Use DevOps API version 5.0 where possible, for maximum compatibility (#1425)

* Downgrade DevOps API version from 7.1 to 5.0

* Log the full DevOps API url, including query string parameters

* Fix for "isReapprove" not being set during auto-approve

* Fix formatting

* Update documentation

* Update documentation

Author: Rhys Koedijk

extension/README.md

@@ -55,7 +55,7 @@ Dependabot uses Docker containers, which may take time to install if not already
 |setAutoComplete|**_Optional_**. Determines if the pull requests that dependabot creates should have auto complete set. When set to `true`, pull requests that pass all policies will be merged automatically. Defaults to `false`.|
 |mergeStrategy|**_Optional_**. The merge strategy to use when auto complete is set. Learn more [here](https://learn.microsoft.com/en-us/rest/api/azure/devops/git/pull-requests/update?view=azure-devops-rest-6.0&tabs=HTTP#gitpullrequestmergestrategy). Defaults to `squash`.|
 |autoCompleteIgnoreConfigIds|**_Optional_**. List of any policy configuration Id's which auto-complete should not wait for. Only applies to optional policies. Auto-complete always waits for required (blocking) policies.|
-|autoApprove|**_Optional_**. Determines if the pull requests that dependabot creates should be automatically completed. When set to `true`, pull requests will be approved automatically. To use a different user for approval, supply `autoApproveUserToken` input. Defaults to `false`.|
+|autoApprove|**_Optional_**. Determines if the pull requests that dependabot creates should be automatically completed. When set to `true`, pull requests will be approved automatically. To use a different user for approval, supply `autoApproveUserToken` input. Defaults to `false`. Requires [Azure DevOps REST API 7.1](https://learn.microsoft.com/en-us/azure/devops/integrate/concepts/rest-api-versioning?view=azure-devops#supported-versions).|
 |autoApproveUserToken|**_Optional_**. A personal access token for the user to automatically approve the created PR.|
 |authorEmail|**_Optional_**. The email address to use for the change commit author. Can be used to associate the committer with an existing account, to provide a profile picture. Defaults to `[email protected]`.|
 |authorName|**_Optional_**. The name to use as the git commit author of the pull requests. Defaults to `dependabot[bot]`.|
@@ -82,7 +82,7 @@ Dependabot uses Docker containers, which may take time to install if not already
 |setAutoComplete|**_Optional_**. Determines if the pull requests that dependabot creates should have auto complete set. When set to `true`, pull requests that pass all policies will be merged automatically. Defaults to `false`.|
 |mergeStrategy|**_Optional_**. The merge strategy to use when auto complete is set. Learn more [here](https://learn.microsoft.com/en-us/rest/api/azure/devops/git/pull-requests/update?view=azure-devops-rest-6.0&tabs=HTTP#gitpullrequestmergestrategy). Defaults to `squash`.|
 |autoCompleteIgnoreConfigIds|**_Optional_**. List of any policy configuration Id's which auto-complete should not wait for. Only applies to optional policies. Auto-complete always waits for required (blocking) policies.|
-|autoApprove|**_Optional_**. Determines if the pull requests that dependabot creates should be automatically completed. When set to `true`, pull requests will be approved automatically. To use a different user for approval, supply `autoApproveUserToken` input. Defaults to `false`.|
+|autoApprove|**_Optional_**. Determines if the pull requests that dependabot creates should be automatically completed. When set to `true`, pull requests will be approved automatically. To use a different user for approval, supply `autoApproveUserToken` input. Defaults to `false`. Requires [Azure DevOps REST API 7.1](https://learn.microsoft.com/en-us/azure/devops/integrate/concepts/rest-api-versioning?view=azure-devops#supported-versions).|
 |autoApproveUserToken|**_Optional_**. A personal access token for the user to automatically approve the created PR.|
 |skipPullRequests|**_Optional_**. Determines whether to skip creation and updating of pull requests. When set to `true` the logic to update the dependencies is executed but the actual Pull Requests are not created/updated. This is useful for debugging. Defaults to `false`.|
 |abandonUnwantedPullRequests|**_Optional_**. Determines whether to abandon unwanted pull requests. Defaults to `false`.|

extension/tasks/dependabotV1/task.json

@@ -138,7 +138,7 @@
       "label": "Auto-approve pull requests",
       "defaultValue": false,
       "required": false,
-      "helpMarkDown": "When set to `true`, pull requests will automatically be approved by the specified user. Defaults to `false`."
+      "helpMarkDown": "When set to `true`, pull requests will automatically be approved by the specified user. Defaults to `false`. Requires [Azure DevOps REST API 7.1](https://learn.microsoft.com/en-us/azure/devops/integrate/concepts/rest-api-versioning?view=azure-devops#supported-versions)"
     },
     {
       "name": "autoApproveUserToken",

