog: actions/cache@v3...v3.3.3

v3.3.2

What's Changed

New Contributors

Full Changelog: actions/cache@v3...v3.3.2

v3.3.1

What's Changed

Full Changelog: actions/cache@v3...v3.3.1

v3.3.0

What's Changed

... (truncated)

Changelog

Sourced from actions/cache's changelog.

Releases

4.0.2

  • Fixed restore fail-on-cache-miss not working.

4.0.1

  • Updated isGhes check

4.0.0

  • Updated minimum runner version support from node 12 -> node 20

3.3.3

  • Updates @​actions/cache to v3.2.3 to fix accidental mutated path arguments to getCacheVersion actions/toolkit#1378
  • Additional audit fixes of npm package(s)

3.3.2

  • Fixes bug with Azure SDK causing blob downloads to get stuck.

3.3.1

  • Reduced segment size to 128MB and segment timeout to 10 minutes to fail fast in case the cache download is stuck.

3.3.0

  • Added option to lookup cache without downloading it.

3.2.6

  • Fix zstd not being used after zstd version upgrade to 1.5.4 on hosted runners.

3.2.5

  • Added fix to prevent from setting MYSYS environment variable globally.

3.2.4

  • Added option to fail job on cache miss.

3.2.3

  • Support cross os caching on Windows as an opt-in feature.
  • Fix issue with symlink restoration on Windows for cross-os caches.

3.2.2

... (truncated)

Commits

Updates actions/upload-artifact from 3 to 4

Release notes

Sourced from actions/upload-artifact's releases.

v4.0.0

What's Changed

The release of upload-artifact@v4 and download-artifact@v4 are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements.

ℹ️ However, this is a major update that includes breaking changes. Artifacts created with versions v3 and below are not compatible with the v4 actions. Uploads and downloads must use the same major actions versions. There are also key differences from previous versions that may require updates to your workflows.

For more information, please see:

  1. The changelog post.
  2. The README.
  3. The migration documentation.
  4. As well as the underlying npm package, @​actions/artifact documentation.

New Contributors

Full Changelog: actions/upload-artifact@v3...v4.0.0

v3.1.3

What's Changed

Full Changelog: actions/upload-artifact@v3...v3.1.3

v3.1.2

  • Update all @actions/* NPM packages to their latest versions- #374
  • Update all dev dependencies to their most recent versions - #375

v3.1.1

  • Update actions/core package to latest version to remove set-output deprecation warning #351

v3.1.0

What's Changed

Commits
  • 6546280 updating package version
  • c004fb4 Merge branch 'main' into eggyhead/use-artifact-v2.1.6
  • 90aba49 updating toolkit artifact dependency to 2.1.6
  • b06cde3 Merge pull request #563 from actions/eggyhead/release-4.3.2
  • 1746f4a Revert "updating to release 4.3.2"
  • 31685d0 updating to release 4.3.2
  • 18bf333 Merge pull request #562 from actions/eggyhead/update-artifact-v215
  • dac413b update package lock version
  • bb3b4a3 updating package version
  • 3e3da83 updating artifact and core dependencies
  • Additional commits viewable in compare view

Updates actions/download-artifact from 3 to 4

Release notes

Sourced from actions/download-artifact's releases.

v4.0.0

What's Changed

The release of upload-artifact@v4 and download-artifact@v4 are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements.

ℹ️ However, this is a major update that includes breaking changes. Artifacts created with versions v3 and below are not compatible with the v4 actions. Uploads and downloads must use the same major actions versions. There are also key differences from previous versions that may require updates to your workflows.

For more information, please see:

  1. The changelog post.
  2. The README.
  3. The migration documentation.
  4. As well as the underlying npm package, @​actions/artifact documentation.

