release status is unclear #1728

Closed
jku opened this issue Jun 13, 2023 · 4 comments
Comments

@jku

jku commented Jun 13, 2023

I'm a user of the actual actions in codeql-action: in other words I have uses-lines like this in my workflows:
uses: github/codeql-action/init@83f0fe6c4988d98a455712a27f0255212bba9bd4

I like to know what code I'm running in my CI so I use hashes corresponding to releases and let dependabot update them. codeql-action releases are quite difficult to understand. As an example I currently have a dependabot PR that wants to update from codeql-action 2.3.6 to 2.13.4:

  • The last update I have seen was 2.3.6 -- what happened in between?
  • Why am I getting an update to a release that your release page considers a "pre-release"?
  • Why are the releases on the release page titled "CodeQL Bundle" when I'm looking at the "codeql-action" project and I'm not trying to use or update a "bundle"?
  • Why does the changelog only list changes up to 2.3.6?

🤷

I'm sure there is a logic here and some of these versions refer to the software bundle and some refer to the actions themselves... but I can't understand this logic based on what dependabot shows me.
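The pinning practice described above (a full commit SHA in every `uses:` line, with Dependabot keeping it current) is easy to let slip in a large workflow. The following audit script is an added example and is not part of the issue or of codeql-action itself: it scans a workflow file for `uses:` references and reports any that are not pinned to a 40-character commit SHA, or that are pinned but carry no `# vX.Y.Z` comment saying which release the SHA is meant to correspond to. The embedded workflow is constructed for the example; the only real SHA in it is the one quoted in the issue, the others are placeholders.

```python
import re

# Constructed sample workflow (not from the issue). The codeql-action/init SHA is
# the one quoted in the issue; the all-'a' and all-'b' SHAs are placeholders.
SAMPLE_WORKFLOW = """\
name: codeql
on: [push]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v3.5.2
      - uses: github/codeql-action/init@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.3.6
      - uses: github/codeql-action/analyze@v2
      - uses: some-org/some-action@main
      - uses: actions/setup-node@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
"""

# `uses:` line: optional list dash, the reference, then an optional trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)\s*(#.*)?$')
# A full 40-hex commit SHA (abbreviated SHAs are deliberately not accepted).
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# A release hint such as "# v2.3.6" or "# 2.3.6" next to the pinned SHA.
VERSION_COMMENT_RE = re.compile(r'#\s*v?\d+(\.\d+)*')

def classify_ref(ref):
    """Classify a `uses:` reference as 'sha', 'tag-or-branch', 'local' or 'docker'."""
    if ref.startswith('./'):
        return 'local'
    if ref.startswith('docker://'):
        return 'docker'
    _, _, version = ref.rpartition('@')
    if SHA_RE.match(version):
        return 'sha'
    return 'tag-or-branch'

def audit_workflow(text):
    """Return a list of (line_no, ref, status) for every remote action reference.

    status is 'ok', 'not pinned to a full commit SHA', or
    'pinned SHA has no version comment'. Local and docker:// references are
    outside the scope of SHA pinning and are skipped.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        kind = classify_ref(ref)
        if kind in ('local', 'docker'):
            continue
        if kind != 'sha':
            findings.append((n, ref, 'not pinned to a full commit SHA'))
        elif not comment or not VERSION_COMMENT_RE.search(comment):
            findings.append((n, ref, 'pinned SHA has no version comment'))
        else:
            findings.append((n, ref, 'ok'))
    return findings

if __name__ == '__main__':
    for line_no, ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f'line {line_no}: {ref}: {status}')
```

Run it against a real `.github/workflows/*.yml` by passing the file contents to `audit_workflow`; a non-empty set of non-`ok` findings is the signal to fix the pin before merging. The version comment is what lets a reviewer see, at a glance, which release a SHA was meant to track, which is exactly the information the issue above found missing.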

@mbg
Member

mbg commented Jun 13, 2023

Hi @jku! Thank you for raising this issue with us.

Your intuition that the versions refer to different components is correct: 2.3.6 is the latest version of the CodeQL Action (hence the changelog for the Action only lists changes up to this version) while 2.13.4 is the current pre-release version of the CodeQL CLI which is used by the Action under the hood.

Regarding the Dependabot PR, that should indeed not be happening. We are using the codeql-action repository to store release bundles of the CodeQL CLI that are used by the Action. These are tagged differently from releases of the Action itself, but we would not expect them to be used by Dependabot.

We are investigating why Dependabot behaved in this way here and how we can work around that, so thank you for bringing this to our attention. We will provide an update once we have done that.

@mbg
Member

mbg commented Jun 13, 2023

We have just released a new version of the Action which works around the erroneous Dependabot PRs. If you haven't already, you will likely soon see Dependabot replace the erroneous PR with a new one for this new version (2.20.0). There is a full write-up of what led to this problem in #1729. Thank you again for quickly bringing this to our attention so that the team could fix it! 🥇

I hope this has answered your question and resolves the problem for you. I will close this issue for now, but feel free to re-open it if there's anything else we can help with.

@mbg mbg closed this as completed Jun 13, 2023
@jku
Author

jku commented Jun 14, 2023

Cheers,

From a Dependabot UX point of view your releases still look a bit strange: the release notes section in the Dependabot comment shows an unrelated CodeQL Bundle release, I assume because your action releases are not "releases", just tags... I can read that now and I understand what you're trying to say, but you could consider making the action releases actual releases.

@adityasharad
Contributor

@jku you're quite right, thank you for the suggestions. The generated Dependabot comments for codeql-action updates are confusing, both in the release notes section and the changelog section. We are thinking about how to make this clearer -- it won't be a high priority but we'll try to improve the experience and minimise confusion. We're going about it carefully so that any customer automation that currently fetches the CodeQL bundle artifacts isn't broken by us populating additional releases for the CodeQL Action itself (the ability to determine a latest release may help us here).
