Actions: improve semver support #3662

Merged
merged 10 commits into from
May 10, 2021
Conversation

@thepwagner thepwagner commented May 6, 2021

This improves the handling of GitHub Actions workflow files when the Action is fetched from a GitHub repository using semver-compatible tags, as suggested by Actions' best practices.

Our goal is to increase the likelihood that Dependency#version in the github_actions package manager is a valid semver tag. That is what allows the update types feature to derive relative versions.

Changes focus on the FileParser:

  • If the Action's referenced version is a semver string (e.g. uses: actions/checkout@v2.3.3), consider that the Dependency.version == "2.3.3"
  • If the Action's referenced version is a pinned commit (e.g. uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675), AND that commit corresponds to a valid semver tag, consider the tag to be Dependency.version == "2.3.3".
    Preferring full length commit SHA is another GitHub best practice that Dependabot should expect and encourage.
Pinned to a sha

Pre:

=== actions/checkout ()
 => checking for updates 1/1
 => latest available version is 2.3.4
 => latest allowed version is 2.3.4
 => requirements to unlock: own
 => requirements update strategy:
 => updating actions/checkout to 2.3.4

    ± .github/workflows/pinned.yaml
    ~~~
    7c7
    <     - uses: actions/checkout@aabbfeb2ce60b5bd82389903509092c4648a9713
    ---
    >     - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
    ~~~

Post:

=== actions/checkout (2.2.0)
 => checking for updates 1/1
 => latest available version is 2.3.4
 => latest allowed version is 2.3.4
 => requirements to unlock: own
 => requirements update strategy:
 => updating actions/checkout from 2.2.0 to 2.3.4

    ± .github/workflows/pinned.yaml
    ~~~
    7c7
    <     - uses: actions/checkout@aabbfeb2ce60b5bd82389903509092c4648a9713
    ---
    >     - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
    ~~~

Pinned to version

Pre:

=== actions/checkout ()
 => checking for updates 1/1
 => latest available version is 5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
 => latest allowed version is 5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
 => requirements to unlock: own
 => requirements update strategy:
 => updating actions/checkout to 5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f

    ± .github/workflows/pinned.yaml
    ~~~
    7c7
    <     - uses: actions/checkout@v2.2.0
    ---
    >     - uses: actions/checkout@v2.3.4
    ~~~

Post:

=== actions/checkout (2.2.0)
 => checking for updates 1/1
 => latest available version is 2.3.4
 => latest allowed version is 2.3.4
 => requirements to unlock: own
 => requirements update strategy:
 => updating actions/checkout from 2.2.0 to 2.3.4

    ± .github/workflows/pinned.yaml
    ~~~
    7c7
    <     - uses: actions/checkout@v2.2.0
    ---
    >     - uses: actions/checkout@v2.3.4
    ~~~
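The two parsing rules above and the update-types derivation they enable, as an added Ruby example that is not dependabot-core's own code. The tag table is constructed from the SHAs and versions shown in the dry-run output on this page (the "v"-prefixed tag names are assumed), and the `version-update:semver-*` strings are used only to illustrate the ignore-condition filter.

```ruby
require "rubygems"

# Tag-to-commit table constructed from the dry-run output in the PR description
# (tag names are assumed; the SHAs and the versions they map to appear on the page).
TAG_SHAS = {
  "v2.1.0" => "01aecccf739ca6ff86c0539fbc67a7a5007bbc81",
  "v2.1.1" => "86f86b36ef15e6570752e7175f451a512eac206b",
  "v2.2.0" => "aabbfeb2ce60b5bd82389903509092c4648a9713",
  "v2.3.4" => "5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f"
}.freeze

SEMVER_TAG = /\Av?(\d+)\.(\d+)\.(\d+)\z/
FULL_SHA   = /\A[0-9a-f]{40}\z/ # full-length SHA only, the pinning best practice

# Split the "owner/repo@ref" value of a `uses:` line into action name and ref.
def parse_uses(uses)
  uses.strip.split("@", 2)
end

# Semver string for Dependency#version: a "v"-stripped semver tag, or the semver
# tag that a full-length pinned commit SHA resolves to; nil when neither applies.
def version_for_ref(ref, tag_shas = TAG_SHAS)
  if (m = SEMVER_TAG.match(ref))
    return m[1..3].join(".")
  end
  return nil unless FULL_SHA.match?(ref)
  tag = tag_shas.key(ref)
  tag && version_for_ref(tag, tag_shas)
end

# Relative update type between two x.y.z versions, named as update-types does.
def update_type(current, candidate)
  c = current.split(".").map(&:to_i)
  n = candidate.split(".").map(&:to_i)
  return "version-update:semver-major" if n[0] != c[0]
  return "version-update:semver-minor" if n[1] != c[1]
  return "version-update:semver-patch" if n[2] != c[2]
  nil
end

# Highest candidate whose update type is not in the ignore list.
def latest_allowed(current, candidates, ignored_types)
  candidates.reject { |v| ignored_types.include?(update_type(current, v)) }
            .max_by { |v| Gem::Version.new(v) }
end

# Mirrors the second dry-run: pinned SHA 01aeccc... resolves to 2.1.0, and with
# semver-minor ignored the latest allowed update is 2.1.1 rather than 2.3.4.
name, ref = parse_uses("actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81")
current = version_for_ref(ref)
puts "#{name} (#{current}) -> #{latest_allowed(current, %w[2.1.1 2.2.0 2.3.4], ['version-update:semver-minor'])}"
```

A non-semver ref such as a branch name or an abbreviated SHA yields nil, which is the "()" shown in the Pre dry-runs.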

@thepwagner thepwagner self-assigned this May 6, 2021
@thepwagner thepwagner left a comment

Just a checkpoint as it's EOD for me, feedback welcome!

return false unless ref.match?(/^[0-9a-f]{6,40}$/)
return false unless ref&.match?(/^[0-9a-f]{6,40}$/)

return false unless pinned?
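Review bot: `return false unless ref&.match?(/^[0-9a-f]{6,40}$/)` accepts any 6-to-40-character hex string as a commit ref, while the description says full-length SHAs are the practice Dependabot should encourage; consider `\A[0-9a-f]{40}\z` (or at least a 7-character lower bound), and the `\A`/`\z` anchors in any case, since Ruby's `^` and `$` match at line boundaries rather than string ends. Keeping this cheap check ahead of `pinned?` is a sensible ordering.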
This is performance: pinned? "does things" - but a regexp check is local and free!

@thepwagner
A neat side effect of this change, Actions pinned to a commit SHA get a more clear PR title:

  • Pre: Bump actions/checkout from aabbfeb2ce60b5bd82389903509092c4648a9713 to 2.3.4
  • Post: Bump actions/checkout from 2.2.0 to 2.3.4

@thepwagner thepwagner marked this pull request as ready for review May 7, 2021 17:16
@thepwagner thepwagner requested a review from a team as a code owner May 7, 2021 17:16
@@ -4,6 +4,21 @@

module DummyPackageManager
class Version < Gem::Version
def initialize(version)
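Review bot: `DummyPackageManager::Version < Gem::Version` gaining its own `initialize` duplicates the tag normalisation that Dependabot::GithubActions::Version already performs (as the discussion below notes); a comment in this test helper naming the production class it mirrors, or reusing that class in the fixture, would keep the two from drifting apart silently.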
Why is this the same as Dependabot::GithubActions::Version now?

In the tests for local_tag_for_pinned_version, I'm using a git-upload-pack captured from actions/cache https://github.com/actions/checkout/tags

Having the active version_class (which in that test - is DummyPackageManager::Version) understand those tags was the path of least resistance.
Alternatively I could setup and capture a cleaner fixture - I liked the idea of the test case being "real".

@mctofu mctofu left a comment

I'm not very familiar with this updater but the changes make sense to me!

Since we strip the "v" when populating the dependency version the relative ignore conditions should also start working without any other changes?

@thepwagner
thepwagner commented May 10, 2021

Since we strip the "v" when populating the dependency version the relative ignore conditions should also start working without any other changes?

Yep, exactly!

[dependabot-core-dev] ~/dependabot-core $ bin/dry-run.rb github_actions thepwagner/dependabot-test-actions
=> fetching dependency files
=> dumping fetched dependency files: ./dry-run/thepwagner/dependabot-test-actions/
=> parsing dependency files
=> updating 1 dependencies: actions/checkout

=== actions/checkout (2.1.0)
 => checking for updates 1/1
 => latest available version is 2.3.4
 => latest allowed version is 2.3.4
 => requirements to unlock: own
 => requirements update strategy:
 => updating actions/checkout from 2.1.0 to 2.3.4

    ± .github/workflows/pinned.yaml
    ~~~
    7c7
    <     - uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81
    ---
    >     - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
    ~~~
[dependabot-core-dev] ~/dependabot-core $ IGNORE_CONDITIONS='[{"dependency-name":"actions/checkout","update-types":["version-update:semver-minor"]}]' bin/dry-run.rb github_actions thepwagner/dependabot-test-actions
=> fetching dependency files
=> dumping fetched dependency files: ./dry-run/thepwagner/dependabot-test-actions/
=> parsing dependency files
=> updating 1 dependencies: actions/checkout

=== actions/checkout (2.1.0)
 => checking for updates 1/1
 => latest available version is 2.1.1
 => latest allowed version is 2.1.1
 => requirements to unlock: own
 => requirements update strategy:
 => updating actions/checkout from 2.1.0 to 2.1.1

    ± .github/workflows/pinned.yaml
    ~~~
    7c7
    <     - uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81
    ---
    >     - uses: actions/checkout@86f86b36ef15e6570752e7175f451a512eac206b
    ~~~

@thepwagner thepwagner merged commit f2eb61f into main May 10, 2021
@thepwagner thepwagner deleted the github-actions-version branch May 10, 2021 16:02
@thepwagner thepwagner mentioned this pull request May 10, 2021
@aaronfranke
@thepwagner @mctofu Could this PR have caused #3704?
