Gate digest suppression on comparable tags only

Non-comparable tags (e.g., 'latest', distro codenames like 'artful')
should still receive digest updates since they cannot be version-compared.
Only versioned/comparable tags get digest-only suppression.

Adds test for non-comparable tag+digest pin scenario.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: 2 people

docker/lib/dependabot/docker/update_checker.rb

@@ -217,7 +217,10 @@ def digest_up_to_date?
               # When digest-only updates are suppressed and the tag hasn't changed,
               # treat the digest as up-to-date to avoid proposing a PR that only
               # bumps the digest without a corresponding version change.
+              # Only apply to comparable (versioned) tags — non-comparable tags like
+              # "latest" or distro codenames should still get digest updates.
               if Dependabot::Experiments.enabled?(:docker_digest_only_update_suppression) &&
+                 Tag.new(source_tag).comparable? &&
                  latest_tag.name == source_tag
                 next true
               end

docker/spec/dependabot/docker/update_checker_spec.rb

@@ -3310,6 +3310,25 @@ def stub_tag_with_no_digest(tag)
           expect(digest_up_to_date?).to be false
         end
       end
+
+      context "when the tag is non-comparable (e.g., 'latest' or distro codename) with digest" do
+        let(:version) { "artful" }
+        let(:source) do
+          {
+            tag: "artful",
+            digest: "old_digest_that_differs_from_registry"
+          }
+        end
+
+        before do
+          stub_request(:head, repo_url + "manifests/artful")
+            .and_return(status: 200, headers: JSON.parse(headers_response))
+        end
+
+        it "still detects digest changes (suppression only applies to versioned tags)" do
+          expect(digest_up_to_date?).to be false
+        end
+      end
     end
 
     context "when experiment is disabled" do