build(deps): bump @actions/core from 1.8.0 to 1.8.2

[dependabot]

Bumps @actions/core from 1.8.0 to 1.8.2.

Changelog

Sourced from @​actions/core's changelog.

1.8.2

• Update to v2.0.1 of @actions/http-client #1087

1.8.1

• Update to v2.0.0 of @actions/http-client

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[kamilsk]

rebase after #470 is needed

[ldez]

it feels like commits created in the GHA are skipped, I will check something in the settings.

[ldez]

I checked and it doesn't seem related to what I was thinking.

[kamilsk]

I tried:

• define concurrency https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#concurrency
• exit after push

it didn't help

the build does not restart in this case. jfyi

[SVilgelm]

I know about this issue, the system token GH_TOKEN cannot trigger other workflows to avoid recursion, the only way is using PAT, but there is another issue - dependabot has no access to the main secrets. @ldez, if you have an access to the glance bot secrets, or if no, then generate a temporary one and add the secret to dependabot's section in the repo settings:

then we need to change the workflow to use PAT

[ldez]

The dependabot doesn't use any secret or token, we don't use the Github API to create commits.

https://github.com/golangci/golangci-lint-action/blob/master/.github/workflows/test.yml

[SVilgelm]

The dependabot doesn't use any secret or token, we don't use the Github API to create commits.

https://github.com/golangci/golangci-lint-action/blob/master/.github/workflows/test.yml

            git config --local user.name "dependabot[bot]"
            git config --local user.email "49699333+dependabot[bot]@users.noreply.github.com"
            git add --update
            git commit --message="Update dist files"
            git push

then how this works?

[ldez]

then how this works?

This is the secret sauce of GitHub and Dependabot.

We don't provide any token for this bot and we don't call the GitHub API.

The dependabot secrets don't allow overriding secrets named GITHUB_*, and there is no option to change the "token" that uses dependabot.

https://docs.github.com/en/code-security/dependabot/working-with-dependabot/managing-encrypted-secrets-for-dependabot

Remember that the dependabot doesn't need to be installed, it's not an application but just a GitHub "feature".

Do you have links to documentation or something else?

[kamilsk]

folks, what do you think if we rethink this part? for me, "push changes" while you check them is a foot gun

cannot trigger other workflows to avoid recursion

what if this step will be a part of a push event?

[kamilsk]

if

      - name: Update dist files
        if: github.event_name == 'push'

then try to update dist in the main branch instead of the current approach

[kamilsk]

please take a look on de5c087

[ldez]

The problem will be worse because creating a commit on master without a real user will not really work well.
Otherwise, the dirty check is important.

[kamilsk]

The problem will be worse because creating a commit on master without a real user will not really work well.

why? now the same commit will be created on a feature branch. what is the difference?

and this scheme works well:

• https://github.com/qase-tms/specs/commits/master
• https://github.com/qase-tms/specs/blob/cf4154d530e06affba173f2c77fe0186861950bd/.github/workflows/readme.yaml#L21-L29

[kamilsk]

The problem will be worse because creating a commit on master without a real user will not really work well.
Otherwise, the dirty check is important.

@ldez let's remove "changing state" part and leave the dirty check. someone will do it manually. what do you think?

[kamilsk]

@dependabot recreate