Merge pull request #7430 from dependabot/deivid-rodriguez/proper-pref…

…ix-match

Ignore tags not matching prefix, when workflow is pinned to SHAs

common/lib/dependabot/git_commit_checker.rb

@@ -40,7 +40,6 @@ def git_dependency?
     def pinned?
       raise "Not a git dependency!" unless git_dependency?
 
-      ref = dependency_source_details.fetch(:ref)
       branch = dependency_source_details.fetch(:branch)
 
       return false if ref.nil?
@@ -61,16 +60,14 @@ def pinned?
     def pinned_ref_looks_like_version?
       return false unless pinned?
 
-      version_tag?(dependency_source_details.fetch(:ref))
+      version_tag?(ref)
     end
 
     def pinned_ref_looks_like_commit_sha?
-      ref = dependency_source_details.fetch(:ref)
       ref_looks_like_commit_sha?(ref)
     end
 
     def head_commit_for_pinned_ref
-      ref = dependency_source_details.fetch(:ref)
       local_repo_git_metadata_fetcher.head_commit_for_ref_sha(ref)
     end
 
@@ -144,15 +141,14 @@ def filter_lower_versions(tags)
     end
 
     def most_specific_tag_equivalent_to_pinned_ref
-      commit_sha = head_commit_for_local_branch(dependency_source_details.fetch(:ref))
+      commit_sha = head_commit_for_local_branch(ref)
       most_specific_version_tag_for_sha(commit_sha)
     end
 
     def local_tag_for_pinned_sha
-      return unless pinned_ref_looks_like_commit_sha?
+      return @local_tag_for_pinned_sha if defined?(@local_tag_for_pinned_sha)
 
-      commit_sha = dependency_source_details.fetch(:ref)
-      most_specific_version_tag_for_sha(commit_sha)
+      @local_tag_for_pinned_sha = most_specific_version_tag_for_sha(ref) if pinned_ref_looks_like_commit_sha?
     end
 
     def git_repo_reachable?
@@ -223,7 +219,7 @@ def pinned_ref_in_release?(version)
       return false unless tag
 
       commit_included_in_tag?(
-        commit: dependency_source_details.fetch(:ref),
+        commit: ref,
         tag: tag,
         allow_identical: true
       )
@@ -327,19 +323,30 @@ def bitbucket_commit_comparison_status(ref1, ref2)
     end
 
     def ref_or_branch
-      dependency_source_details.fetch(:ref) ||
-        dependency_source_details.fetch(:branch)
+      ref || dependency_source_details.fetch(:branch)
+    end
+
+    def ref
+      dependency_source_details.fetch(:ref)
     end
 
     def version_tag?(tag)
       tag.match?(VERSION_REGEX)
     end
 
     def matches_existing_prefix?(tag)
-      return true unless ref_or_branch&.match?(VERSION_REGEX)
+      return true unless ref_or_branch
+
+      if version_tag?(ref_or_branch)
+        same_prefix?(ref_or_branch, tag)
+      else
+        local_tag_for_pinned_sha.nil? || same_prefix?(local_tag_for_pinned_sha, tag)
+      end
+    end
 
-      ref_or_branch.gsub(VERSION_REGEX, "").gsub(/v$/i, "") ==
-        tag.gsub(VERSION_REGEX, "").gsub(/v$/i, "")
+    def same_prefix?(tag, other_tag)
+      tag.gsub(VERSION_REGEX, "").gsub(/v$/i, "") ==
+        other_tag.gsub(VERSION_REGEX, "").gsub(/v$/i, "")
     end
 
     def to_local_tag(tag)
@@ -417,7 +424,7 @@ def wants_prerelease?
       return false unless dependency_source_details&.fetch(:ref, nil)
       return false unless pinned_ref_looks_like_version?
 
-      version = version_from_ref(dependency_source_details.fetch(:ref))
+      version = version_from_ref(ref)
       version.prerelease?
     end
 

github_actions/spec/dependabot/github_actions/update_checker_spec.rb

@@ -385,6 +385,14 @@
 
         it { is_expected.to eq(Gem::Version.new("1.1.0")) }
       end
+
+      context "and there's a higher version tag, but one not matching the existing tag format" do
+        let(:upload_pack_fixture) { "codeql" }
+        let(:v2_3_6_tag_sha) { "83f0fe6c4988d98a455712a27f0255212bba9bd4" }
+        let(:reference) { v2_3_6_tag_sha }
+
+        it { is_expected.to eq(Gem::Version.new("2.3.6")) }
+      end
     end
 
     context "given a dependency with multiple git refs" do