Use DevOps API version 5.0 where possible, for maximum compatibility

[rhyskoedijk]

Fixes #1423 and #1069 in TaskV2.

This change downgrades the DevOps REST API version requirement from 7.1 to 5.0, for maximum compatibility with older DevOps servers. The only exception to this is that approvePullRequest will use API version 7.1 in order to use the isReapprove parameter.

API version 5.0 is the same version used in dependabot-core's Azure API client. AzureDevOpsWebApiClient has been retested on 5.0, all APIs work as expected. See logs below where 5.0 is used to create the PR, 7.1 is used to auto-approve the PR.

Creating pull request '⬆️ Bump System.Text.Json from 8.0.0 to 8.0.5 in /WebApplicationNetCore'...
🌎 🠊 [GET] https://vssps.dev.azure.com/rhyskoedijk/_apis/identities?api-version=5.0&searchFilter=General&filterValue=Test Guard Team&queryMembership=None
🌎 🠈 [200] OK
 - Pushing 1 file change(s) to branch 'dependabot/nuget/main/WebApplicationNetCore/System.Text.Json-8.0.5'...
🌎 🠊 [POST] https://dev.azure.com/rhyskoedijk/Dependabot/_apis/git/repositories/Dependabot-Tests/pushes?api-version=5.0
🌎 🠈 [201] Created
 - Pushed commit: 86814c66872249c4d1679c83be7b50ae7fbb5af0.
 - Creating pull request to merge 'dependabot/nuget/main/WebApplicationNetCore/System.Text.Json-8.0.5' into 'main'...
🌎 🠊 [POST] https://dev.azure.com/rhyskoedijk/Dependabot/_apis/git/repositories/Dependabot-Tests/pullrequests?api-version=5.0
🌎 🠈 [201] Created
 - Created pull request: #287.
 - Adding dependency metadata to pull request properties...
🌎 🠊 [PATCH] https://dev.azure.com/rhyskoedijk/Dependabot/_apis/git/repositories/Dependabot-Tests/pullrequests/287/properties?api-version=5.0
🌎 🠈 [200] OK
 - Updating auto-complete options...
🌎 🠊 [PATCH] https://dev.azure.com/rhyskoedijk/Dependabot/_apis/git/repositories/Dependabot-Tests/pullrequests/287?api-version=5.0
🌎 🠈 [200] OK
 - Pull request was created successfully.
Approving pull request #287...
 - Updating reviewer vote on pull request...
🌎 🠊 [PUT] https://dev.azure.com/rhyskoedijk/Dependabot/_apis/git/repositories/Dependabot-Tests/pullrequests/287/reviewers/f6be700d-10f9-65fd-9296-09272a761d5e?api-version=7.1
🌎 🠈 [200] OK
 - Pull request was approved successfully.
Processing output 'mark_as_processed' with data: { 'base-commit-sha': '8736853ad71369d3fad02612987967acca11d3a2' }

If the pull request is updated by Dependabot, it is also reapproved:

[mburumaxwell]

This will block reapproval

See:

• Use version 7.1 of Azure DevOps API #1131
• Set isReapprove=true when for PRs with auto approve #1132
• Reapproval is not Working when Auto-Approval is set #1069

[rhyskoedijk]

Ah, interesting, I didn't test re-approvals.
Looking at the code in AzureDevOpsWebApiClient, I've actually set isReapprove: false to stop it from spamming the PR timeline with "User approved this pull request" messages every time the PR is updated. I'm now not sure if this was correct to do.

Do you think this could be resolved by using 7.1 for the approval API call and 5.0 for all other API calls?
It would allow for most functionality to work on older DevOps servers, they would just have to give up auto-approval unless they want to upgrade their server to 7.1?

[mburumaxwell]

According to #1069, we need to re-approve the PR if automatic approval is enabled and the PR is updated (e.g., resolving merge conflicts).
Let us encourage people to upgrade their servers. Isn't the whole point of dependabot to keep dependencies (and components) up to date?

For the longest, I have not considered auto-approval a good practice because when used with auto-merge it can result in some unwanted mergers. However, for organizations that use GitFlow (common with Azure DevOps as compared to GitHub Flow), the updates would be targeted towards a "develop" branch that would be tested as a whole later. This is why I allowed it.

Having "User approved this pull request" messages every time the PR is updated is not a problem because that indicates that it was done for the new changes. It would also be necessary when the policy requires it.

Side note: @SeMuell is a sponsor so I am inclined to keep a feature that works for them intact.

[rhyskoedijk]

Let us encourage people to upgrade their servers. Isn't the whole point of dependabot to keep dependencies (and components) up to date?

I do agree with this. However, I also think the on-premise server owners who might be prevented from upgrading promptly each year or so that Microsoft actually updates the server edition would appreciate a longer compatibility window; especially the ones that might have to factor in other organizational constraints before they can upgrade. Given that this can be done in a single line of code, I think it is at least worth considering. If this was a case of writing a new client to handle different API versions, I'd completely agree to just support the latest API version.

I've updated this PR with a change that I think balances fully-featured and maximum compatibility, back to DevOps Server 2019 (API 5.0). Let me know your thoughts. It will use API version 7.1 for auto-approval, version 5.0 for everything else.

If you still aren't comfortable with this change, I'll abandon it and open a separate PR to fix the isReapprove: true issue in TaskV2, which I've implemented wrong.

Having "User approved this pull request" messages every time the PR is updated is not a problem because that indicates that it was done for the new changes. It would also be necessary when the policy requires it.

Make sense, I wasn't really thinking about this when I implemented it; I have corrected it in this PR too.