Fix actions pinned to branches not being bumped

There were two issues: * Not correctly detecting whether the action is pinned, when pinned to a major version branch, like "v7" in https://github.com/lukka/run-vcpkg. * Not correctly finding update candidates when pinned to a major version branch. In this case, the update candidates should include another major version branches, like "v10", but branches were being completely ignored as potential update candidates.
dependabot · Nov 3, 2022 · 10b3766 · 10b3766
1 parent bba8fec
commit 10b3766
Show file tree

Hide file tree

Showing 5 changed files with 65 additions and 37 deletions.
diff --git a/common/lib/dependabot/git_commit_checker.rb b/common/lib/dependabot/git_commit_checker.rb
@@ -52,11 +52,11 @@ def pinned?
       # If the specified `ref` is actually a tag, we're pinned
       return true if local_upload_pack.match?(%r{ refs/tags/#{ref}$})
 
-      # If the specified `ref` is actually a branch, we're NOT pinned
-      return false if local_upload_pack.match?(%r{ refs/heads/#{ref}$})
+      # Assume we're pinned unless the specified `ref` is actually a branch
+      return true unless local_upload_pack.match?(%r{ refs/heads/#{ref}$})
 
-      # Otherwise, assume we're pinned
-      true
+      # If the specified `ref` is actually a branch, we're pinned if the branch looks like a version
+      version_tag?(ref)
     end
 
     def pinned_ref_looks_like_version?
@@ -100,8 +100,15 @@ def head_commit_for_local_branch(name)
       local_repo_git_metadata_fetcher.head_commit_for_ref(name)
     end
 
+    def local_refs_for_latest_version_commit_sha
+      refs_for_latest_version_commit_sha(allowed_version_refs)
+    end
+
     def local_tags_for_latest_version_commit_sha
-      tags = allowed_version_tags
+      refs_for_latest_version_commit_sha(allowed_version_tags)
+    end
+
+    def refs_for_latest_version_commit_sha(tags)
       max_tag = max_version_tag(tags)
 
       return [] unless max_tag
@@ -114,7 +121,7 @@ def local_tags_for_latest_version_commit_sha
             tag: t.name,
             version: version_class.new(version),
             commit_sha: t.commit_sha,
-            tag_sha: t.tag_sha
+            tag_sha: t.ref_sha
           }
         end
     end
@@ -129,7 +136,7 @@ def local_tag_for_latest_version
         tag: tag.name,
         version: version_class.new(version),
         commit_sha: tag.commit_sha,
-        tag_sha: tag.tag_sha
+        tag_sha: tag.ref_sha
       }
     end
 
@@ -143,17 +150,11 @@ def max_version_tag(tags)
     end
 
     def allowed_version_tags
-      tags =
-        local_tags.
-        select { |t| version_tag?(t.name) && matches_existing_prefix?(t.name) }
-      filtered = tags.
-                 reject { |t| tag_included_in_ignore_requirements?(t) }
-      if @raise_on_ignored && filter_lower_versions(filtered).empty? && filter_lower_versions(tags).any?
-        raise Dependabot::AllVersionsIgnored
-      end
+      allowed_versions(local_tags)
+    end
 
-      filtered.
-        reject { |t| tag_is_prerelease?(t) && !wants_prerelease? }
+    def allowed_version_refs
+      allowed_versions(local_refs)
     end
 
     def current_version
@@ -198,6 +199,20 @@ def git_repo_reachable?
 
     attr_reader :dependency, :credentials, :ignored_versions
 
+    def allowed_versions(local_tags)
+      tags =
+        local_tags.
+        select { |t| version_tag?(t.name) && matches_existing_prefix?(t.name) }
+      filtered = tags.
+                 reject { |t| tag_included_in_ignore_requirements?(t) }
+      if @raise_on_ignored && filter_lower_versions(filtered).empty? && filter_lower_versions(tags).any?
+        raise Dependabot::AllVersionsIgnored
+      end
+
+      filtered.
+        reject { |t| tag_is_prerelease?(t) && !wants_prerelease? }
+    end
+
     def pinned_ref_in_release?(version)
       raise "Not a git dependency!" unless git_dependency?
 
