Release v1.3.2 has introduced a breaking change

[marktarry-mobysoft]

We've been using the dependabot/fetch-metadata action for a short time, referencing the v1 tag in our workflows:

    - name: Dependabot metadata
      id: dependabot-metadata
      uses: dependabot/fetch-metadata@v1

Today we started seeing multiple workflow failures, each reporting the following error:

Download action repository 'dependabot/fetch-metadata@v1' (SHA:90ed90dba204fdf8970c1f891b4349c96353f220)

Error: dependabot/fetch-metadata/v1/action.yml:
Error: dependabot/fetch-metadata/v1/action.yml: (Line: 18, Col: 113, Idx: 682) - (Line: 18, Col: 141, Idx: 710): While parsing a block mapping, did not find expected key.
Error: System.ArgumentException: Unexpected type '' encountered while reading 'action manifest root'. The type 'MappingToken' was expected.
   at GitHub.DistributedTask.ObjectTemplating.Tokens.TemplateTokenExtensions.AssertMapping(TemplateToken value, String objectDescription)
   at GitHub.Runner.Worker.ActionManifestManager.Load(IExecutionContext executionContext, String manifestFile)
Error: Fail to load dependabot/fetch-metadata/v1/action.yml

Comparing v1.3.1 against v1.3.2, I can see that "(Line: 18, Col: 113, Idx: 682) - (Line: 18, Col: 141, Idx: 710)" refers to the description attribute of the new skip-commit-verification option introduced by v1.3.2:

  skip-commit-verification:
    type: boolean
    description: 'If true, the action will not expect Dependabot commits to be verified. This should be set as 'true' in GHES environments.'
    default: false

Column 113 marks the single-quotation at the start of 'true' in GHES environments.. This is invalid YAML syntax - as the entire string is surrounded by single-quotes.

v1.3.1...v1.3.2

Workaround

Changing our workflow to specify v1.3.1 has temporarily resolved the issue for us:

    - name: Dependabot metadata
      id: dependabot-metadata
      uses: dependabot/fetch-metadata@v1.3.1

[marktarry-mobysoft]

Closing this as a duplicate of #235