[C3] chore: fix dependabot so that it used the correct package version

[dario-piotrowicz]

What this PR solves / how to test

Currently our dependabot workflow is flawed and uses outdated version of framework
CLIs as you can see from this PR's description: #5149

This is due to the wrong checkout performed in the e2e-only-dependabot-bumped-framework step which uses the version of the package.json file from main instead of getting the updated one.

This PR fixes such behavior.

Author has addressed the following

• Tests
  • Included
  • Not necessary because: this is only a gh actions change
• Changeset (Changeset guidelines)
  • Included
  • Not necessary because: this is only a gh actions change
• Public documentation
  • Cloudflare docs PR(s): https://github.com/cloudflare/cloudflare-docs/pull/...
  • Not necessary because: this is only a gh actions change

[changeset-bot]

⚠️ No Changeset found

Latest commit: 030809f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[github-actions]

A wrangler prerelease is available for testing. You can install this latest build in your project with:

npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/8176127369/npm-package-wrangler-5151

You can reference the automatically updated head of this PR with:

npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/prs/5151/npm-package-wrangler-5151

Or you can use npx with this latest build directly:

npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/8176127369/npm-package-wrangler-5151 dev path/to/script.js

Additional artifacts:

npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/8176127369/npm-package-create-cloudflare-5151 --no-auto-update

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/8176127369/npm-package-cloudflare-kv-asset-handler-5151

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/8176127369/npm-package-miniflare-5151

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/8176127369/npm-package-cloudflare-pages-shared-5151

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/8176127369/npm-package-cloudflare-vitest-pool-workers-5151

Note that these links will no longer work once the GitHub Actions artifact expires.

---

wrangler@3.31.0 includes the following runtime dependencies:

Package	Constraint	Resolved
miniflare	workspace:*	3.20240223.1
workerd	1.20240304.0	1.20240304.0
workerd --version	1.20240304.0	2024-03-04

Please ensure constraints are pinned, and miniflare/workerd minor versions match.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 70.36%. Comparing base (4194495) to head (030809f).
Report is 23 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5151      +/-   ##
==========================================
+ Coverage   70.31%   70.36%   +0.04%     
==========================================
  Files         298      298              
  Lines       15550    15567      +17     
  Branches     4000     4007       +7     
==========================================
+ Hits        10934    10953      +19     
+ Misses       4616     4614       -2     

see 8 files with indirect coverage changes

[petebacondarwin]

I think the correct fix is to change the trigger to pull_request rather than pull_request_target, which according to the docs runs the job in the context of the base of the PR rather than the HEAD.

[dario-piotrowicz]

sounds reasonable to me, thanks 🙂

I've update the trigger, please have another look 🙏

[dario-piotrowicz]

Note: 0 would also work but it seems quite unnecessary in my opinion since it fetches everything (https://github.com/actions/checkout)

but I'm happy to use 0 if we find it more clear/robust and don't care about the extra fetching, please let me know what you think 🙂

[petebacondarwin]

We've been going with 0 because it guarantees that all the tags are also there, and generally no one is complaining about performance. So I would err on that side. It is very confusing if something is missing from the cloned repo because the errors are a bit vague.

[dario-piotrowicz]

ok, changed to 0 🙂👍

[petebacondarwin]

We've been going with 0 because it guarantees that all the tags are also there, and generally no one is complaining about performance. So I would err on that side. It is very confusing if something is missing from the cloned repo because the errors are a bit vague.