@@ -236,9 +251,15 @@ def local_upload_pack
       local_repo_git_metadata_fetcher.upload_pack
     end
 
+    def local_refs
+      handle_tag_prefix(local_repo_git_metadata_fetcher.refs_for_upload_pack)
+    end
+
     def local_tags
-      tags = local_repo_git_metadata_fetcher.tags
+      handle_tag_prefix(local_repo_git_metadata_fetcher.tags_for_upload_pack)
+    end
 
+    def handle_tag_prefix(tags)
       if dependency_source_details&.fetch(:ref, nil)&.start_with?("tags/")
         tags = tags.map do |tag|
           tag.dup.tap { |t| t.name = "tags/#{tag.name}" }

diff --git a/common/lib/dependabot/git_metadata_fetcher.rb b/common/lib/dependabot/git_metadata_fetcher.rb
@@ -22,7 +22,21 @@ def upload_pack
     def tags
       return [] unless upload_pack
 
-      @tags ||= tags_for_upload_pack
+      @tags ||= tags_for_upload_pack.map do |ref|
+        OpenStruct.new(
+          name: ref.name,
+          tag_sha: ref.ref_sha,
+          commit_sha: ref.commit_sha
+        )
+      end
+    end
+
+    def tags_for_upload_pack
+      @tags_for_upload_pack ||= refs_for_upload_pack.select { |ref| ref.ref_type == :tag }
+    end
+
+    def refs_for_upload_pack
+      @refs_for_upload_pack ||= parse_refs_for_upload_pack
     end
 
     def ref_names
@@ -102,22 +116,6 @@ def fetch_raw_upload_pack_with_git_for(uri)
       end
     end
 
-    def tags_for_upload_pack
-      refs_for_upload_pack.
-        select { |ref| ref.ref_type == :tag }.
-        map do |ref|
-          OpenStruct.new(
-            name: ref.name,
-            tag_sha: ref.ref_sha,
-            commit_sha: ref.commit_sha
-          )
-        end
-    end
-
-    def refs_for_upload_pack
-      @refs_for_upload_pack ||= parse_refs_for_upload_pack
-    end
-
     def parse_refs_for_upload_pack
       peeled_lines = []
 

diff --git a/github_actions/lib/dependabot/github_actions/update_checker.rb b/github_actions/lib/dependabot/github_actions/update_checker.rb
@@ -95,7 +95,7 @@ def latest_version_tag
         @latest_version_tag ||= begin
           return git_commit_checker.local_tag_for_latest_version if dependency.version.nil?
 
-          latest_tags = git_commit_checker.local_tags_for_latest_version_commit_sha
+          latest_tags = git_commit_checker.local_refs_for_latest_version_commit_sha
 
           # Find the latest version with the same precision as the pinned version.
           current_precision = precision(dependency.version)

diff --git a/github_actions/spec/dependabot/github_actions/update_checker_spec.rb b/github_actions/spec/dependabot/github_actions/update_checker_spec.rb
@@ -284,6 +284,15 @@
       end
     end
 
+    context "given a dependency that uses branches to track major releases" do
+      let(:upload_pack_fixture) { "run-vcpkg" }
+
+      context "using the major version" do
+        let(:reference) { "v7" }
+        it { is_expected.to eq(Dependabot::GithubActions::Version.new("10")) }
+      end
+    end
+
     context "given a dependency with a tag reference when an update with the same precision is not available" do
       let(:latest_versions) { [] }
 
@@ -296,7 +305,7 @@
         end
 
         checker.instance_variable_set(:@git_commit_checker, git_commit_checker)
-        allow(git_commit_checker).to receive(:local_tags_for_latest_version_commit_sha).and_return(version_tags)
+        allow(git_commit_checker).to receive(:local_refs_for_latest_version_commit_sha).and_return(version_tags)
       end
 
       context "using the major version" do

diff --git a/github_actions/spec/fixtures/git/upload_packs/run-vcpkg b/github_actions/spec/fixtures/git/upload_packs/run-vcpkg