New Contributors

Full Changelog: actions/download-artifact@v3...v4.0.0

v3.0.2

v3.0.1

Commits
  • 65a9edc Merge pull request #325 from bethanyj28/main
  • fdd1595 licensed
  • c13dba1 update @​actions/artifact dependency
  • 0daa75e Merge pull request #324 from actions/eggyhead/use-artifact-v2.1.6
  • 9c19ed7 Merge branch 'main' into eggyhead/use-artifact-v2.1.6
  • 3d3ea87 updating license
  • 89af5db updating artifact package v2.1.6
  • b4aefff Merge pull request #323 from actions/eggyhead/update-artifact-v215
  • 8caf195 package lock update
  • d7a2ec4 updating package version
  • Additional commits viewable in compare view

Updates peter-evans/create-pull-request from 5 to 6

Release notes

Sourced from peter-evans/create-pull-request's releases.

Create Pull Request v6.0.0

Behaviour changes

  • The default values for author and committer have changed. See "What's new" below for details. If you are overriding the default values you will not be affected by this change.
  • On completion, the action now removes the temporary git remote configuration it adds when using push-to-fork. This should not affect you unless you were using the temporary configuration for some other purpose after the action completes.

What's new

  • Updated runtime to Node.js 20
    • The action now requires a minimum version of v2.308.0 for the Actions runner. Update self-hosted runners to v2.308.0 or later to ensure compatibility.
  • The default value for author has been changed to ${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com>. The change adds the ${{ github.actor_id }}+ prefix to the email address to align with GitHub's standard format for the author email address.
  • The default value for committer has been changed to github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>. This is to align with the default GitHub Actions bot user account.
  • Adds input git-token, the Personal Access Token (PAT) that the action will use for git operations. This input defaults to the value of token. Use this input if you would like the action to use a different token for git operations than the one used for the GitHub API.
  • push-to-fork now supports pushing to sibling repositories in the same network.
  • Previously, when using push-to-fork, the action did not remove temporary git remote configuration it adds during execution. This has been fixed and the configuration is now removed when the action completes.
  • If the pull request body is truncated due to exceeding the maximum length, the action will now suffix the body with the message "...[Pull request body truncated]" to indicate that the body has been truncated.
  • The action now uses --unshallow only when necessary, rather than as a default argument of git fetch. This should improve performance, particularly for large git repositories with extensive commit history.
  • The action can now be executed on one GitHub server and create pull requests on a different GitHub server. Server products include GitHub hosted (github.com), GitHub Enterprise Server (GHES), and GitHub Enterprise Cloud (GHEC). For example, the action can be executed on GitHub hosted and create pull requests on a GHES or GHEC instance.

What's Changed

New Contributors

Full Changelog: peter-evans/create-pull-request@v5.0.2...v6.0.0

Create Pull Request v5.0.2

⚙️ Fixes an issue that occurs when using push-to-fork and both base and head repositories are in the same org/user account.

What's Changed

Full Changelog: peter-evans/create-pull-request@v5.0.1...v5.0.2

Create Pull Request v5.0.1

What's Changed

Full Changelog: peter-evans/create-pull-request@v5.0.0...v5.0.1

Commits
  • 6d6857d fix: update proxy support to follow octokit change to fetch api (#2867)
  • 9153d83 perf: limit the fetch depth of pr branch (#2857)
  • c55203c fix: drop unnecessary fetch with unshallow on push-to-fork (#2849)
  • 6ce4eca build(deps-dev): bump @​types/node from 18.19.28 to 18.19.31 (#2842)
  • 36ef0ed build(deps-dev): bump @​types/node from 18.19.26 to 18.19.28 (#2836)
  • 8500972 build(deps-dev): bump @​types/node from 18.19.25 to 18.19.26 (#2831)
  • bda5ade build(deps-dev): bump @​types/node from 18.19.23 to 18.19.25 (#2826)
  • 70a41ab perf: shallow fetch the actual base when rebasing from working base (#2816)
  • 57a1014 build(deps-dev): bump @​types/node from 18.19.21 to 18.19.23 (#2811)
  • b3a2c5d build(deps-dev): bump @​types/node from 18.19.18 to 18.19.21 (#2798)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot dependabot bot added Build / CI dependencies Pull requests that update a dependency file labels Jun 6, 2024
@dependabot dependabot bot requested a review from a team June 6, 2024 11:30
@github-actions
Copy link

