github actions update fails when action is pinned to commit hash #11253

Open
1 task done
ReenigneArcher opened this issue Jan 8, 2025 · 7 comments
Labels
L: github:actions GitHub Actions L: go:modules Golang modules T: bug 🐞 Something isn't working

Comments

@ReenigneArcher

ReenigneArcher commented Jan 8, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

github actions

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

https://github.com/LizardByte/.github/blob/49fb24e93d5902e16a7acce645932bd08fc643f6/.github/workflows/issues-stale.yml#L62

dependabot.yml content

https://github.com/LizardByte/.github/blob/49fb24e93d5902e16a7acce645932bd08fc643f6/.github/dependabot.yml#L22

Updated dependency

existing: amenocal/stale@44df11e

there is no update available

What you expected to see, versus what you actually saw

Do not error, or at least continue with other updates. OR... Continue working with commit hashes as it used to work.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs


https://github.com/LizardByte/.github/actions/runs/12666467352/job/35297906417

Similar issue, but closed by OP: #11181
Created discussion here, got no response: #11205 (behavior is slightly different now as at least I can see the error)

Smallest manifest that reproduces the issue

No response

@ReenigneArcher ReenigneArcher added the T: bug 🐞 Something isn't working label Jan 8, 2025
@github-actions github-actions bot added L: github:actions GitHub Actions L: go:modules Golang modules labels Jan 8, 2025
@laughedelic

We encountered this problem in our organization as well. In our case, it failed on a GHA repository that is kept in another org from the same enterprise account (internal visibility).

I agree that Dependabot should fail gracefully and continue with other updates.


@ReenigneArcher
Author

The repository that failed for me is not a private repository.

It makes sense why it would fail in your case unless you provided it a PAT. https://docs.github.com/en/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#git

@ReenigneArcher ReenigneArcher changed the title from "github actions update fails" to "github actions update fails when action is pinned to commit hash" Jan 9, 2025
@gionn

gionn commented Jan 9, 2025

I had a public repo with an action without any tag. Creating a semver compatible tag fixed the issue on all the downstream repos.

Looks like it's a regression; it won't be possible to get updates unless there is a tag on the repo which is serving that action.

@ReenigneArcher
Author

Hopefully this can be reconsidered. There are valid reasons to use a commit hash versus a tagged version.

  • using a fork or unmerged branch temporarily to fix an issue
  • GitHub allows hashes versus tags, so Dependabot should also support that (at a minimum don't fail the rest of the updates)

I guess I may need to finally switch to renovate-bot.

@bartsmykla

This issue is happening for us with two public actions. It looks like actions pinned to commit hashes with a semantic version tag can’t be used anymore.

@laughedelic

@ReenigneArcher, I added my case here because it wasn't failing like this before. Even if it's a valid failure (which is arguable, but out of scope for this issue), it shouldn't block the rest of the updates.

@ReenigneArcher
Author

ReenigneArcher commented Jan 15, 2025

I think I've tracked it down to this PR. #11144

Seems that it was reverted, but maybe not available in a release yet. #11289
