Broken dependabot updates for NuGet in GitHub Enterprise Server 3.12.4 #9887
Comments
@martincostello Is this similar to the problems you saw in issue #8576?
Pretty much - as far as I can tell, the majority of the issues we are seeing are those which have been subsequently fixed in GitHub.com. GHES just seems to be using a version that misses a large number of these fixes.
For additional context:
Seems the majority of the issues would be fixed by:
Are there any updates on this? When could we expect the fixes?
Having installed GHES 3.13 onto a test server to inspect the contents (it's unfortunate that the versions of actions that ship inside GHES aren't documented somewhere or included in the separate installation metadata), we can see that GHES 3.13 includes github/dependabot-action@55f2d0a from April 10th. This would include a large number of fixes for the issues we're experiencing, but still lacks the fix for #9511 as the commit is 6 days too early to include that fix. It is also very disappointing that this issue has been open for a month, with additional reach out through GitHub Enterprise Support, and there has been zero response to this issue through either channel.
Hello there and sorry about the delay - the team has been stretched thin across multiple pressing needs. Would it be possible to upgrade to GHES 3.13 and use actions sync to get to the latest? If that solves it, that might be a way to get through this. Again, I apologize for the long turnaround times.
I've asked our Enterprise Admins but have no date yet. I think the more long-term item here is to prevent such a broken version of dependabot getting into GHES in the first place, and for any issues to be addressed in a timely manner if they do.
@martincostello, yes you are right and yes, we are working on improving our test infra to avoid situations like this.
Back in February I made the below comment regarding my concern that various bugs with support for NuGet updates would make their way into GitHub Enterprise Server: #8483 (comment)
This past weekend we upgraded our GitHub Enterprise Server instance to 3.12.4, the latest release that was shipped on May 20th, and found that we are encountering many of the issues with NuGet support in GitHub.com that have been fixed over the last 6 months since the problems started in November 2023.
For example, the issue where dependabot claims to update multiple packages but only updates one:
It is disappointing that the functionality was ingested into GHES when it clearly had quality issues in the first place that were known of since November 2023, but that the fixes haven't been applied 6 months later is doubly disappointing.
When are the various fixes already made for GitHub.com for NuGet support going to be fixed in GitHub Enterprise Server?