github-actions bot commented Jun 6, 2024
edited
Loading

✔️ Linting Passed

All linting checks passed. Your pull request is in excellent shape! ☀️

Generated for commit: 11857ea. Link to the linter CI: here

jjerphan
jjerphan approved these changes Jun 6, 2024
View reviewed changes
Copy link
Member

@jjerphan jjerphan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM given 🟢 CI checks.

@lesteve lesteve mentioned this pull request Jun 6, 2024
Merged
@lesteve
Copy link
Member

lesteve commented Jun 6, 2024
edited
Loading

I was kind of expecting major.minor.micro versions + hashes everywhere but it looks like it only updated the major version, maybe because we were only specifying the major version before?

Probably some Dependabot subtlety, maybe this is what dependabot/dependabot-core#3699 is about. Edit: sorry, this one is about hashes in Dockerfiles ...

@dependabot
Bump the actions group with 6 updates
11857ea 
Bumps the actions group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `3` | `4` |
| [actions/setup-python](https://github.com/actions/setup-python) | `4` | `5` |
| [actions/cache](https://github.com/actions/cache) | `3` | `4` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `3` | `4` |
| [actions/download-artifact](https://github.com/actions/download-artifact) | `3` | `4` |
| [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) | `5` | `6` |


Updates `actions/checkout` from 3 to 4
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v3...v4)

Updates `actions/setup-python` from 4 to 5
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@v4...v5)

Updates `actions/cache` from 3 to 4
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@v3...v4)

Updates `actions/upload-artifact` from 3 to 4
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v3...v4)

Updates `actions/download-artifact` from 3 to 4
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v3...v4)

Updates `peter-evans/create-pull-request` from 5 to 6
- [Release notes](https://github.com/peter-evans/create-pull-request/releases)
- [Commits](peter-evans/create-pull-request@v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: peter-evans/create-pull-request
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/github_actions/actions-e3b7908f0a branch from 25f7e31 to 11857ea Compare June 6, 2024 12:06
@lesteve
Copy link
Member

lesteve commented Jun 6, 2024
edited
Loading

I was kind of expecting major.minor.micro versions + hashes everywhere but it looks like it only updated the major version, maybe because we were only specifying the major version before?

I double-checked in a test repo and it seems this is what is happening indeed. Dependabot respects what is already used in the workflow files:

I would be in favour of using hashes with human readable comment everywhere, any objections?

i.e.:

uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0

instead of what we are currently doing:

uses: actions/checkout@v3

If no objection I will open a PR that does that.

@matthewfeickert
Copy link
Contributor

matthewfeickert commented Jun 6, 2024

+1 to using the minor versions with hashes for the publishing steps. I remember that there was some subtly to the upload / download actions on the latest versions, but I will need to look those up when I'm not in my phone. @henryiii might remember off the top of his head though.

@lesteve lesteve mentioned this pull request Jun 6, 2024
Closed
@lesteve
Copy link
Member

lesteve commented Jun 6, 2024

If no objection I will open a PR that does that.

I have opened #29206 to pin Github Actions with commit hashes.

@lesteve
Copy link
Member

lesteve commented Jun 6, 2024
edited
Loading

I remember that there was some subtly to the upload / download actions on the latest versions

I think this was upload-artifacts v4 that had some behaviour changes https://github.blog/2024-02-12-get-started-with-v4-of-github-actions-artifacts/#compatibility for example:

In v4, users lose the ability to upload to the same named artifact multiple times. Once an artifact is uploaded cannot be altered, and there cannot be multiple v4 artifacts with the same name, in the same workflow run.

