
Fix github actions cooldown bypass for SHA-pinned refs#14667

Open
albrektsson wants to merge 3 commits into dependabot:main from albrektsson:fix/github-actions-cooldown-bypass

Conversation

@albrektsson

@albrektsson albrektsson commented Apr 9, 2026

What are you trying to accomplish?

Fix a cooldown bypass for GitHub Actions dependencies pinned to commit SHAs that do not resolve to a semver version.

For SHA-pinned actions, cooldown could filter out the newest candidate while the ref update path still proposed a new commit. As a result, Dependabot could still treat the dependency as updateable even though it should have been held back by cooldown.

This change makes updated_ref honor the cooldown-filtered result before proposing a new ref.

Anything you want to highlight for special attention from reviewers?

The fix is placed in updated_ref, since that is the method responsible for deciding whether a ref update should be proposed.

How will you know you've accomplished your goal?

I added a regression spec, "does not suggest an update when the latest commit is within the cooldown window", covering a SHA-pinned GitHub Action with cooldown enabled. The test fails without the fix and passes with it.

I also ran the full github_actions test suite:

  • bundle exec rspec
  • 233 examples, 0 failures

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

@albrektsson albrektsson requested a review from a team as a code owner April 9, 2026 07:42
Copilot AI review requested due to automatic review settings April 9, 2026 07:42
@github-actions github-actions bot added the L: github:actions GitHub Actions label Apr 9, 2026

Copilot AI left a comment


Pull request overview

Fixes a cooldown bypass in the github_actions ecosystem where SHA-pinned GitHub Actions could still propose a ref update even when the newest candidate was filtered out by release cooldown.

Changes:

  • Update UpdateChecker#updated_ref to honor the cooldown-filtered latest_version result before proposing an updated commit SHA.
  • Add a regression spec ensuring can_update? is false when the latest commit falls within the cooldown window for SHA-pinned actions.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File: github_actions/lib/dependabot/github_actions/update_checker.rb
Description: Ensures SHA ref updates are blocked when cooldown would keep the dependency at the pinned SHA.

File: github_actions/spec/dependabot/github_actions/update_checker_spec.rb
Description: Adds regression coverage for the cooldown + SHA-pinned can_update? behavior.


Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

@albrektsson

The bug we saw in a dependabot workflow:
updater | 2026/04/08 04:02:57 INFO <job_1312506416> Days since release : 0 (cooldown days 3)
2026/04/08 04:02:57 INFO <job_1312506416> Filtered out (cooldown) nais/docker-build-push, 45d352fb62fb52ccb5ff6cba22c047fa02b35321

but then at the end of said job:

| created | nais/docker-build-push ( from 078e460885ed0424b60d45ce9220b4be1748be9d to 45d352fb62fb52ccb5ff6cba22c047fa02b35321 ) |
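The bypass this thread describes, as an added toy model in Ruby. This is not Dependabot's own update_checker code: the method names, the Candidate shape and the pinned commit's release date are assumptions made for illustration; the two SHAs and the 3-day cooldown are taken from the job log quoted above. It shows the pre-fix path proposing the newer SHA even though the cooldown filter has already held it back, and the fixed path returning nil until the cooldown window has elapsed.

```ruby
require "date"

# Added, simplified model of the cooldown decision for a SHA-pinned GitHub
# Action. Names and data shapes are assumptions for illustration; this is
# not Dependabot's own update_checker code.
Candidate = Struct.new(:sha, :released_at, keyword_init: true)

# Sample data constructed from the job log in the thread: the pinned SHA,
# a newer commit released on the job date, and a 3-day cooldown.
TODAY = Date.new(2026, 4, 8)
PINNED_SHA = "078e460885ed0424b60d45ce9220b4be1748be9d"
NEW_SHA = "45d352fb62fb52ccb5ff6cba22c047fa02b35321"
SAMPLE_CANDIDATES = [
  Candidate.new(sha: PINNED_SHA, released_at: Date.new(2026, 3, 1)), # assumed date
  Candidate.new(sha: NEW_SHA, released_at: TODAY)
].freeze

# Cooldown filter: the newest commit published at least cooldown_days ago,
# or nil when every commit is still inside the window.
def cooldown_filtered_latest(candidates, cooldown_days:, today:)
  candidates
    .sort_by(&:released_at)
    .reverse
    .find { |c| (today - c.released_at).to_i >= cooldown_days }
end

# Bypass as described in the PR: the ref update path looks at the raw newest
# commit and never consults the cooldown-filtered result.
def updated_ref_before_fix(pinned_sha, candidates)
  newest = candidates.max_by(&:released_at)
  newest.sha == pinned_sha ? nil : newest.sha
end

# Fixed shape: only propose a ref when the cooldown-filtered latest commit
# differs from the pinned one; otherwise hold the dependency back.
def updated_ref_after_fix(pinned_sha, candidates, cooldown_days:, today:)
  latest = cooldown_filtered_latest(candidates, cooldown_days: cooldown_days, today: today)
  return nil if latest.nil? || latest.sha == pinned_sha

  latest.sha
end

# In this model can_update? is simply "is there a ref to propose?", which is
# what the regression spec in the PR asserts on.
def can_update_after_fix?(pinned_sha, candidates, cooldown_days:, today:)
  !updated_ref_after_fix(pinned_sha, candidates, cooldown_days: cooldown_days, today: today).nil?
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix: #{updated_ref_before_fix(PINNED_SHA, SAMPLE_CANDIDATES).inspect}"
  puts "after fix:  #{updated_ref_after_fix(PINNED_SHA, SAMPLE_CANDIDATES, cooldown_days: 3, today: TODAY).inspect}"
end
```

Run directly, the script prints the newer SHA for the pre-fix path and nil for the fixed path on the job date; advancing `today` by three days makes the fixed path propose the same SHA, which is the behaviour the cooldown setting is meant to produce.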
