actions: expand to the most specific semver tag

### Please describe the enhancement

Given a reference like `actions/checkout@v3`.

I'd prefer the pinned version to be: `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0` instead of  `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3`

This difference makes the result (including the comment) compatible with Dependabot. Dependabot will update the commit of `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3`, but leave the comment at `v3`.


This should _only_ be done when multiple tags reference the same commit.

### Solution Proposal

When pinning, list all tags in the repository.
When a commit to be pinned can be resolved to multiple tags, choose the "most specific" tag.

### Describe alternatives you've considered

We could wrap frizbee, or use a linter to discourage using major version tags.

This could be `WONTFIX`, treated as a bug in Dependabot: https://github.com/dependabot/dependabot-core/issues/8011 . (I have not confirmed how RenovateBot handles this case).

### Additional context

_No response_

### Acceptance Criteria

1. Have a repository using `actions/checkout@v3`.
2. Run frizbee to pin the actions in the repository.
3. Enable Dependabot for GitHub Actions: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
4. Receive a clean pull request upgrading to the latest pinned version (at the time of writing): `actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

actions: expand to the most specific semver tag #184

Please describe the enhancement

Solution Proposal

Describe alternatives you've considered

Additional context

Acceptance Criteria

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development