diff --git a/github_actions/lib/dependabot/github_actions/update_checker.rb b/github_actions/lib/dependabot/github_actions/update_checker.rb
index 6b9b5e40c5..a44d0e16ee 100644
--- a/github_actions/lib/dependabot/github_actions/update_checker.rb
+++ b/github_actions/lib/dependabot/github_actions/update_checker.rb
@@ -156,16 +156,28 @@ def updated_ref(source)
         return new_tag.fetch(:tag)
       end
 
-      # Return the pinned git commit if one is available
-      if source_git_commit_checker.pinned_ref_looks_like_commit_sha? &&
-         (new_commit_sha = latest_commit_sha(source_git_commit_checker))
-        return new_commit_sha
+      if source_git_commit_checker.pinned_ref_looks_like_commit_sha?
+        return updated_pinned_commit_sha_respecting_cooldown(source, source_git_commit_checker)
       end
 
       # Otherwise we can't update the ref
       nil
     end
 
+    sig do
+      params(
+        source: T.nilable(T::Hash[Symbol, String]),
+        source_checker: Dependabot::GitCommitChecker
+      ).returns(T.nilable(String))
+    end
+    def updated_pinned_commit_sha_respecting_cooldown(source, source_checker)
+      cooled_down_version = latest_version
+      pinned_ref = source&.fetch(:ref)
+      return nil if cooled_down_version.is_a?(String) && cooled_down_version == pinned_ref
+
+      latest_commit_sha(source_checker)
+    end
+
     sig { params(source_checker: Dependabot::GitCommitChecker).returns(T.nilable(String)) }
     def latest_commit_sha(source_checker)
       new_tag = T.must(latest_version_finder).latest_version_tag
diff --git a/github_actions/spec/dependabot/github_actions/update_checker_spec.rb b/github_actions/spec/dependabot/github_actions/update_checker_spec.rb
index 5159ea677a..f2cc004979 100644
--- a/github_actions/spec/dependabot/github_actions/update_checker_spec.rb
+++ b/github_actions/spec/dependabot/github_actions/update_checker_spec.rb
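Review bot: The new `updated_pinned_commit_sha_respecting_cooldown` carries no comment, and its `return nil if cooled_down_version.is_a?(String) && ...` guard is only meaningful if the reader knows that `latest_version` is the cooldown-aware value; when `latest_version` is not a String (presumably a version object, or nil) the method falls straight through to `latest_commit_sha(source_checker)`, which from the visible lines does not consult the cooldown at all, so whether that fall-through still honours the cooldown should be stated or guarded. I would add, above the `sig do`, a comment such as `# latest_version already applies the release cooldown; if it resolves to the SHA we are pinned to, nothing newer is outside the window, so no update is offered.` The removed `# Return the pinned git commit if one is available` comment could also be carried over onto the `if` in updated_ref so the intent of the branch survives the refactor. Note also that `source&.fetch(:ref)` raises KeyError when `:ref` is absent; if the `pinned_ref_looks_like_commit_sha?` check is what guarantees the key exists, a short comment saying so would save the next reader from adding a default. updated_ref starts before this hunk.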
@@ -235,6 +235,26 @@ end end end + + context "when pinned to an out of date commit in the default branch with cooldown enabled" do + let(:upload_pack_fixture) { "github-action-push-to-another-repository" } + let(:dependency_name) { "dependabot-fixtures/github-action-push-to-another-repository" } + let(:dependency_version) { nil } + let(:reference) { "f4b9c90516ad3bdcfdc6f4fcf8ba937d0bd40465" } + let(:update_cooldown) do + Dependabot::Package::ReleaseCooldownOptions.new(default_days: 90) + end + + before do + allow(Time).to receive(:now).and_return(Time.parse("2022-09-07 23:33:35 +0100")) + allow(Dependabot::Experiments).to receive(:enabled?) + .with(:enable_shared_helpers_command_timeout).and_return(true) + end + + it "does not suggest an update when the latest commit is within the cooldown window" do + expect(can_update).to be_falsey + end + end end describe "#latest_version" do
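Review bot: The new context only asserts the negative case (`expect(can_update).to be_falsey` with `Time.now` frozen inside the 90-day window), so an implementation that unconditionally returns nil from the cooldown path would pass this spec unnoticed. A sibling example that moves the stubbed clock past the cooldown and expects `can_update` to be truthy, with the updated ref resolving to the newer SHA, would pin the behaviour the commit actually introduces. The `Time.parse` call also relies on `require "time"` being loaded by the spec helper, which I cannot confirm from this hunk.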