Fix github_actions pinned to specific refs being downgraded

After fixing the previous crash, I noticed that we were actually cloning
the _repository_ being updated (the one that includes the workflow
files), not the repository of the dependency being updated (the
repository of the action itself).

I have no idea how this somewhat seemed to work in some cases before.

github_actions/lib/dependabot/github_actions.rb

@@ -22,6 +22,3 @@
 require "dependabot/dependency"
 Dependabot::Dependency.
   register_production_check("github_actions", ->(_) { true })
-
-require "dependabot/utils"
-Dependabot::Utils.register_always_clone("github_actions")

github_actions/lib/dependabot/github_actions/update_checker.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "dependabot/file_fetchers/base"
 require "dependabot/update_checkers"
 require "dependabot/update_checkers/base"
 require "dependabot/errors"
@@ -83,12 +84,21 @@ def fetch_latest_version_for_git_dependency
       end
 
       def latest_commit_for_pinned_ref
-        @latest_commit_for_pinned_ref ||=
-          SharedHelpers.in_a_temporary_repo_directory("/", repo_contents_path) do
-            ref_branch = find_container_branch(current_commit)
+        @latest_commit_for_pinned_ref ||= begin
+          source = Source.from_url(dependency_source_details[:url])
 
-            git_commit_checker.head_commit_for_local_branch(ref_branch)
+          SharedHelpers.in_a_temporary_directory(File.dirname(source.repo)) do |temp_dir|
+            repo_contents_path = File.join(temp_dir, File.basename(source.repo))
+            fetcher = FileFetchers::Base.new(source: source, credentials: [], repo_contents_path: repo_contents_path)
+            fetcher.clone_repo_contents
+
+            Dir.chdir(repo_contents_path) do
+              ref_branch = find_container_branch(current_commit)
+
+              git_commit_checker.head_commit_for_local_branch(ref_branch)
+            end
           end
+        end
       end
 
       def latest_version_tag
@@ -184,7 +194,7 @@ def shortened_semver_eq?(base, other)
       end
 
       def find_container_branch(sha)
-        SharedHelpers.run_shell_command("git fetch #{current_commit}")
+        SharedHelpers.run_shell_command("git fetch --depth 1 --no-recurse-submodules origin #{sha}")
 
         branches_including_ref = SharedHelpers.run_shell_command("git branch --contains #{sha}").split("\n")
 
@@ -194,7 +204,7 @@ def find_container_branch(sha)
           current_branch.delete_prefix("* ")
         elsif branches_including_ref.size > 1
           # If there are multiple non default branches including the pinned SHA, then it's unclear how we should proceed
-          raise "Multiple ambiguous branches (#{branches_including_ref.join(', ')}) include #{current_commit}!"
+          raise "Multiple ambiguous branches (#{branches_including_ref.join(', ')}) include #{sha}!"
         else
           branches_including_ref.first
         end

github_actions/spec/dependabot/github_actions/update_checker_spec.rb

@@ -392,6 +392,50 @@
       end
     end
 
+    context "given a dependency with a different default branch from the source repository", :vcr do
+      let(:dependency) do
+        Dependabot::Dependency.new(
+          name: dependency_name,
+          version: dependency_version,
+          requirements: [{
+            requirement: nil,
+            groups: [],
+            file: ".github/workflows/main.yml",
+            source: dependency_source
+          }],
+          package_manager: "github_actions"
+        )
+      end
+      let(:dependency_name) { "cpina/github-action-push-to-another-repository" }
+      let(:dependency_version) { nil }
+      let(:dependency_source) do
+        {
+          type: "git",
+          url: "https://github.com/cpina/github-action-push-to-another-repository",
+          ref: reference,
+          branch: nil
+        }
+      end
+
+      let(:latest_commit) { "9e487f29582587eeb4837c0552c886bb0644b6b9" }
+
+      context "when up to date" do
+        let(:reference) { latest_commit }
+
+        it "returns the expected value" do
+          expect(subject).to eq(latest_commit)
+        end
+      end
+
+      context "when out of to date" do
+        let(:reference) { "f4b9c90516ad3bdcfdc6f4fcf8ba937d0bd40465" }
+
+        it "returns the expected value" do
+          expect(subject).to eq(latest_commit)
+        end
+      end
+    end
+
     context "that is a git commit SHA not pointing to the tip of a branch" do
       let(:reference) { "1c24df3" }
       let(:exit_status) { double(success?: true) }
@@ -401,7 +445,15 @@
         allow(git_commit_checker).to receive(:branch_or_ref_in_release?).and_return(false)
         allow(git_commit_checker).to receive(:head_commit_for_current_branch).and_return(reference)
 
-        allow(Open3).to receive(:capture2e).with(anything, "git fetch #{reference}").and_return(["", exit_status])
+        allow(Dependabot::SharedHelpers).to receive(:configure_git_to_use_https_with_credentials)
+
+        allow(Open3).to receive(:capture2e).
+          with(anything, %r{git clone --no-tags --depth 1 --no-recurse-submodules https://github\.com/actions/setup-node}).
+          and_return(["", exit_status])
+
+        allow(Open3).to receive(:capture2e).
+          with(anything, "git fetch --depth 1 --no-recurse-submodules origin #{reference}").
+          and_return(["", exit_status])
       end
 
       context "and it's in the current (default) branch" do