For now my PR #29206 is trying to keep the same versions that we were using. I guess we will need to be careful indeed before merging this Dependabot PR. Given that upload-artifact is only used in lint.yml and wheels.yml, I think triggering a wheel build with a [cd build gh] comment may be a good idea to make sure nothing is broken.

@henryiii
Copy link

henryiii commented Jun 6, 2024
edited
Loading

Using exact pins causes a lot more churn and restricts you from getting the latest patch versions, which can fix things. GitHub Actions is not a fixed platform anyway, the runner images are updated regularly, so pinning (official) actions is generally less helpful than it's worth, IMO. Pinning it in the publish step is a good idea, but the rest will likely mean you'll get weekly (or whatever) updates of hashes with little benefit. I'd also make sure it updates frequently if you don't allow patch fixes.

Upload/download v4 require each other, and they no longer auto-merge if you reuse the same artifact name. All artifacts must now be uploaded once with unique names. You also need to make sure you don't upload the same file if you download and merge (new features for merging multiple artifacts added to help).

(By the way, in case it's not clear, my comment is about pinning the official actions like actions/checkout. It is less applicable to third party actions.)\

(Node versions, runner images, the python-versions cache setup-python pulls from, etc. - All this is not pinned, so pinning the action simply doesn't improve reliability)

@henryiii
Copy link

henryiii commented Jun 6, 2024

Upload / download artifact v3 will stop working November 30, 2024, FYI. Another example of why pinning official actions isn't really something you fully can control.

@lesteve
Copy link
Member

lesteve commented Jun 6, 2024

Thanks @matthewfeickert and @henryiii for your comments. To make sure I am following:

@henryiii
Copy link

henryiii commented Jun 6, 2024

I think yes to the first two, and the third, it's up to you. I tend to not worry about thirty party actions if they provide a moving major tag, I assume they will also keep it working, and I like lower CI churn, so I'm very slightly on the major tag for everyone side. I don't think I've run into a problem yet. But it's a trade off and it depends on your preference; pinning means you don't have to trust the third party actions as much, which does sound nice. If you are worried about security anywhere, go ahead and pin - that's why the publish step is pinned.

henryiii
henryiii reviewed Jun 6, 2024
View reviewed changes
.github/workflows/wheels.yml
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
path: dist/*.tar.gz
Copy link

@henryiii henryiii Jun 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd recommend naming the artifact here; using the default name is tricky now since you can only do it one time.

henryiii
henryiii reviewed Jun 6, 2024
View reviewed changes
.github/workflows/wheels.yml
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
path: wheelhouse/*.whl
Copy link

@henryiii henryiii Jun 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs a unique name per job, and then the download step needs to merge. See https://learn.scientific-python.org/development/guides/gha-wheels for example.

matthewfeickert
matthewfeickert suggested changes Jun 6, 2024
View reviewed changes
Copy link
Contributor

@matthewfeickert matthewfeickert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with all of @henryiii's suggested changes (no surprise there) but to answer @lesteve's question (sorry for delay, am traveling today):

  • we already pin with hashes in the publish steps
  • using only major versions for official Github Actions (like actions/checkout and others) seems better
  • third-party actions, I am not so sure now ...
  • SPEC 8 is just recommending pinning for security focused steps like publishing. In PR #29180 I just did the upload step as that's a big step forward, but after SPEC 8 is ratified we can open up PRs to ping other actions in publishing workflows.
  • Yes, for thing like actions/whatever just use the major version.
  • I think it is fine to use the major version for third parties, but if you want to pin to the patch level you'll only get a once a month PR so that's not too bad. But this is very much a "what do you want to do" situation.

