End-to-end verification that the Helm versioning-strategy support proposed
in dependabot/dependabot-core#15216
works across the full pipeline (file fetch → parse → live OCI registry
resolution → file update → proposed change), for all three strategies.
Honest caveat: pre-merge, the GitHub-hosted Dependabot service cannot run the proposed branch — it only runs released code. Everything here runs the
`casey/helm-versioning-strategy` branch via `bin/dry-run.rb`, executed either locally or in this repo's CI. It demonstrates the branch's behavior; it is not the hosted Dependabot opening real PRs.
- `producers/` — three trivial charts published to `oci://ghcr.io/casey-robertson-paypal/dependabot-helm` at controlled versions.
- `consumer/Chart.yaml` — consumes them via OCI with different constraint styles.
- `publish.sh` — one-time publish of the producer charts to GHCR.
- `verify.sh` — runs the three strategies against a local dependabot-core checkout.
- `transcripts/` — committed dry-run output.
- `.github/workflows/verify.yml` — CI that reproduces the matrix and uploads transcripts.

| Producer chart | Published versions | Highest |
|---|---|---|
| app-base | 1.0.0, 1.0.5 | 1.0.5 |
| cron-base | 1.0.0, 2.0.0 | 2.0.0 |
| db-base | 1.0.0, 1.5.0 | 1.5.0 |
| web-base | 1.2.0, 1.2.9 | 1.2.9 |
| api-base | 1.0.0, 1.5.0, 2.5.0 | 2.5.0 |

`consumer/Chart.yaml` pins:

| dep | constraint | highest | increase (bump_versions) | increase-if-necessary (bump_versions_if_necessary) | widen (widen_ranges) |
|---|---|---|---|---|---|
| app-base | ^1.0.0 | 1.0.5 (in range) | PR → ^1.0.5 | no PR ⭐ | no PR |
| cron-base | ^1.0.0 | 2.0.0 (out of range) | PR → ^2.0.0 | PR → ^2.0.0 | PR → ^2.0.0 |
| db-base | 1.0.0 | 1.5.0 | PR → 1.5.0 | PR → 1.5.0 | PR → 1.5.0 |
| web-base | ~1.2.0 | 1.2.9 (in range) | PR → ~1.2.9 | no PR ⭐ | no PR |
| api-base | >=1.0.0 <2.0.0 | 2.5.0 (out of range) | PR → >=1.0.0 <3.0.0 | PR → >=1.0.0 <3.0.0 | PR → >=1.0.0 <3.0.0 |

⭐ The headline behavior: an in-range patch produces no PR under
increase-if-necessary/widen, instead of being exact-pinned as Dependabot
does today.
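As an added illustration (this is not dependabot-core's code and not this repo's `verify.sh`), the Ruby model below reproduces the matrix above: it parses the four constraint shapes used in `consumer/Chart.yaml`, checks whether the highest published tag already satisfies each, and applies the three strategies to produce the proposed constraint or `nil` for "no PR". The constraint grammar, the caret/tilde/exact/range rewrite rules, the `HelmStrategyModel` module and all of its method names are assumptions chosen to match this README's table; in particular the model treats increase-if-necessary and widen identically, because the matrix shows no difference between them for these fixtures.

```ruby
# Added example, not dependabot-core's code: a small model of how the three
# versioning strategies turn a Chart.yaml constraint plus the highest published
# version into a proposed constraint (nil = no PR). The grammar and rewrite
# rules are assumptions chosen to reproduce this README's matrix.
module HelmStrategyModel
  Version = Struct.new(:major, :minor, :patch) do
    include Comparable

    def self.parse(str)
      m = /\A(\d+)\.(\d+)\.(\d+)\z/.match(str)
      raise ArgumentError, "unsupported version: #{str.inspect}" unless m
      new(*m.captures.map(&:to_i))
    end

    def <=>(other)
      to_a <=> other.to_a
    end

    def to_s
      "#{major}.#{minor}.#{patch}"
    end
  end

  V = /\d+\.\d+\.\d+/
  CARET = /\A\^(#{V})\z/          # ^1.0.0 => >=1.0.0 <2.0.0
  TILDE = /\A~(#{V})\z/           # ~1.2.0 => >=1.2.0 <1.3.0
  EXACT = /\A(#{V})\z/            # 1.0.0  => exactly 1.0.0
  RANGE = /\A>=(#{V}) <(#{V})\z/  # >=1.0.0 <2.0.0

  # [lower inclusive, upper exclusive] bounds of a constraint.
  def self.bounds(constraint)
    case constraint
    when CARET
      lo = Version.parse($1)
      hi = lo.major.zero? ? Version.new(0, lo.minor + 1, 0) : Version.new(lo.major + 1, 0, 0)
      [lo, hi]
    when TILDE
      lo = Version.parse($1)
      [lo, Version.new(lo.major, lo.minor + 1, 0)]
    when EXACT
      v = Version.parse($1)
      [v, Version.new(v.major, v.minor, v.patch + 1)]
    when RANGE
      [Version.parse($1), Version.parse($2)]
    else
      raise ArgumentError, "unsupported constraint: #{constraint.inspect}"
    end
  end

  def self.satisfies?(constraint, version)
    lo, hi = bounds(constraint)
    version >= lo && version < hi
  end

  # Rewrite the constraint so it admits `highest`, keeping its style: ^/~/exact
  # move to the new version; a range raises its upper bound to the next major
  # (the table's ">=1.0.0 <3.0.0" for highest 2.5.0).
  def self.rewrite(constraint, highest)
    case constraint
    when CARET then "^#{highest}"
    when TILDE then "~#{highest}"
    when EXACT then highest.to_s
    when RANGE then ">=#{Version.parse($1)} <#{Version.new(highest.major + 1, 0, 0)}"
    else raise ArgumentError, "unsupported constraint: #{constraint.inspect}"
    end
  end

  STRATEGIES = %i[bump_versions bump_versions_if_necessary widen_ranges].freeze

  # Proposed new constraint for one dependency, or nil when no PR is expected.
  def self.propose(strategy, constraint, highest)
    highest = Version.parse(highest) if highest.is_a?(String)
    proposal = rewrite(constraint, highest)
    case strategy
    when :bump_versions
      proposal == constraint ? nil : proposal   # always chase the highest tag
    when :bump_versions_if_necessary, :widen_ranges
      satisfies?(constraint, highest) ? nil : proposal  # in range => leave alone
    else
      raise ArgumentError, "unknown strategy: #{strategy.inspect}"
    end
  end

  # consumer/Chart.yaml pins and the highest tag each producer publishes.
  FIXTURES = {
    "app-base"  => ["^1.0.0", "1.0.5"],
    "cron-base" => ["^1.0.0", "2.0.0"],
    "db-base"   => ["1.0.0", "1.5.0"],
    "web-base"  => ["~1.2.0", "1.2.9"],
    "api-base"  => [">=1.0.0 <2.0.0", "2.5.0"],
  }.freeze

  # { dep => { strategy => proposal-or-nil } }, i.e. the matrix in the README.
  def self.matrix(fixtures = FIXTURES)
    fixtures.to_h do |dep, (constraint, highest)|
      [dep, STRATEGIES.to_h { |s| [s, propose(s, constraint, highest)] }]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  HelmStrategyModel.matrix.each do |dep, row|
    puts "#{dep}: " + row.map { |s, p| "#{s}=#{p || 'no PR'}" }.join("  ")
  end
end
```

Running the file prints one line per dependency; `app-base` and `web-base` come out as `no PR` under the two range-respecting strategies, which is the ⭐ behavior. The `bump_versions` branch returns `nil` only when the rewrite would be a no-op, so an in-range `>=A <B` constraint (not in the table) also stays untouched under it; that is a modelling choice, not something the matrix establishes.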
Prerequisites: `helm`, `oras` (`brew install oras`), Ruby 3.4.x, and a checkout
of the branch as a sibling directory:

```sh
git clone -b casey/helm-versioning-strategy \
  https://github.com/casey-robertson-paypal/dependabot-core.git ../dependabot-core
(cd ../dependabot-core/helm && bundle install)
export LOCAL_GITHUB_ACCESS_TOKEN=<your_github_pat>
./verify.sh   # writes transcripts/<strategy>.txt
```

If you don't have oras/helm locally, run inside the dependabot-core dev
shell instead: `bin/docker-dev-shell helm`, then run `verify.sh` from this repo
(it bundles helm + oras).
The verify workflow (Actions tab, or workflow_dispatch) checks out the
branch, installs the toolchain, runs verify.sh, and uploads the transcripts as
a build artifact.
Each `transcripts/<strategy>.txt` shows, per dependency, the resolved latest
version and the proposed `Chart.yaml` diff. Two log lines are expected and
harmless:

- `Error adding/updating Helm repository: ... is not a valid chart repository` — Dependabot tries `helm repo add` first; for OCI registries that's expected to fail, and it falls back to `oras repo tags` (which succeeds — see the `Highest valid OCI tag ...` line right after).
- A `regctl`-related note only affects release-date metadata (cooldown), not the version decision.
Under `bump_versions_if_necessary` and `widen_ranges`, app-base has no diff at
all — its `^1.0.0` already allows the latest 1.0.5, so no PR is proposed.
That is the behavior this repo exists to demonstrate.
This repo is intended as a ready-made public fixture for reviewing
dependabot/dependabot-core#15216.
If you'd like to confirm the behavior with your own tooling (e.g. a custom
updater image built from the branch, as was done for the go.work PR via a
dedicated test repo), point it at casey-robertson-paypal/dependabot-helm,
directory /consumer, with versioning-strategy: increase-if-necessary. The
committed transcripts/ and the verify workflow show the expected results.
Edit the version lists in publish.sh (e.g. add 1.0.6 or 3.0.0) and re-run
it to spin up new in-range / out-of-range cases, then re-run verify.sh.