From 02c35dcd283570987fd5e46b6e75788f8e4ddf02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Rodr=C3=ADguez?=
Date: Mon, 24 Oct 2022 12:30:40 +0200
Subject: [PATCH 1/4] Reuse `version_tag?` helper method
---
 common/lib/dependabot/git_commit_checker.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/lib/dependabot/git_commit_checker.rb b/common/lib/dependabot/git_commit_checker.rb
index 29e796ed34..12bd9c2fc7 100644
--- a/common/lib/dependabot/git_commit_checker.rb
+++ b/common/lib/dependabot/git_commit_checker.rb
@@ -62,7 +62,7 @@ def pinned?
 def pinned_ref_looks_like_version?
 return false unless pinned?
- dependency_source_details.fetch(:ref).match?(VERSION_REGEX)
+ version_tag?(dependency_source_details.fetch(:ref))
 end
 def pinned_ref_looks_like_commit_sha?
From 06debc96af50d978bbda248a46547f151a4267d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Rodr=C3=ADguez?=
Date: Tue, 15 Nov 2022 16:59:40 +0100
Subject: [PATCH 2/4] Move some common logic around
---
 common/lib/dependabot/git_commit_checker.rb | 41 +++++++++------------
 1 file changed, 17 insertions(+), 24 deletions(-)
diff --git a/common/lib/dependabot/git_commit_checker.rb b/common/lib/dependabot/git_commit_checker.rb
index 12bd9c2fc7..4a4420ab5e 100644
--- a/common/lib/dependabot/git_commit_checker.rb
+++ b/common/lib/dependabot/git_commit_checker.rb
@@ -101,33 +101,11 @@ def head_commit_for_local_branch(name)
 end
 def local_tag_for_latest_version_matching_existing_precision
- max_tag = max_version_tag_for_current_precision(allowed_version_tags)
-
- return unless max_tag
-
- to_local_tag(max_tag)
+ max_local_tag_for_current_precision(allowed_version_tags)
 end
 def local_tag_for_latest_version
- max_tag = max_version_tag(allowed_version_tags)
-
- return unless max_tag
-
- to_local_tag(max_tag)
- end
-
- def max_version_tag(tags)
- tags.
- max_by do |t|
- version_from_tag(t)
- end
- end
-
- def max_version_tag_for_current_precision(tags)
- current_precision = precision(dependency.version)
-
- # Find the latest version with the same precision as the pinned version.
- max_version_tag(tags.select { |tag| precision(scan_version(tag.name)) == current_precision })
+ max_local_tag(allowed_version_tags)
 end
 def allowed_version_tags
@@ -184,6 +162,19 @@ def git_repo_reachable?
 attr_reader :dependency, :credentials, :ignored_versions
+ def max_local_tag_for_current_precision(tags)
+ current_precision = precision(dependency.version)
+
+ # Find the latest version with the same precision as the pinned version.
+ max_local_tag(tags.select { |tag| precision(scan_version(tag.name)) == current_precision })
+ end
+
+ def max_local_tag(tags)
+ max_version_tag = tags.max_by { |t| version_from_tag(t) }
+
+ to_local_tag(max_version_tag)
+ end
+
 def precision(version)
 version.split(".").length
 end
@@ -332,6 +323,8 @@ def matches_existing_prefix?(tag)
 end
 def to_local_tag(tag)
+ return unless tag
+
 version = version_from_tag(tag)
 {
 tag: tag.name,
From 57e1eac556558330b94bf349e6f80ec1dab0aff0 Mon Sep 17 00:00:00 2001
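Review bot: `max_local_tag_for_current_precision` calls `precision(dependency.version)`, and `precision` does `version.split(".")`, so if `dependency.version` can ever be nil here the method raises NoMethodError instead of returning nil like the helpers around it; that behaviour is carried over from the removed `max_version_tag_for_current_precision`, not introduced by this commit, but moving the method is a natural moment to add `return unless dependency.version` as its first line if callers do not already guarantee a version. Separately, `max_local_tag` relies on `max_by` returning nil for an empty list and on the `return unless tag` guard this same commit adds to `to_local_tag`; a one-line comment above it, `# Returns nil when tags is empty: max_by yields nil and to_local_tag tolerates it.`, would make that contract visible at the call sites.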
From: =?UTF-8?q?David=20Rodr=C3=ADguez?=
Date: Sat, 22 Oct 2022 20:04:12 +0200
Subject: [PATCH 3/4] Fix actions pinned to branches not being bumped
There were two issues:
* Not correctly detecting whether the action is pinned, when pinned to a major version branch, like "v7" in https://github.com/lukka/run-vcpkg.
* Not correctly finding update candidates when pinned to a major version branch. In this case, the update candidates should include another major version branches, like "v10", but branches were being completely ignored as potential update candidates.
---
 common/lib/dependabot/git_commit_checker.rb | 50 +++++++----
 common/lib/dependabot/git_metadata_fetcher.rb | 32 ++++---
 .../dependabot/git_commit_checker_spec.rb | 85 ++++++++++++++++++
 .../spec/fixtures/git/upload_packs/run-vcpkg | Bin 0 -> 8649 bytes
 .../github_actions/update_checker.rb | 2 +-
 .../github_actions/update_checker_spec.rb | 9 ++
 .../spec/fixtures/git/upload_packs/run-vcpkg | Bin 0 -> 8451 bytes
 7 files changed, 144 insertions(+), 34 deletions(-)
 create mode 100644 common/spec/fixtures/git/upload_packs/run-vcpkg
 create mode 100644 github_actions/spec/fixtures/git/upload_packs/run-vcpkg
diff --git a/common/lib/dependabot/git_commit_checker.rb b/common/lib/dependabot/git_commit_checker.rb
index 4a4420ab5e..f24826ca7a 100644
--- a/common/lib/dependabot/git_commit_checker.rb
+++ b/common/lib/dependabot/git_commit_checker.rb
@@ -52,11 +52,11 @@ def pinned?
 # If the specified `ref` is actually a tag, we're pinned
 return true if local_upload_pack.match?(%r{ refs/tags/#{ref}$})
- # If the specified `ref` is actually a branch, we're NOT pinned
- return false if local_upload_pack.match?(%r{ refs/heads/#{ref}$})
+ # Assume we're pinned unless the specified `ref` is actually a branch
+ return true unless local_upload_pack.match?(%r{ refs/heads/#{ref}$})
- # Otherwise, assume we're pinned
- true
+ # If the specified `ref` is actually a branch, we're pinned if the branch looks like a version
+ version_tag?(ref)
 end
 def pinned_ref_looks_like_version?
@@ -104,22 +104,20 @@ def local_tag_for_latest_version_matching_existing_precision
 max_local_tag_for_current_precision(allowed_version_tags)
 end
+ def local_ref_for_latest_version_matching_existing_precision
+ max_local_tag_for_current_precision(allowed_version_refs)
+ end
+
 def local_tag_for_latest_version
 max_local_tag(allowed_version_tags)
 end
 def allowed_version_tags
- tags =
- local_tags.
- select { |t| version_tag?(t.name) && matches_existing_prefix?(t.name) }
- filtered = tags.
- reject { |t| tag_included_in_ignore_requirements?(t) }
- if @raise_on_ignored && filter_lower_versions(filtered).empty? && filter_lower_versions(tags).any?
- raise Dependabot::AllVersionsIgnored
- end
+ allowed_versions(local_tags)
+ end
- filtered.
- reject { |t| tag_is_prerelease?(t) && !wants_prerelease? }
+ def allowed_version_refs
+ allowed_versions(local_refs)
 end
 def current_version
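Review bot: `ref` is interpolated unescaped into `%r{ refs/heads/#{ref}$}` on the rewritten line (and into the `refs/tags/` regex two lines above it), so a ref containing regex metacharacters is not compared literally against the upload pack: the dot in `v1.2` matches any character, and a ref with an unbalanced bracket would raise RegexpError instead of returning a boolean. Since this line is being rewritten anyway, `return true unless local_upload_pack.match?(%r{ refs/heads/#{Regexp.escape(ref)}$})` pins the comparison down, and the tags line deserves the same treatment. The body of `pinned?` starts above this hunk, so I cannot see where `ref` is derived; it presumably comes from the manifest being updated, which is all the more reason to match it literally.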
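Review bot: `local_ref_for_latest_version_matching_existing_precision` and `allowed_version_refs` are new public methods without documentation, and their result shape is not obvious from the names: both go through `max_local_tag_for_current_precision` and `to_local_tag`, so a winning branch is still reported under the `tag:` key (the accompanying spec expects `tag: "v10"` for a major-version branch) and callers cannot tell a branch from a tag in the result. A comment on the first method such as `# Like local_tag_for_latest_version_matching_existing_precision, but also considers branches whose names look like versions; the ref name is returned under :tag regardless of ref type.` would document that, with a matching one-liner on `allowed_version_refs` noting it applies the same prefix, ignore and prerelease filtering as `allowed_version_tags`.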
@@ -179,6 +177,20 @@ def precision(version)
 version.split(".").length
 end
+ def allowed_versions(local_tags)
+ tags =
+ local_tags.
+ select { |t| version_tag?(t.name) && matches_existing_prefix?(t.name) }
+ filtered = tags.
+ reject { |t| tag_included_in_ignore_requirements?(t) }
+ if @raise_on_ignored && filter_lower_versions(filtered).empty? && filter_lower_versions(tags).any?
+ raise Dependabot::AllVersionsIgnored
+ end
+
+ filtered.
+ reject { |t| tag_is_prerelease?(t) && !wants_prerelease? }
+ end
+
 def pinned_ref_in_release?(version)
 raise "Not a git dependency!" unless git_dependency?
@@ -217,9 +229,15 @@ def local_upload_pack
 local_repo_git_metadata_fetcher.upload_pack
 end
+ def local_refs
+ handle_tag_prefix(local_repo_git_metadata_fetcher.refs_for_upload_pack)
+ end
+
 def local_tags
- tags = local_repo_git_metadata_fetcher.tags
+ handle_tag_prefix(local_repo_git_metadata_fetcher.tags_for_upload_pack)
+ end
+
+ def handle_tag_prefix(tags)
 if dependency_source_details&.fetch(:ref, nil)&.start_with?("tags/")
 tags = tags.map do |tag|
 tag.dup.tap { |t| t.name = "tags/#{tag.name}" }
@@ -330,7 +348,7 @@ def to_local_tag(tag)
 tag: tag.name,
 version: version,
 commit_sha: tag.commit_sha,
- tag_sha: tag.tag_sha
+ tag_sha: tag.ref_sha
 }
 end
diff --git a/common/lib/dependabot/git_metadata_fetcher.rb b/common/lib/dependabot/git_metadata_fetcher.rb
index f34f314afc..87c519bcec 100644
--- a/common/lib/dependabot/git_metadata_fetcher.rb
+++ b/common/lib/dependabot/git_metadata_fetcher.rb
@@ -22,7 +22,21 @@ def upload_pack
 def tags
 return [] unless upload_pack
- @tags ||= tags_for_upload_pack
+ @tags ||= tags_for_upload_pack.map do |ref|
+ OpenStruct.new(
+ name: ref.name,
+ tag_sha: ref.ref_sha,
+ commit_sha: ref.commit_sha
+ )
+ end
+ end
+
+ def tags_for_upload_pack
+ @tags_for_upload_pack ||= refs_for_upload_pack.select { |ref| ref.ref_type == :tag }
+ end
+
+ def refs_for_upload_pack
+ @refs_for_upload_pack ||= parse_refs_for_upload_pack
 end
 def ref_names
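Review bot: The new `allowed_versions(local_tags)` names its parameter after the `local_tags` method defined further down in this same commit, so inside the body `local_tags.` refers to the argument while every other method in the class uses `local_tags` for the fetcher-backed method; a reader skimming the extracted helper will assume it ignores its argument. Renaming the parameter — `def allowed_versions(refs)` and `refs.` on the line under `tags =` — removes the shadowing, and since the helper is now fed branch refs as well as tags via `allowed_version_refs`, the local `tags` could be renamed along with it.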
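Review bot: `handle_tag_prefix` is now applied to `local_refs` as well, so when the dependency's ref starts with `tags/` every branch ref also gets its name rewritten to `tags/<name>`; whether that is harmless depends on whether `local_refs` is ever consulted for a `tags/` pin, which this hunk does not show (the body of `handle_tag_prefix` continues past it). If it is intentional, a comment on `local_refs` such as `# NOTE: branch refs get the tags/ prefix too when the pinned ref uses that prefix` would keep the next reader from flagging it; if it is not, the prefixing inside `handle_tag_prefix` could be limited to refs whose `ref_type == :tag`.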
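Review bot: `tags` keeps its `return [] unless upload_pack` guard, but `tags_for_upload_pack` and `refs_for_upload_pack` are now public and `GitCommitChecker#local_tags` / `#local_refs` call them directly, so that guard no longer covers the path the checker actually uses; unless `parse_refs_for_upload_pack` copes with a nil `upload_pack` on its own (its body is not in this hunk), the guard belongs in `refs_for_upload_pack`, with `return [] unless upload_pack` as its first line. A short comment on `tags` would also help, since it now exposes the same refs as `tags_for_upload_pack` under a different attribute name: `# Legacy shape: same refs as tags_for_upload_pack, with ref_sha exposed as tag_sha.`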
@@ -108,22 +122,6 @@ def fetch_raw_upload_pack_with_git_for(uri)
 end
 end
- def tags_for_upload_pack
- refs_for_upload_pack.
- select { |ref| ref.ref_type == :tag }.
- map do |ref|
- OpenStruct.new(
- name: ref.name,
- tag_sha: ref.ref_sha,
- commit_sha: ref.commit_sha
- )
- end
- end
-
- def refs_for_upload_pack
- @refs_for_upload_pack ||= parse_refs_for_upload_pack
- end
-
 def parse_refs_for_upload_pack
 peeled_lines = []
diff --git a/common/spec/dependabot/git_commit_checker_spec.rb b/common/spec/dependabot/git_commit_checker_spec.rb
index ef81b9c3c2..35ffe3a867 100644
--- a/common/spec/dependabot/git_commit_checker_spec.rb
+++ b/common/spec/dependabot/git_commit_checker_spec.rb
@@ -1145,6 +1145,91 @@ end end + describe "#local_ref_for_latest_version_matching_existing_precision" do + subject { checker.local_ref_for_latest_version_matching_existing_precision } + let(:repo_url) { "https://github.com/gocardless/business.git" } + let(:service_pack_url) { repo_url + "/info/refs?service=git-upload-pack" } + before do + stub_request(:get, service_pack_url). + to_return( + status: 200, + body: fixture("git", "upload_packs", upload_pack_fixture), + headers: { + "content-type" => "application/x-git-upload-pack-advertisement" + } + ) + end + + context "with no tags, nor version branches" do + let(:upload_pack_fixture) { "no_tags" } + it { is_expected.to be_nil } + end + + context "with no version tags nor version branches" do + let(:upload_pack_fixture) { "no_versions" } + it { is_expected.to be_nil } + end + + context "with version tags, and some version branches not matching pinned schema" do + let(:upload_pack_fixture) { "actions-checkout" } + let(:version) { "1.1.1" } + + let(:source) do + { + type: "git", + url: "https://github.com/gocardless/business", + branch: "master", + ref: "v#{version}" + } + end + + let(:latest_patch) do + { + commit_sha: "5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f", + tag: "v2.3.4", + tag_sha: anything, + version: anything + } + end + + it { is_expected.to match(latest_patch) } + end + + context "with tags for minor versions and branches for major versions" do + let(:upload_pack_fixture) { "run-vcpkg" } + + context "when pinned to a major" do + let(:version) { "7" } + + let(:latest_major_branch) do + { + commit_sha: "831e6cd560cc8688a4967c5766e4215afbd196d9", + tag: "v10", + tag_sha: anything, + version: anything + } + end + + it { is_expected.to match(latest_major_branch) } + end + + context "when pinned to a minor" do + let(:version) { "7.0" } + + let(:latest_minor_tag) do + { + commit_sha: "831e6cd560cc8688a4967c5766e4215afbd196d9", + tag: "v10.6", + tag_sha: anything, + version: anything + } + end + + it { 
is_expected.to match(latest_minor_tag) } + end + end + end + describe "#local_tag_for_pinned_version" do subject { checker.local_tag_for_pinned_version } 
diff --git a/common/spec/fixtures/git/upload_packs/run-vcpkg b/common/spec/fixtures/git/upload_packs/run-vcpkg new file mode 100644 index 0000000000000000000000000000000000000000..81b8f0e5f2e351eeaa27f9e0faa0c4dad39d5ea0 GIT binary patch literal 8649 zcmbW6-ELjEk%i|vPa$Bg)h1c|4bT?@BtYK6;7`$3B1?uPJILGT<2n0C+?|_f(g<31 zt2W7E)mp0-jj{T_cQ5+m*F)FezdXF&|NQ>=T*v+Q+W+w;L`bf4=>Ee0}&#{N3xTp`C1c+_!s`SAVg!}og@vG?rhpY`eW`0F29``6kY_52_C{CIxS zyO)1``=Rsqb+AA4!^@|yTF1+$Z}s8nZazG|>W{nU_IK^C_w)J3xBB|~TH>yL(Wlpy z&QJXR>(6%oCD@TeE=`IEdG(rNvawEIV~H*YZ*p?#s_8Yy8YLDhCN(j4+p0rxyI`tIp~fWcysY`{vU2m*hLGxT-Ns~u z9`h=GsL#Z!OFoq9Q=6w~cR4S=Sc084_Y|zj(%l^0mO?FPow+q)o9H=oRi3ojotN2F zj5mFlX>#Z#88(w=_C;ImP0Ki^%3nf938ohxy@?};#Mx8wBGZM~vz1o-6fpq7o~m#O zbtY8bhEiE$%;Ige#?2OtIHT3pN@HXv=T%o(N(+Hvo>Zk~wRxn`LbOrEg`q*6b-p<> zq@7kxgnBb#OSwl;YMdMk=+da8Fk7~3)2%t6E2L}a_n(iCpRAEflV9Q~qR=w8;Af~# zT9g1J)f+h$!#pkU6Q()n%dxG1hwAvJhE}VOOu*U@!>r_H{;Y#?Ux<%x;P?(>F4&r}gbE z9QYW83ogDk0AE$6pM7xfSX@&HK&K^#_9*Xb`mA}6FLn`wEhAcz?tLw@n_+utd3rSf zRCDUfQ7=dQwth_6(Hy}eM(6nTsW_vZ~K=?otBunvREzO01#WCf=7=ar1V-dG~%4!uYWs! 
zh=U9Xgpz@B->v1ebW@)`B@kV#;bP)x`)<3w#`!YX5CDGiJV$~~ikm6h=;(n|7LKIT z^}DV56P3153WOrt)!JEWssY5ZN;X3DHrn=w^|$mzy3>KLKn!r+`veT&x{zr-@QeS- zcTGC@=$d|)Zs`N0vQc4)kW-fuO)6v*z$&dJ04#YoT5UIUKH|$Qp1TVa9VOh#o^2My7ZpEd zDgltE=V4^pQrW|V)DlYJy!@7aAWCB?*>@#L>k}hTI}K*#GtCy00s3^{=JoiprO(GS z(GhClwq~?*?bhkAz>ju_E)GseBcArZrLSb|9o=I9SX$j%Eum3RYFw8z0c0=i?F7Et z_5sSSHYLkaHko1!nC*O>O7i*wP-j*d@5}oQJ8OXNwX@~L%KWQ=IuZ0rU;-DBsN+0m zIK^+(*Gh5#T^PkQ`VO?uNH{Ci3MA&N(cz`G^Y*vnhk#(|D58XB$|$Sm2VXD&MDCss zG&s+qPcLM7P5-uidd0-bjm=r$i|TuHaU?irc*KzLwVP1lsrSQHJ*M)j-uEIA60o&o zR^$^fR<$!Z0|5z)a$0^nez52zeqRkR2TBO71l1UdvStTk2ledi5M$Tv#|^uo=?TU6 zE`vPrCln3HiOgk$FsMlMFD-n+?zmll17m{+^QpdqwgTyNAW8uO=!`Fqs7gof`;S}x z26?ZhPD}B1NZlDU5i|;i6-NWnMUKBboj-2p|Cppc&cAif#{~Wnzm<<)^9p=z zvx7F$>{Vxs4hb}B^R&W#{68v%F?8fyf+B_Ch3qq^yoc}1gNzf< z-%Zo$Ql`D;8rmGpGDI4egnKb3?0Db2=7PGJ)np3P(!Dh}xSM|N0i_(_k={_rd+)sQ z7F0VCqM@*k>xBg!3P=!67Vt_=xYJx9<6ZT*x5`8GWN8_32AS-cgBJ6e6z^em>KFJ3TvE zS;hdBA%np+R4my` zCGBeIovuh-???r<2`z9_v-?^pF^UZlj^JUc8c50g-efCTWO5#b;Q-5H$u#!K9ZDvJ zwJ_}fcZF~4XWx$AMK5!|#N1ck`b{k)lRKqv zDYEHc8n~syneZRN5ei2<^c^bSiI%EC$+CZhaYq`Zm)rzC-J7xw|jf&m85U^jLLy6_Hka00n^DKDYLwk2}y40R~miPS*=qS)AxU_Xg~R%G5>en8DCMv!VO;s(C*-S~ib3fN18RN`s~u za(8t!6tW_(5GZSQGAs{c>; z)-WUZv`{utJr#LWm1&{i`T%t(Bc<&o9@yUO>5bh1y2dtjgy}3gKOhSNW?6NOKXM(o zL~Szq>^PY=kT!uYSj?em!KRM=FbY>DXcU8P@qM6d82Glczei7qxAN;V8`E(?7>kg( za1N|8LctB0x$=cwndU9=wn&gJ9&UE<3ld8fM7Sljg>ekm%~n3OFTT|rMnXh-LaI5@ zl#rp0QVj@;sAbGAlpM-+zqkC3a}!W!XrOISa*khE&-% z+SH?bm#T&1yk;5*jSJIY8KMx>v;S@LWjnjWEi-hRSjKT>J_F%a(*ciIDyEg;0_eS` zu54%T5Wg@%SB|`fI^-?9j#OhH0A`YI*ETsxz;=lT|QfUNK`ZVVMe^Au#y-mYcqSDYdMu24C{dR9$10nwvz zCs&4)hwUiZeoEbY)%6LAF}+Z~*e^=o5vggx?hi@ms%<72MuTkLgVyd{P`GLHUf4AKK6Puiq` zP|!Wz8$?sb0q(cpi^qw6FdoealQAt~TGFHzHSBOz`W!w99Ekz;hXY?s&YqABi#q@n z%uvUzVS21-6dAJIEI0}i$Speu@|2cV|8_M)?ge$4WW*XDrssh zh5^u^&AKR(>>Rs{PRJ{vFR6yfWQXMS36lh5K(%nUxImRwSx)FVHeX_4YGs;3_o6&F z9+DqxAVEy1Esg;*Qzm)<%5Bf(5}Rypw4~2CB{;n7ZdC7ZBpV*~#AP&04uH$Pu04vf 
zGZZYK1Fx4ofMzQ&4^I^X=Ys*y_N*!0%+>3<_G+D@4?PYb=z&?DuwgJMnXRQNj*7=d zu9yrH-Fja4T36U0R0llEe4=$FncP^e2jK}B!bp`XyMh00-D_Qa?498jd#S6jK8oKy zFwbLL=|VIt3y2{+pq$DYcxUaW+OS6lkB_}H919;04Lna^LL!a9I!t3;Y1T6nOof+j zN<+0E8}M@v)O`!Sq-zYca7+!_Wq@R;06`gnQD5-{ z9whA2i64B4dRzJ0iiqA8i?KY^(G~Q6$2;^5-y=+t4WH*R|MF#u> zgzzF)FnbNeK8kSp_;2IX#_lNVkG%+8H|>7AmbG$Apaw#a7Yfu3V-FtDaxpV66v$!h z(jM*Up5)jwRyc~=^2Cd2w5o*!FvqOxvJ>Ruv}-s#wXqy~MsVU{$(rs^pdOv~@K?b?dWXiTH{kxa|A@Y1)$4|l^80bUm)16s@vb2_g- z&ik=9u3S<{Pi^yaDjM#E66`M<9aa)Wq?&XXEgok$L?3pn)gPA4t!D=E*QDx~ud0oKLxm zM_qmFpixO?3pd;1?<;`pE9eZykyGqSPbso4%6wDtH{ufUcky(191g6 zu|u&SkrV47(M1bn-RAl0y6IMv2plXF9;nDKh9eI?^fE@yf-o$62kauXkMZCZd#%aR z5yA^%7y>O#Z?O;Xz@!#TH-r9VHgu%!yyt68ve9aJ4lX=<@d}GUjvz%a=RZ}n+>{B$4vKkuIB z>;2Hjw|e*btv)_J|LcyA{?MoU*N3OBw?8~RzukU((Z~As@JsKWp6`FWJb!)B*Vj9K z_wgqiyw$IF@4Npo^sPQT>bSdn`2OwT$32_ad(QN)`t)}E^^4a2t+q!!|3^MQo}cvY z_5Z%V==^~H+=`sJI}@%rU^eR#T?507v9a`)W+q5bWCKEHggZ@;fC?&?>4dRyWA z!av`Bw)?NMhgjejMPQM-C$_^D@^WqMztn7eJ)p})TTN`E{( z54CZ9MY>N#bL?VWi>65SDXQxsNuJKT8nelL__2TGAJ6TN*SGri^OaA?_>Ysj9b{d9 zEpBF{>ZaA~HP+VWG|{LUsa|!aUR!H3_*nP-f0@hDXiRaX%$PJ=(|a=|i#K)D;Z5L& zKDB6&(^9*ZcJYx7=hWnb)mp-gMoQ8UTNU3;T%jB>pO;>?)gC%WO+%yd6FXKHW*Q;1 z*j+G{x~?&a`_tOrE;~1GZ3w9j*KJIOWOlFOhtd&^z;m8beQNWx+FkC;FP31Z%{>Kc zvUE2`x1~@ET4!#JwN3QAR4z+rcV1>!G2ZlHrpcj~WH?No*%xiKH!b5FDt}ozN-(|n z=m|;?iL^LFU=0%as)@XhZsp#Py5H)dYL&| z7oDUywUygb?)^GdAlpW0xO!Q-#8LJz_khDiP z`j|7iT&bWV^T&F(?Ju#<+^fx2sdZqGzNYYPVt1)7CPL`_DSdWJe+Y)u8O>b1ikcRB z4g@5oktu;vT%~Wr(PhW}@8S0bI%}ne4716)C9{9z7<+~;wd~^-JOSkX=QrW1mMaZe6H%ux-6u2m@ zB>*gWH(G5sbUxOX+j?>rC^|~Gsn-xz51Ce1!6;NoNl5}9JW-0-Yr{`g0+EO{ggw#@$c;0>sKM&KVvt zWPI%=lz8g>uvL$#{Hpi8NQ4AzEtwtp1dLVfOwK?+0;8O^->x4ldWqjx1I&RELMuTv zhN7(5!Pr4PCp*O0_4ska?ljtj;(M1tocI%p2IS1iW%?2onQWwmPuLx|^fxdzcrc&p zD`+c_P6whCAb`&JGDCvWk^A}M7QaEvAE22BKw!ePbHKy;DgFHiT6+x8k#Y>M*G#~>4iN2@B7O%q1h@3tWs#xDILPn6mu?t@vA@#*=JyRU%pchI!=Ip zH%+HaQ%5#5#5tg4SZQ1m5@Sx_@lpJm3-V@Glc`Wk`_|wfZyLG>q;iBvdP64f&GSxN zaP35ihQdCs7dCWAAVE1<&?`A1sky+$yX`-2$G>m|NBOt>4tbGPzUwmLi)D 
zssXqUF-)e3nmyqgVWd@=)y$ zn4F%*km4WboK}PpLyp6rLcKBL0=CZWSC3odq=0FI78xCRADAp+0p(|9kS^19351S8 zYYY4bNioJw)FnfJV>S-W_Xg~R%GgEin8DOQvmyNUs`?d)kos{haOtzky+ zX`yVQdMf&;D&s=I_5tdUM$l)U#me67>7CvIy2deegy}3oKcEXj6AYKeA4vx`QJc&@ zJ5Htzq)p%p7I$b`u&Luej6%u;kzx=oz7M1g6W@0CkJUJojIzEgO7GYp%th#2I0sf4 zp3~N(6@ww{0_eSmu55Sj z5Wg@&SFXIKI`l2Pj#gtL0A`Y-{&Rpp|fY*s3mINbKEaVGX2k8Ng z{qS4Og6^{n($4JdN#DW_kQH9Wj-g^`o`USz+qG={id6)_6)FeUn_UxDK=g=Q{M@DG zVLOVppF;Ohb$x({~P2z$isw)SFEj?dY$?`y9cV=gi65pncSW0D>qdD12ggo5rd z-yoVg4sgFMzL=co2jkIfrO)A$z>zp$f4cC+}zhq@QZK*3Z^qgcBW`_Yask+QOqA~Bt1Ccw)Wz4 zLVwbR!{AiJ8-;?-bljZ@D7K!!c{I4LA%Vlk{xzUn7W0f%LaJo^w!;);6*b|%4FgXA&`@Z%l%Fa-* zfDXJ~{s5Y-z&yNF46F|(JlnITbaPj)``W8_jz08QfS?C%dBTUmrDV94s#q!>AGzW( zOmypc-)mjrgHRptEc1!h6=Y&#Ne{vkGK7&TDZ7FHZQpBMeeR**w)Rq2V|^6Eec+zQ zxWa{KSRN2lctAOoHSx~cPqkr>4j!L-YB)AF*J$xRfeVQ=2J3K*Wl??2Fx5zm)D6{w zY{1YxQ1^ZDC0t{mg=1=<2I0W~;YF!4os}uL_^4hc5(+jQv)udQOS~|@(4Xi*O%wnL#Q)J++h1a^J zU&swMKYkUeA35cRIo;PE_x;>E)^%Th-1l=2S=Y7U*jLchWqD#aRH$|jOf5&3ac`N8 z2rq^nJpEIw;w?v9l#byI(_IS8w@x#yCm3j^W2~_dO>yeOcssLk_{bv z@DAieEguU1w)R?+rK4rn11@u%rRgmW05+D?f^TM!u#9(((4EhGtw|30iRZ@Kz6-F7 H`OCinu)l9P literal 0 HcmV?d00001 From 181abaff4eab94e529236e57e3ac81d339e9e550 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Rodr=C3=ADguez?= Date: Wed, 16 Nov 2022 15:13:24 +0100 Subject: [PATCH 4/4] Limit change in `GitCommitChecker#pinned?` to Actions --- common/lib/dependabot/git_commit_checker.rb | 8 +++++--- .../lib/dependabot/github_actions/update_checker.rb | 3 ++- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/common/lib/dependabot/git_commit_checker.rb b/common/lib/dependabot/git_commit_checker.rb index f24826ca7a..ddf4135447 100644 --- a/common/lib/dependabot/git_commit_checker.rb +++ b/common/lib/dependabot/git_commit_checker.rb 
@@ -23,13 +23,15 @@ class GitCommitChecker
 def initialize(dependency:, credentials:, ignored_versions: [], raise_on_ignored: false,
- requirement_class: nil, version_class: nil)
+ requirement_class: nil, version_class: nil,
+ consider_version_branches_pinned: false)
 @dependency = dependency
 @credentials = credentials
 @ignored_versions = ignored_versions
 @raise_on_ignored = raise_on_ignored
 @requirement_class = requirement_class
 @version_class = version_class
+ @consider_version_branches_pinned = consider_version_branches_pinned
 end
 def git_dependency?
@@ -55,8 +57,8 @@ def pinned?
 # Assume we're pinned unless the specified `ref` is actually a branch
 return true unless local_upload_pack.match?(%r{ refs/heads/#{ref}$})
- # If the specified `ref` is actually a branch, we're pinned if the branch looks like a version
- version_tag?(ref)
+ # TODO: Research whether considering branches that look like versions pinned makes sense for all ecosystems
+ @consider_version_branches_pinned && version_tag?(ref)
 end
 def pinned_ref_looks_like_version?
diff --git a/github_actions/lib/dependabot/github_actions/update_checker.rb b/github_actions/lib/dependabot/github_actions/update_checker.rb
index 4568ea3fc4..e1974fe911 100644
--- a/github_actions/lib/dependabot/github_actions/update_checker.rb
+++ b/github_actions/lib/dependabot/github_actions/update_checker.rb
@@ -176,7 +176,8 @@ def git_commit_checker
 dependency: dependency,
 credentials: credentials,
 ignored_versions: ignored_versions,
- raise_on_ignored: raise_on_ignored
+ raise_on_ignored: raise_on_ignored,
+ consider_version_branches_pinned: true
 )
 end
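Review bot: The new `consider_version_branches_pinned:` keyword is undocumented, and its effect — read only in `pinned?`, where a ref that is a branch but satisfies `version_tag?` then counts as pinned — is not guessable from the name alone. A comment above `initialize` such as `# consider_version_branches_pinned: treat a ref that is a branch but looks like a version (e.g. "v7") as pinned; currently enabled only by the GitHub Actions update checker` would help, and the TODO in the `pinned?` hunk could name this option so the two stay linked. The update_checker hunk passes `true` with no explanation; a trailing comment there, `# see GitCommitChecker#pinned?: branches named like versions (e.g. v7) count as pinned for actions`, would tie it back to the commit message.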