Merge pull request #13985 from yeikel/fix-github-actions-comment-not-updated

JamieMagee · web-flow · commit 1c3a7f8553fc · 2026-02-03T19:59:04.000-08:00
Fix github actions versions comment not updated in an edge case
diff --git a/common/lib/dependabot/git_commit_checker.rb b/common/lib/dependabot/git_commit_checker.rb
@@ -246,13 +246,17 @@ def refs_for_tag_with_detail
 
     sig { params(commit_sha: T.nilable(String)).returns(T.nilable(String)) }
     def most_specific_version_tag_for_sha(commit_sha)
-      tags = local_tags.select { |t| t.commit_sha == commit_sha && version_class.correct?(t.name) }
-                       .sort_by { |t| version_class.new(t.name) }
+      tags = local_tags_matching_sha(commit_sha)
       return if tags.empty?
 
       tags[-1]&.name
     end
 
+    sig { params(commit_sha: T.nilable(String)).returns(T::Array[String]) }
+    def most_specific_version_tags_for_sha(commit_sha)
+      local_tags_matching_sha(commit_sha).map(&:name)
+    end
+
     sig { params(tags: T::Array[Dependabot::GitRef]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
     def max_local_tag(tags)
       max_version_tag = tags.max_by { |t| version_from_tag(t) }
@@ -333,6 +337,12 @@ def allowed_versions(local_tags)
         .reject { |t| tag_is_prerelease?(t) && !wants_prerelease? }
     end
 
+    sig { params(commit_sha: T.nilable(String)).returns(T::Array[Dependabot::GitRef]) }
+    def local_tags_matching_sha(commit_sha)
+      local_tags.select { |t| t.commit_sha == commit_sha && version_class.correct?(t.name) }
+                .sort_by { |t| version_class.new(t.name) }
+    end
+
     sig { params(version: T.any(String, Gem::Version)).returns(T::Boolean) }
     def pinned_ref_in_release?(version)
       raise "Not a git dependency!" unless git_dependency?
diff --git a/github_actions/lib/dependabot/github_actions/file_updater.rb b/github_actions/lib/dependabot/github_actions/file_updater.rb
@@ -107,11 +107,12 @@ def updated_version_comment(comment, old_ref, new_ref)
         git_checker = Dependabot::GitCommitChecker.new(dependency: dependency, credentials: credentials)
         return unless git_checker.ref_looks_like_commit_sha?(old_ref)
 
-        previous_version_tag = git_checker.most_specific_version_tag_for_sha(old_ref)
-        return unless previous_version_tag # There's no tag for this commit
+        previous_version_tags = git_checker.most_specific_version_tags_for_sha(old_ref)
+        return unless previous_version_tags.any? # There's no tag for this commit
 
-        previous_version = version_class.new(previous_version_tag).to_s
-        return unless comment.end_with? previous_version
+        previous_version = previous_version_tags.map { |tag| version_class.new(tag).to_s }
+                                                .find { |version| comment.end_with? version }
+        return unless previous_version
 
         new_version_tag = git_checker.most_specific_version_tag_for_sha(new_ref)
         return unless new_version_tag
diff --git a/github_actions/spec/dependabot/github_actions/file_updater_spec.rb b/github_actions/spec/dependabot/github_actions/file_updater_spec.rb
@@ -474,14 +474,76 @@
 
           it "doesn't update version comments" do
             allow(Dependabot::GitCommitChecker).to receive(:new).and_return(git_checker)
-            allow(git_checker).to receive(:ref_looks_like_commit_sha?).and_return true
-            allow(git_checker).to receive(:most_specific_version_tag_for_sha).and_return("v2.1.0", nil, nil)
+            allow(git_checker).to receive_messages(
+              ref_looks_like_commit_sha?: true,
+              most_specific_version_tags_for_sha: ["v2.1.0"]
+            )
+            allow(git_checker).to receive(:most_specific_version_tag_for_sha).and_return(nil, nil)
             old_version = dependency.previous_requirements[1].dig(:source, :ref)
             expect(updated_workflow_file.content).not_to match(/@#{old_version}\s+#.*#{dependency.version}/)
           end
         end
       end
 
+      context "with pinned SHA hash matching multiple tags and version in comment different from latest matching tag" do
+        let(:service_pack_url) do
+          "https://github.com/github/codeql-action.git/info/refs" \
+            "?service=git-upload-pack"
+        end
+        let(:workflow_file_body) do
+          fixture("workflow_files", "pinned_sources_version_comments.yml")
+        end
+        let(:previous_version) { "3.29.5" }
+        let(:new_ref) { "2d92b76c45b91eb80fc44c74ce3fce0ee94e8f9d" }
+        let(:dependency) do
+          Dependabot::Dependency.new(
+            name: "github/codeql-action",
+            version: "3.30.0",
+            package_manager: "github_actions",
+            previous_version: previous_version,
+            previous_requirements: [{
+              requirement: nil,
+              groups: [],
+              file: ".github/workflows/workflow.yml",
+              source: {
+                type: "git",
+                url: "https://github.com/github/codeql-action",
+                ref: "51f77329afa6477de8c49fc9c7046c15b9a4e79d",
+                branch: nil
+              },
+              metadata: { declaration_string: "github/codeql-action@51f77329afa6477de8c49fc9c7046c15b9a4e79d" }
+            }],
+            requirements: [{
+              requirement: nil,
+              groups: [],
+              file: ".github/workflows/workflow.yml",
+              source: {
+                type: "git",
+                url: "https://github.com/github/codeql-action",
+                ref: new_ref,
+                branch: nil
+              },
+              metadata: { declaration_string: "github/codeql-action@#{new_ref}" }
+            }]
+          )
+        end
+
+        before do
+          stub_request(:get, service_pack_url)
+            .to_return(
+              status: 200,
+              body: fixture("git", "upload_packs", "codeql-action"),
+              headers: {
+                "content-type" => "application/x-git-upload-pack-advertisement"
+              }
+            )
+        end
+
+        it "updates SHA and comment" do
+          expect(updated_workflow_file.content).to match(/@#{new_ref}\s+#.*#{dependency.version}/)
+        end
+      end
+
       context "with a path based tag with semver" do
         let(:workflow_file_body) do
           fixture("workflow_files", "workflow_monorepo_path_based_semver.yml")
diff --git a/github_actions/spec/fixtures/git/upload_packs/codeql-action b/github_actions/spec/fixtures/git/upload_packs/codeql-action
diff --git a/github_actions/spec/fixtures/workflow_files/pinned_sources_version_comments.yml b/github_actions/spec/fixtures/workflow_files/pinned_sources_version_comments.yml
@@ -33,3 +33,7 @@ jobs:
     # This is pinned to the version before v2.1.0, so the comment is incorrect.
     # Rather than failing to update, it will just leave the comment as-is.
     - uses: actions/checkout@85b1f35505da871133b65f059e96210c65650a8b # v2.1.0
+
+    # The pinned SHA matches both v3.29.5 and v3.29.7. It will be still replaced
+    # properly.
+    - uses: github/codeql-action@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
