fix exception when Action is pinned to a SHA with no tags (dependabot…
jakecoffman authored Dec 15, 2023
1 parent 5e4f2e5 commit 89ebc55
Showing 3 changed files with 17 additions and 0 deletions.
2 changes: 2 additions & 0 deletions github_actions/lib/dependabot/github_actions/file_updater.rb
Expand Up @@ -100,6 +100,8 @@ def updated_version_comment(comment, old_ref, new_ref)
return unless git_checker.ref_looks_like_commit_sha?(old_ref)

previous_version_tag = git_checker.most_specific_version_tag_for_sha(old_ref)
return unless previous_version_tag # There's no tag for this commit

previous_version = version_class.new(previous_version_tag).to_s
return unless comment.end_with? previous_version

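Review bot: the nil guard `return unless previous_version_tag` is the right place to stop the exception named in the commit message, since the very next line calls `version_class.new(previous_version_tag)` and would otherwise receive nil; consider making the inline comment say what the early return means for the caller, i.e. that an existing version comment on an untagged SHA is deliberately left untouched rather than rewritten, so the silent no-op is not mistaken for a missing update. Separately, `comment.end_with? previous_version` drops the argument parentheses while the surrounding calls keep them; `comment.end_with?(previous_version)` would match the style of the rest of the method.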
11 changes: 11 additions & 0 deletions github_actions/spec/dependabot/github_actions/file_updater_spec.rb
Expand Up @@ -407,6 +407,17 @@
expect(subject.content).not_to include "Versions older than v#{dependency.version} have a security vulnerability"
# rubocop:enable Layout/LineLength
end

context "but the previous SHA is not tagged" do
before do
dependency.previous_requirements.first[:source][:ref] = "85b1f35505da871133b65f059e96210c65650a8b"
end

it "updates SHA version but not the comment" do
new_sha = dependency.requirements.first.dig(:source, :ref)
expect(subject.content).to match(/#{new_sha}['"]?\s+#.*#{dependency.previous_version}/)
end
end
end
end
end
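Review bot: the regex in `expect(subject.content).to match(/#{new_sha}['"]?\s+#.*#{dependency.previous_version}/)` interpolates `dependency.previous_version` unescaped, so the dots in a version such as `2.1.0` match any character and the assertion is looser than intended; wrapping it as `#{Regexp.escape(dependency.previous_version)}` (and the SHA likewise, though hex is safe as-is) keeps the check exact. The new context `"but the previous SHA is not tagged"` otherwise covers the fix well: it asserts both that the ref was bumped to `new_sha` and that the trailing comment still carries the old version, which is exactly the behaviour the file updater change introduces.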
Expand Up @@ -29,3 +29,7 @@ jobs:
# for the SHA commit, and the second version as a concrete version
# that shouldn't change. For simplicity, we don't update either.
- uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 # v2.1.0 - Versions older than v2.1.0 have a security vulnerability

# This is pinned to the version before v2.1.0, so the comment is incorrect.
# Rather than failing to update, it will just leave the comment as-is.
- uses: actions/checkout@85b1f35505da871133b65f059e96210c65650a8b # v2.1.0
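Review bot: the fixture comment `# This is pinned to the version before v2.1.0, so the comment is incorrect.` can be read as saying the SHA corresponds to an earlier tagged release, whereas the spec context that consumes this fixture is named "but the previous SHA is not tagged" and the code path being exercised is the one where no version tag resolves for the SHA at all; stating that directly ("this SHA has no version tag, so the `# v2.1.0` comment cannot be verified and is left as-is") would keep the fixture and the spec telling the same story. It is also worth noting in the comment that the expected outcome is the SHA being updated while `# v2.1.0` stays, since that is the assertion the spec makes.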