@henryiii
Copy link

henryiii commented Jun 6, 2024

I think one month is too long if you pin to patch versions, I'd only recommend that for looser pins. As an example, the runner images updated powershell a while back. This broke all existing versions of the cibuildwheel action, and we had to rush v2.16.5 out to fix all Windows users of the action. If you had cibuildwheel pinned to anything before that, you were broken by GitHub. However, if you pinned to our moving tag (v2.16), you were fine (unless you got lucky in the <2 day window where we pushed out the fix).

@matthewfeickert
Copy link
Contributor

matthewfeickert commented Jun 6, 2024

(On phone again) @henryiii This will be relevant for discussion on the follow up SPEC to SPEC 8 on security for building artifacts. I imagine that this will be something that Seth will want to discuss more broadly as well.

I'll defer to the scikit-learn team on if they are fine to bump to weekly over monthly for Dependabot, though @henryiii I thought you were going to recommend switching to monthly in the Scientific Python Developer Guide.

I will read again once I land tonight as I might be reading quickly and missing context.

@henryiii
Copy link

henryiii commented Jun 6, 2024

I did recommend switching to monthly, but that's with pinning to major versions. If you are isolating yourself from getting patch releases, you need to update more often. Personally, I think this is generally fine, lower churn and keeping CI simple is better than complexity and frequent updates, but if that level of security is needed for certain applications, that's fine for those applications. If doing that, you should also be locking your dependencies with hashes, etc, which we also don't do in the dev guide, as that slows your response time if dependencies break (among other things).

@lesteve
Copy link
Member

lesteve commented Jun 7, 2024
edited
Loading

OK thanks for your feed-back @matthewfeickert @henryiii, I have a better understanding of the trade-offs now.

I think for now we should stick to major versions (official Github actions + third-party actions) for now. Let's wait for SPEC 8 to settle down and potentially some PRs from people working on SPEC 8, to see what else can be improved.

I have opened a separate PR #29211 to do the upload-artifacts / download-artifacts v3 to v4 update by hand, as it needs a bit of care.

Side-comment: the "Pull Request Regex Title Labeler / labeler (pull_request_target)" CI failure probably happens because we pass the github context as JSON into an environment variable, the environent variable is too long probably in part because the PR description is too long. The error looks like this:

Error: An error occurred trying to start process '/usr/bin/bash' with working directory '/home/runner/work/scikit-learn/scikit-learn'. Argument list too long

@lesteve lesteve mentioned this pull request Jun 7, 2024
Merged
@ogrisel
Copy link
Member

ogrisel commented Jun 7, 2024

Shall we close this PR in favor of #29211 and the wait for the next denpendabot run to update the other (non-artifact related) actions?

@lesteve
Copy link
Member

lesteve commented Jun 7, 2024
edited
Loading

Shall we close this PR in favor of #29211 and the wait for the next denpendabot run to update the other (non-artifact related) actions?

I think we can leave the Dependabot PR open. I think the Dependabot PR will either be updated automatically because main has changed and it will detect conflicts or you can use special comments to rebase this PR on top of main (for more details, look at the "Dependabot commands and options" folded content in the PR description).

I guess one way to find out is to try 😉, i.e. merging #29211 first while leaving the Dependabot PR open.

@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Jun 7, 2024

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot bot closed this Jun 7, 2024
@dependabot dependabot bot deleted the dependabot/github_actions/actions-e3b7908f0a branch June 7, 2024 18:58
@matthewfeickert
Copy link
Contributor

matthewfeickert commented Jun 8, 2024

Now over at PR #29214

@ogrisel ogrisel mentioned this pull request Jun 18, 2024
Merged
@ogrisel ogrisel mentioned this pull request Jul 9, 2024
Merged
5 tasks
@lesteve lesteve mentioned this pull request Mar 25, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jjerphan jjerphan jjerphan approved these changes

+2 more reviewers

@henryiii henryiii henryiii left review comments

@matthewfeickert matthewfeickert matthewfeickert requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Build / CI dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@lesteve @matthewfeickert @henryiii @ogrisel @jjerphan