feat: Parse versions from metadata links #632
Conversation
Dependabot PRs that update a **single** dependency include version details in the commit message introduction, e.g.,

> "Bumps `<dependency>` from `<prevVersion>` to `<newVersion>`"

This is the format generated by the [`commit_message_intro`](https://github.com/dependabot/dependabot-core/blob/cc4b4eaade37da0a19e0897e6897bab613064e74/common/lib/dependabot/pull_request_creator/message_builder.rb#L320-L325) method in Dependabot Core.

However, when **multiple dependencies** are updated in a single PR, this format isn't used consistently, which limits the action's ability to extract accurate version information.

This change improves version parsing for multi-dependency PRs by introducing two additional detection strategies:

1. **YAML metadata parsing**

   Dependabot includes a YAML block in the commit message with structured details for each updated dependency:

   ```yaml
   updated-dependencies:
   - dependency-name: commons-codec:commons-codec
     dependency-version: 1.18.0
     dependency-type: direct:production
     update-type: version-update:semver-minor
     dependency-group: non-breaking
   ```

   This is the most reliable and stable source for the **new** version of each dependency, though it does **not** include the previous version.

2. **Metadata links parsing**

   In multi-dependency updates, Dependabot also appends "metadata links" with a format like:

   > "Updates `<dependencyName>` from `<prevVersion>` to `<newVersion>`"

   These lines are generated by the [`metadata_links`](https://github.com/dependabot/dependabot-core/blob/cc4b4eaade37da0a19e0897e6897bab613064e74/common/lib/dependabot/pull_request_creator/message_builder.rb#L664-L678) method and provide **both** the old and new versions.

By combining these sources, the action now supports version parsing for PRs with multiple updated dependencies, broadening its coverage and improving reliability.

Closes dependabot#402
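As an added example (not code from dependabot/fetch-metadata or from the PR author), the following TypeScript module implements the three sources described above and merges them into one record per dependency: the `Bumps ... from ... to ...` intro, the `Updates ... from ... to ...` metadata links, and the `updated-dependencies` YAML block, applied last because it is the most reliable source for the new version. The regular expressions, the hand-written scanner that stands in for a YAML library, and the two sample commit messages (with placeholder URLs) are this example's own assumptions, not the project's implementation.

```typescript
// Added example (not code from dependabot/fetch-metadata): merges the three
// version sources described in the PR into one record per dependency.
export interface DependencyVersions {
  dependencyName: string;
  prevVersion?: string;
  newVersion?: string;
}

// "[name](url)" -> "name", "`name`" -> "name"; trailing ".", "`" or "]" dropped.
function stripMarkup(token: string): string {
  return token.replace(/\]\(.*\)$/, '').replace(/^[\[`]+|[\]`.]+$/g, '');
}

// Strategy 1: single-dependency intro (commit_message_intro), e.g.
//   "Bumps [name](url) from 1.17.0 to 1.18.0."
const BUMPS_RE = /^Bumps (\S+) from (\S+) to (\S+)/m;

// Strategy 2: one metadata link per dependency (metadata_links), e.g.
//   "Updates `name` from 1.17.0 to 1.18.0"
const UPDATES_RE = /^Updates (\S+) from (\S+) to (\S+)/gm;

// Strategy 3: the updated-dependencies YAML block (new versions only).
// Assumption: a hand-written scanner for exactly this block shape stands in
// for a YAML library; entries come back in document order.
export function parseUpdatedDependencies(body: string): Array<{ name: string; version?: string }> {
  const entries: Array<{ name: string; version?: string }> = [];
  let inBlock = false;
  let current: { name?: string; version?: string } | undefined;
  const flush = () => {
    if (current && current.name) entries.push({ name: current.name, version: current.version });
    current = undefined;
  };
  for (const line of body.split(/\r?\n/)) {
    if (!inBlock) {
      inBlock = /^updated-dependencies:\s*$/.test(line);
      continue;
    }
    // The list ends at the YAML document terminator "..." or at the next top-level key.
    if (/^[^\s-]/.test(line)) break;
    const m = /^\s*(-\s+)?([a-z-]+):\s*(.*?)\s*$/.exec(line);
    if (!m) continue;
    if (m[1]) flush(); // "- " opens a new list item
    if (!current) current = {};
    const value = m[3].replace(/^["']|["']$/g, ''); // names such as "@types/node" are quoted
    if (m[2] === 'dependency-name') current.name = value;
    else if (m[2] === 'dependency-version') current.version = value;
  }
  flush();
  return entries;
}

export function parseDependencyVersions(body: string): DependencyVersions[] {
  const found: DependencyVersions[] = [];
  const record = (name: string, prev?: string, next?: string) => {
    let entry: DependencyVersions | undefined;
    for (const d of found) if (d.dependencyName === name) entry = d;
    if (!entry) {
      entry = { dependencyName: name };
      found.push(entry);
    }
    if (prev !== undefined) entry.prevVersion = prev;
    if (next !== undefined) entry.newVersion = next;
  };

  const intro = BUMPS_RE.exec(body);
  if (intro) record(stripMarkup(intro[1]), stripMarkup(intro[2]), stripMarkup(intro[3]));

  UPDATES_RE.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = UPDATES_RE.exec(body)) !== null) {
    record(stripMarkup(m[1]), stripMarkup(m[2]), stripMarkup(m[3]));
  }

  // YAML last: the most reliable source for the new version, so it overrides the prose.
  for (const dep of parseUpdatedDependencies(body)) record(dep.name, undefined, dep.version);
  return found;
}

// Constructed sample commit messages (URLs are placeholders, not real links).
export const SAMPLE_GROUPED = [
  'Bumps the non-breaking group with 2 updates: [commons-codec:commons-codec](https://example.com/codec) and [org.slf4j:slf4j-api](https://example.com/slf4j).',
  '',
  'Updates `commons-codec:commons-codec` from 1.17.0 to 1.18.0',
  '',
  'Updates `org.slf4j:slf4j-api` from 2.0.16 to 2.0.17',
  '',
  '---',
  'updated-dependencies:',
  '- dependency-name: commons-codec:commons-codec',
  '  dependency-version: 1.18.0',
  '  dependency-type: direct:production',
  '  update-type: version-update:semver-minor',
  '  dependency-group: non-breaking',
  '- dependency-name: org.slf4j:slf4j-api',
  '  dependency-version: 2.0.17',
  '  dependency-type: direct:production',
  '  update-type: version-update:semver-patch',
  '  dependency-group: non-breaking',
  '...',
].join('\n');

export const SAMPLE_SINGLE = [
  'Bumps [commons-codec:commons-codec](https://example.com/codec) from 1.17.0 to 1.18.0.',
  '',
  '---',
  'updated-dependencies:',
  '- dependency-name: commons-codec:commons-codec',
  '  dependency-version: 1.18.0',
  '...',
].join('\n');
```

Because the `Updates` lines are matched however many of them there are, a grouped PR that happens to update a single dependency is handled the same way as a multi-dependency one, and a plain single-dependency PR still gets its previous version from the `Bumps` intro. Calling `parseDependencyVersions(SAMPLE_GROUPED)` yields two entries with both old and new versions; `parseDependencyVersions(SAMPLE_SINGLE)` yields one.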
jeffwidman left a comment:
This looks good to me, other than not understanding the comment syntax?
I'd appreciate if @JamieMagee took a quick look as well since he worked on exposing some of this metadata as he may be aware of some additional context
Hi @jeffwidman, just a gentle reminder about this PR. Since we switched to compulsory reviews, handling Dependabot PRs (which previously merged automatically with changelog entries) has become more time-consuming. This change (along with apache/logging-parent#419) is part of the approach we devised to streamline things by grouping updates and reviewing them as a single PR. Would you have an idea when this might be merged and included in a release? Thanks!

Very much looking forward to this, thank you @ppkarwasz
```
 * See `Dependabot::PullRequestCreator::MessageBuilder#metadata_links` in the Ruby codebase for more details
 * on the current format.
 *
 * **NOTE**: This data is only available if more than one dependency is updated in a single PR.
```
fyi, here's an example of a grouped update with 1 update - i think this would match here (contrary to the comment)?
You are right, grouped PRs with a single updated dependency also contain this data, so I should amend the comment.
The exact generating logic is here.
…etadata`

This PR allows the usage of the `ppkarwasz/fetch-metadata` GitHub Action as an alternative to `dependabot/fetch-metadata` in ASF repositories.

The `ppkarwasz/fetch-metadata` action is a personal improvement of the original `dependabot/fetch-metadata`, adding support for grouped Dependabot pull requests, a feature that is currently missing from the upstream action. The implementation has already been reviewed and approved by the Dependabot team (see dependabot/fetch-metadata#632), but the upstream project has been inactive for several months, likely due to reduced maintenance capacity at GitHub. This has prevented the improvement from being merged and released.

### Why this change is needed

In Apache Logging Services, every pull request must include a changelog entry. Previously, under CTR, we used a workflow that automatically added the changelog entry and merged the PR. Since switching to RTC, this automation can no longer complete the merge step, resulting in repositories accumulating unmerged Dependabot PRs that must be:

* manually reviewed,
* updated with an empty commit to re-trigger required status checks,
* and merged by hand.

We already have an improved workflow in place (see apache/logging-parent#419) that provides:

* **Security enhancements** through separation of privileged and unprivileged workflows (`ppkarwasz/fetch-metadata` is used only in the unprivileged workflow),
* **Automatic merge using `auto-merge` instead of manual merging**, and
* **Support for grouped Dependabot PRs** (reducing noise to ~1 PR per repository per month).

The final item, grouped PR support, requires the `ppkarwasz/fetch-metadata` action.