
Workflows containing Jinja2 code result in dependabot parsing errors #5987

Closed
1 task done
martinm82 opened this issue Oct 28, 2022 · 1 comment
Closed
1 task done
Labels
L: github:actions GitHub Actions T: bug 🐞 Something isn't working

Comments


martinm82 commented Oct 28, 2022

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

github-actions

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/{{cookiecutter.repo_name}}/.github/workflows"
    schedule:
      interval: "daily"

Updated dependency

No response

What you expected to see, versus what you actually saw

I am using cookiecutter templates that also generate GitHub workflows that include some Jinja2 code.

Now that #6189 has been implemented, dependabot started to parse the cookiecutter workflow templates but it results in failures:

Dependabot can't parse your quality.yml
Dependabot failed to update your dependencies because there was an error parsing the quality.yml found at /{{cookiecutter.repo_name}}/.github/workflows/quality.yml.

Dependabot encountered the following error:

Dependabot::DependencyFileNotParseable
[Learn more](https://docs.github.com/github/managing-security-vulnerabilities/troubleshooting-dependabot-errors)

Example workflow:

name: Quality Checks
on:
  pull_request:
    types:
      - opened
      - reopened
      - edited
      - synchronize
  workflow_dispatch:

jobs:
  conventional-commit:
    name: Conventional Commit Check
    runs-on: ubuntu-latest
    steps:
      {%- if cookiecutter.release_tool | lower == "commisery" %}
      - uses: tomtom-international/commisery-action@v2
        with:
          token: {% raw %}${{ github.token }}{%- endraw %}
      {%- else %}
      - uses: amannn/action-semantic-pull-request@01d5fd8a8ebb9aafe902c40c53f0f4744f7381eb
        env:
          GITHUB_TOKEN: "{% raw %}${{ secrets.GITHUB_TOKEN }}{%- endraw %}"
      {%- endif %}

It seems that Jinja2 is supported but only for Python requirements files: #1537

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

@martinm82 martinm82 added the T: bug 🐞 Something isn't working label Oct 28, 2022
@martinm82 martinm82 changed the title Dependabot throws error when scanning cookiecutter template folder Workflow files containing Jinja2 code result in dependabot parsing errors Nov 24, 2022
@martinm82 martinm82 reopened this Nov 24, 2022
@martinm82 martinm82 changed the title Workflow files containing Jinja2 code result in dependabot parsing errors Workflows containing Jinja2 code result in dependabot parsing errors Nov 24, 2022
@jeffwidman jeffwidman added the L: github:actions GitHub Actions label Feb 4, 2023
Member

jeffwidman commented Feb 5, 2023

Hmm... GitHub actions aren't python, and don't have native support for Jinja2. The error is correct that it's not actually a valid parsable actions file.

In other words, you're passing a template that can be processed into a valid file, but not a valid file. And we aren't going to add support for templates: there are too many possible templating languages, and each language ecosystem has its own preferred one, it seems.

To avoid the error I suggest instead not having Dependabot watch that directory of templates.

If your directory has a mixture of files, some valid and some template, then you may be interested in:

Another long-term alternative may be if we added support for regex matching for GitHub actions releases, à la:

I'm going to close this specific request as "wontfix", but feel free to follow both the above as potential long-term workarounds.

@jeffwidman jeffwidman closed this as not planned Won't fix, can't repro, duplicate, stale Feb 5, 2023
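Once Dependabot no longer watches the template directory, the actions pinned inside those templates get no update coverage at all. The following is an added example (not code from the issue or from dependabot-core) of the regex-based fallback mentioned above: it pulls every `uses:` reference out of a Jinja2-templated workflow, which is not parseable as YAML, and flags which ones are pinned to a full commit SHA rather than a movable tag. The sample template is a trimmed copy of the workflow posted in the issue; the function and type names are my own.

```python
"""Inventory action references in Jinja2-templated workflow files.

Added example, not part of the issue or of dependabot-core. Dependabot cannot
parse a template that is not yet valid YAML, so this extracts `uses:` lines
with a regex instead, letting the pins in a cookiecutter template directory be
reviewed for stale or tag-only references even though Dependabot skips it.
"""
import re
from typing import List, NamedTuple

# Constructed sample: the Jinja2-templated workflow from the issue, trimmed.
SAMPLE_TEMPLATE = """\
jobs:
  conventional-commit:
    runs-on: ubuntu-latest
    steps:
      {%- if cookiecutter.release_tool | lower == "commisery" %}
      - uses: tomtom-international/commisery-action@v2
      {%- else %}
      - uses: amannn/action-semantic-pull-request@01d5fd8a8ebb9aafe902c40c53f0f4744f7381eb
      {%- endif %}
"""

# Matches `uses: owner/repo[/subpath]@ref` on a line, with or without a
# leading list dash or quotes. Local (./path) and docker:// uses do not match
# because they are not registry actions with an owner/repo@ref shape.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+(?:/[^@\s'\"]+)?)@([^\s'\"#]+)",
    re.MULTILINE,
)
# A full 40-hex-digit commit SHA is an immutable pin; tags and branches are not.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class ActionRef(NamedTuple):
    action: str          # owner/repo (plus optional subpath)
    ref: str             # whatever follows the '@'
    pinned_to_sha: bool  # True when ref is a full commit SHA


def extract_action_refs(text: str) -> List[ActionRef]:
    """Return every owner/repo@ref found, whether the file is valid YAML or a template."""
    return [ActionRef(action, ref, bool(SHA_RE.match(ref)))
            for action, ref in USES_RE.findall(text)]


def unpinned(refs: List[ActionRef]) -> List[ActionRef]:
    """Filter to references that float on a tag or branch instead of a commit SHA."""
    return [r for r in refs if not r.pinned_to_sha]


if __name__ == "__main__":
    for r in extract_action_refs(SAMPLE_TEMPLATE):
        print(f"{r.action}@{r.ref}  sha-pinned={r.pinned_to_sha}")
```

Run it over `find templates -name '*.yml'` output in CI to keep a list of template pins that need manual review, since Dependabot will not open PRs for them.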