Broken dependabot updates for NuGet in GitHub Enterprise Server 3.12.4
martincostello opened this issue · comments
Back in February I made the below comment regarding my concern that various bugs with support for NuGet updates would make their way into GitHub Enterprise Server: #8483 (comment)
This past weekend we upgraded our GitHub Enterprise Server instance to 3.12.4, the latest release that was shipped on May 20th, and found that we are encountering many of the issues with NuGet support in GitHub.com that have been fixed over the last 6 months since the problems started in November 2023.
For example, the issue where dependabot claims to update multiple packages but only updates one:
It is disappointing that the functionality was ingested into GHES when it clearly had quality issues in the first place that were known of since November 2023, but that the fixes haven't been applied 6 months later is doubly disappointing.
When are the various fixes already made for GitHub.com for NuGet support going to be fixed in GitHub Enterprise Server?
@martincostello Is this similar to the problems you saw in issue #8576?
Pretty much - as far as I can tell, the majority of the issues we are seeing are those which have been subsequently fixed in GitHub.com. GHES just seems to be using a version that misses a large number of these fixes.
For additional context:
- We do not have GitHub Connect enabled in our GHES instance, so all actions are served from the appliance itself
- The version of the github/dependabot-action in GHES 3.12.4 corresponds to github/dependabot-action@867a767
- The corresponds to ghcr.io/dependabot/dependabot-updater-nuget:v2.0.20231211155700
- The means we're missing all these bug fixes for NuGet
- Even if we used the latest version from dotcom for the 3.12 branch, we'd be missing fixes such as #9511.
Seems the majority of the issues would be fixed by:
- Merging github/dependabot-action#1237:
- Updating the version of github/dependabot-action included inside GHES to a version containing the updated docker tags.