From 89ebc55dac8630574301a10917425f80a56e4763 Mon Sep 17 00:00:00 2001
From: Jake Coffman
Date: Fri, 15 Dec 2023 14:42:18 -0600
Subject: [PATCH] fix exception when Action is pinned to a SHA with no tags (#8621)
---
 .../lib/dependabot/github_actions/file_updater.rb | 2 ++
 .../dependabot/github_actions/file_updater_spec.rb | 11 +++++++++++
 .../pinned_sources_version_comments.yml | 4 ++++
 3 files changed, 17 insertions(+)
diff --git a/github_actions/lib/dependabot/github_actions/file_updater.rb b/github_actions/lib/dependabot/github_actions/file_updater.rb
index 047b3adf97e..f89107e1a5f 100644
--- a/github_actions/lib/dependabot/github_actions/file_updater.rb
+++ b/github_actions/lib/dependabot/github_actions/file_updater.rb
@@ -100,6 +100,8 @@ def updated_version_comment(comment, old_ref, new_ref)
 return unless git_checker.ref_looks_like_commit_sha?(old_ref)
 previous_version_tag = git_checker.most_specific_version_tag_for_sha(old_ref)
+ return unless previous_version_tag # There's no tag for this commit
+
 previous_version = version_class.new(previous_version_tag).to_s
 return unless comment.end_with? previous_version
diff --git a/github_actions/spec/dependabot/github_actions/file_updater_spec.rb b/github_actions/spec/dependabot/github_actions/file_updater_spec.rb
index 43dbbc8ba7b..93b86128a54 100644
--- a/github_actions/spec/dependabot/github_actions/file_updater_spec.rb
+++ b/github_actions/spec/dependabot/github_actions/file_updater_spec.rb
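Review bot: The new `return unless previous_version_tag` guard returns nil without saying what the caller does with it; judging from the spec and fixture in this commit, the effect is that a comment that was already wrong for the old SHA (`# v2.1.0` beside a commit that is not v2.1.0) is carried over unchanged next to the new SHA, so the human-readable version beside the pin may now misdescribe it. Since that comment is what reviewers read to judge which release a SHA pin corresponds to, the trade-off deserves to be recorded at the guard rather than only in the fixture, e.g. `# No version tag resolves to old_ref, so the existing comment cannot be checked against a previous version; returning nil leaves it untouched (it may already be stale).` The method `updated_version_comment` begins before the hunk and its caller is not visible here, so the nil handling is inferred from the added spec. The `version_class.new(previous_version_tag)` call on the following line is still unguarded if `most_specific_version_tag_for_sha` can return a tag that does not parse as a version; worth confirming against that helper.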
@@ -407,6 +407,17 @@
 expect(subject.content).not_to include "Versions older than v#{dependency.version} have a security vulnerability"
 # rubocop:enable Layout/LineLength
 end
+
+ context "but the previous SHA is not tagged" do
+ before do
+ dependency.previous_requirements.first[:source][:ref] = "85b1f35505da871133b65f059e96210c65650a8b"
+ end
+
+ it "updates SHA version but not the comment" do
+ new_sha = dependency.requirements.first.dig(:source, :ref)
+ expect(subject.content).to match(/#{new_sha}['"]?\s+#.*#{dependency.previous_version}/)
+ end
+ end
 end
 end
 end
diff --git a/github_actions/spec/fixtures/workflow_files/pinned_sources_version_comments.yml b/github_actions/spec/fixtures/workflow_files/pinned_sources_version_comments.yml
index a1b7f3f876a..26e2fc6546a 100644
--- a/github_actions/spec/fixtures/workflow_files/pinned_sources_version_comments.yml
+++ b/github_actions/spec/fixtures/workflow_files/pinned_sources_version_comments.yml
@@ -29,3 +29,7 @@ jobs:
 # for the SHA commit, and the second version as a concrete version
 # that shouldn't change. For simplicity, we don't update either.
 - uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 # v2.1.0 - Versions older than v2.1.0 have a security vulnerability
+
+ # This is pinned to the version before v2.1.0, so the comment is incorrect.
+ # Rather than failing to update, it will just leave the comment as-is.
+ - uses: actions/checkout@85b1f35505da871133b65f059e96210c65650a8b # v2.1.0
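Review bot: The regex in the new `it "updates SHA version but not the comment"` example interpolates `new_sha` and `dependency.previous_version` unescaped, so the dots in a version such as `2.1.0` match any character and the assertion is weaker than it reads; escape both: `expect(subject.content).to match(/#{Regexp.escape(new_sha)}['"]?\s+#.*#{Regexp.escape(dependency.previous_version)}/)`. The example also only checks that the previous version appears somewhere after the `#`; asserting the exact comment text (e.g. `include "#{new_sha} # v#{dependency.previous_version}"`, assuming the fixture's `# v<version>` form shown in the YAML hunk) would pin the "not the comment" half of the example name more directly. The `before` block mutates `dependency.previous_requirements` in place, which is fine only if `dependency` is a per-example `let`; that definition is outside the hunk.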