extension/tasks/dependabotV2/task.json

@@ -118,7 +118,7 @@
       "label": "Auto-approve pull requests",
       "defaultValue": false,
       "required": false,
-      "helpMarkDown": "When set to `true`, pull requests will automatically be approved by the specified user. Defaults to `false`."
+      "helpMarkDown": "When set to `true`, pull requests will automatically be approved by the specified user. Defaults to `false`. Requires [Azure DevOps REST API 7.1](https://learn.microsoft.com/en-us/azure/devops/integrate/concepts/rest-api-versioning?view=azure-devops#supported-versions)"
     },
     {
       "name": "autoApproveUserToken",

extension/tasks/dependabotV2/utils/azure-devops/AzureDevOpsWebApiClient.ts

@@ -28,7 +28,7 @@ export class AzureDevOpsWebApiClient {
   private authenticatedUserId: string;
   private resolvedUserIds: Record<string, string>;
 
-  public static API_VERSION = '7.1';
+  public static API_VERSION = '5.0'; // this is the same version used by dependabot-core
 
   constructor(organisationApiUrl: string, accessToken: string) {
     this.organisationApiUrl = organisationApiUrl.replace(/\/$/, ''); // trim trailing slash
@@ -464,9 +464,18 @@ export class AzureDevOpsWebApiClient {
       const userVote = await this.restApiPut(
         `${this.organisationApiUrl}/${pr.project}/_apis/git/repositories/${pr.repository}/pullrequests/${pr.pullRequestId}/reviewers/${userId}`,
         {
-          vote: 10, // 10 - approved 5 - approved with suggestions 0 - no vote -5 - waiting for author -10 - rejected
-          isReapprove: false, // don't re-approve if already approved
+          // Vote 10 = "approved"; 5 = "approved with suggestions"; 0 = "no vote"; -5 = "waiting for author"; -10 = "rejected"
+          vote: 10,
+          // Reapprove must be set to true after the 2023 August 23 update;
+          // Approval of a previous PR iteration does not count in later iterations, which means we must (re)approve every after push to the source branch
+          // See: https://learn.microsoft.com/en-us/azure/devops/release-notes/2023/sprint-226-update#new-branch-policy-preventing-users-to-approve-their-own-changes
+          //      https://github.com/tinglesoftware/dependabot-azure-devops/issues/1069
+          isReapprove: true,
         },
+        // API version 7.1 is required to use the 'isReapprove' parameter
+        // See: https://learn.microsoft.com/en-us/rest/api/azure/devops/git/pull-request-reviewers/create-pull-request-reviewer?view=azure-devops-rest-7.1&tabs=HTTP#request-body
+        //      https://learn.microsoft.com/en-us/azure/devops/integrate/concepts/rest-api-versioning?view=azure-devops#supported-versions
+        '7.1',
       );
       if (userVote?.vote != 10) {
         throw new Error('Failed to approve pull request, vote was not recorded');
@@ -619,7 +628,7 @@ export class AzureDevOpsWebApiClient {
       .map((key) => `${key}=${params[key]}`)
       .join('&');
     const fullUrl = `${url}?api-version=${apiVersion}${queryString ? `&${queryString}` : ''}`;
-    return await this.restApiRequest('GET', url, () =>
+    return await this.restApiRequest('GET', fullUrl, () =>
       this.connection.rest.client.get(fullUrl, {
         Accept: 'application/json',
       }),
@@ -632,7 +641,7 @@ export class AzureDevOpsWebApiClient {
     apiVersion: string = AzureDevOpsWebApiClient.API_VERSION,
   ): Promise<any | undefined> {
     const fullUrl = `${url}?api-version=${apiVersion}`;
-    return await this.restApiRequest('POST', url, () =>
+    return await this.restApiRequest('POST', fullUrl, () =>
       this.connection.rest.client.post(fullUrl, JSON.stringify(data), {
         'Content-Type': 'application/json',
       }),
@@ -645,7 +654,7 @@ export class AzureDevOpsWebApiClient {
     apiVersion: string = AzureDevOpsWebApiClient.API_VERSION,
   ): Promise<any | undefined> {
     const fullUrl = `${url}?api-version=${apiVersion}`;
-    return await this.restApiRequest('PUT', url, () =>
+    return await this.restApiRequest('PUT', fullUrl, () =>
       this.connection.rest.client.put(fullUrl, JSON.stringify(data), {
         'Content-Type': 'application/json',
       }),
@@ -659,7 +668,7 @@ export class AzureDevOpsWebApiClient {
     apiVersion: string = AzureDevOpsWebApiClient.API_VERSION,
   ): Promise<any | undefined> {
     const fullUrl = `${url}?api-version=${apiVersion}`;
-    return await this.restApiRequest('PATCH', url, () =>
+    return await this.restApiRequest('PATCH', fullUrl, () =>
       this.connection.rest.client.patch(fullUrl, JSON.stringify(data), {
         'Content-Type': contentType || 'application/json',
       }),