
@ppkarwasz

Request for adding a new GitHub Action to the allow list

Overview

This PR allows the usage of the ppkarwasz/fetch-metadata GitHub Action as an alternative to dependabot/fetch-metadata in ASF repositories.

The ppkarwasz/fetch-metadata action is a personal improvement of the original dependabot/fetch-metadata, adding support for grouped Dependabot pull requests, a feature that is currently missing from the upstream action. The implementation has already been reviewed and approved by the Dependabot team (see dependabot/fetch-metadata#632), but the upstream project has been inactive for several months, likely due to reduced maintenance capacity at GitHub. This has prevented the improvement from being merged and released.

Name of action: ppkarwasz/fetch-metadata

URL of action: https://github.com/ppkarwasz/fetch-metadata

Version to pin to (hash only): 14da1d746fb4c6f05dbc353e4fd619a1065c8ff6

Permissions

The action only requires read permissions, so no explicit permission besides what is publicly available.

Related Actions

dependabot/fetch-metadata

Why this change is needed

In Apache Logging Services, every pull request must include a changelog entry. Previously, under CTR, we used a workflow that automatically added the changelog entry and merged the PR.

Since switching to RTC, this automation can no longer complete the merge step, resulting in repositories accumulating unmerged Dependabot PRs that must be:

  • manually reviewed,
  • updated with an empty commit to re-trigger required status checks,
  • and merged by hand.

We already have an improved workflow in place (see apache/logging-parent#419) that provides:

  • Security enhancements through separation of privileged and unprivileged workflows (ppkarwasz/fetch-metadata is used only in the unprivileged workflow),
  • Automatic merge using auto-merge instead of manual merging, and
  • Support for grouped Dependabot PRs (reducing noise to ~1 PR per repository per month).

The final item, grouped PR support, requires the ppkarwasz/fetch-metadata action.

Checklist

You should be able to check most of these boxes for an action to be considered for review.
Please check all boxes that currently apply:

  • The action is listed in the GitHub Actions Marketplace
  • The action is not already on the list of approved actions
  • The action has a sufficient number of contributors or has contributors within the ASF community
  • The action has a clearly defined license
  • The action is actively developed or maintained
  • The action has CI/unit tests configured

@ppkarwasz
Author

After revisiting dependabot/fetch-metadata, it appears that while the action still does not correctly resolve the previous version of a dependency, it does correctly determine the new version. That should be sufficient for generating the changelog entries used in Logging Services.

If I can confirm this behavior, I’ll close this PR and open a new one proposing the use of the upstream dependabot/fetch-metadata action instead, as it remains the officially maintained option.

@dfoulks1
Contributor

dfoulks1 commented Nov 3, 2025

Just let me know how you'd like to proceed @ppkarwasz

@ppkarwasz
Author

Hi @dfoulks1,

I tried to review dependabot/fetch-metadata from a security point of view and I’m leaning toward removing both ppkarwasz/fetch-metadata and dependabot/fetch-metadata from this proposal, for a few reasons:

  • I’m not a TypeScript expert, and I’d prefer not to maintain or vouch for a complex dependency chain I don’t fully understand.
  • Both actions currently include known vulnerabilities in their dependency stack (CVE-2025-25288, CVE-2025-25289, CVE-2025-25290).
  • While these vulnerabilities are likely not directly exploitable in our usage context, I don’t have the bandwidth to confirm that.
  • Fixing them would require major version bumps across the dependency tree, which could introduce breaking changes.
  • The issues appear to be transitive dependencies of @actions/github, but I haven’t found any clear information on their practical impact.

Given that, I’m not comfortable declaring either action “safe” for ASF-wide use, especially since dependabot/fetch-metadata appears dormant since June.

@vy, what do you think about us maintaining a minimal TypeScript action ourselves?
It could have far fewer dependencies and focus solely on the small subset of metadata we actually use for changelog generation.

@vy
Member

vy commented Nov 10, 2025

@vy, what do you think about us maintaining a minimal TypeScript action ourselves? It could have far fewer dependencies and focus solely on the small subset of metadata we actually use for changelog generation.

@ppkarwasz, until the time we have an active maintainer in the [Logging Services] PMC who can and is willing to maintain a {Java,Type}Script stack, and it is objectively clear that keeping a certain component in {Java,Type}Script is simpler & more sustainable compared to alternatives, I am inclined to KISS, and stick to tools that we know and use best: Java & shell scripting.

@ppkarwasz
Author

There is an inherent advantage in maintaining an action in TypeScript:

  • It can be unit tested,
  • It is not prone to code injection and you don't need to check for ${{...}} injections in the code.

I am more than willing to maintain a cut-down version of dependabot/fetch-metadata, but I prefer to do it inside the ASF.
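The two security points raised in this thread, running fetch-metadata only in a read-only (unprivileged) workflow and not interpolating `${{ ... }}` expressions into shell steps, as an added workflow example. This is not code from this PR or from apache/logging-parent#419; it assumes that ppkarwasz/fetch-metadata, pinned to the hash requested above, exposes the same `dependency-names` and `new-version` outputs as upstream dependabot/fetch-metadata, and the job name, artifact name and file name are made up for illustration.

```yaml
# Added example, not the PR's or logging-parent's workflow.
# Unprivileged half of a split workflow: runs on pull_request with a read-only
# token, gathers Dependabot metadata, and hands the result to a separate
# workflow_run-triggered workflow that holds the write permissions.
name: dependabot-changelog-metadata

on:
  pull_request:

# Least privilege: nothing in this workflow needs to write to the repository.
permissions:
  contents: read

jobs:
  metadata:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      # Pinned to the commit hash requested in this PR. Outputs are assumed to
      # match upstream dependabot/fetch-metadata (assumption, not verified here).
      - id: meta
        uses: ppkarwasz/fetch-metadata@14da1d746fb4c6f05dbc353e4fd619a1065c8ff6
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # UNSAFE pattern (kept commented out): the expression is substituted into
      # the script text before the shell parses it, so any value that did not
      # originate in this repository can change what the script does.
      # - run: echo "Updated ${{ steps.meta.outputs.dependency-names }}"

      # SAFE pattern: route the values through environment variables. The shell
      # then receives them as data, not as part of the command line.
      - name: Write changelog fragment
        env:
          DEPS: ${{ steps.meta.outputs.dependency-names }}
          NEW_VERSION: ${{ steps.meta.outputs.new-version }}
        run: |
          printf 'Updated %s to %s\n' "$DEPS" "$NEW_VERSION"
          # Hypothetical fragment file consumed by the privileged workflow.
          printf 'deps=%s\nversion=%s\n' "$DEPS" "$NEW_VERSION" > changelog-fragment.txt

      # The privileged workflow (on: workflow_run) downloads this artifact and
      # performs the commit / auto-merge with its own, wider permissions.
      - uses: actions/upload-artifact@v4
        with:
          name: changelog-fragment
          path: changelog-fragment.txt
```

The point of the split is that the job which executes third-party action code and touches PR-derived data has only `contents: read`, while the job that can push a changelog commit or enable auto-merge never runs that code; the `env:` indirection is the check a reviewer would look for in every `run:` step of the privileged side.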
