20 changes: 16 additions & 4 deletions github_actions/lib/dependabot/github_actions/update_checker.rb
Expand Up @@ -156,16 +156,28 @@ def updated_ref(source)
return new_tag.fetch(:tag)
end

# Return the pinned git commit if one is available
if source_git_commit_checker.pinned_ref_looks_like_commit_sha? &&
(new_commit_sha = latest_commit_sha(source_git_commit_checker))
return new_commit_sha
if source_git_commit_checker.pinned_ref_looks_like_commit_sha?
return updated_pinned_commit_sha_respecting_cooldown(source, source_git_commit_checker)
end

# Otherwise we can't update the ref
nil
end

sig do
params(
source: T.nilable(T::Hash[Symbol, String]),
source_checker: Dependabot::GitCommitChecker
).returns(T.nilable(String))
end
def updated_pinned_commit_sha_respecting_cooldown(source, source_checker)
cooled_down_version = latest_version
pinned_ref = source&.fetch(:ref)
return nil if cooled_down_version.is_a?(String) && cooled_down_version == pinned_ref

latest_commit_sha(source_checker)
end

sig { params(source_checker: Dependabot::GitCommitChecker).returns(T.nilable(String)) }
def latest_commit_sha(source_checker)
new_tag = T.must(latest_version_finder).latest_version_tag
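Review bot: The cooldown guard in `updated_pinned_commit_sha_respecting_cooldown` only suppresses the update when `latest_version` is a String equal to the pinned ref; in every other case it falls through to `latest_commit_sha(source_checker)`, whose result is not compared against the cooldown window in the visible lines. If `latest_version` can return an older commit that has already cleared cooldown (its body is outside this hunk, so this is inferred), the method would still hand back the newest SHA, which defeats the delay cooldown is meant to impose on freshly pushed, possibly compromised commits. Consider documenting the contract above the method, e.g. `# Returns nil when cooldown leaves latest_version at the pinned SHA; otherwise the newest commit SHA`, and confirming that `latest_commit_sha` itself honours cooldown. Separately, `source&.fetch(:ref)` raises `KeyError` when the hash has no `:ref`; `source&.fetch(:ref, nil)` keeps the nil-tolerant intent of the `&.`. The body of `latest_commit_sha` continues past the end of the hunk.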
Expand Up @@ -235,6 +235,26 @@
end
end
end

context "when pinned to an out of date commit in the default branch with cooldown enabled" do
let(:upload_pack_fixture) { "github-action-push-to-another-repository" }
let(:dependency_name) { "dependabot-fixtures/github-action-push-to-another-repository" }
let(:dependency_version) { nil }
let(:reference) { "f4b9c90516ad3bdcfdc6f4fcf8ba937d0bd40465" }
let(:update_cooldown) do
Dependabot::Package::ReleaseCooldownOptions.new(default_days: 90)
end

before do
allow(Time).to receive(:now).and_return(Time.parse("2022-09-07 23:33:35 +0100"))
allow(Dependabot::Experiments).to receive(:enabled?)
.with(:enable_shared_helpers_command_timeout).and_return(true)
end

it "does not suggest an update when the latest commit is within the cooldown window" do
expect(can_update).to be_falsey
end
end
end

describe "#latest_version" do
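Review bot: The new context asserts only the blocked case (`expect(can_update).to be_falsey`), so a regression that makes the cooldown branch return nil for every SHA-pinned action would still pass. A sibling example with the same fixture and the clock stubbed beyond the 90-day window, expecting `can_update` to be truthy, would pin both sides of the boundary. The `enable_shared_helpers_command_timeout` stub does not look related to cooldown from the visible lines; if the fixture needs it, a short comment such as `# required by the git metadata fetch, not by cooldown` would say why it is there.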