fix(github_actions): align SHA updates with cooldown-filtered latest version (#15078)

thavaahariharangit · web-flow · commit aa7e0894e9de · 2026-05-21T08:27:14.000+01:00
diff --git a/github_actions/lib/dependabot/github_actions/update_checker.rb b/github_actions/lib/dependabot/github_actions/update_checker.rb
@@ -175,7 +175,9 @@ def latest_commit_sha(source_checker)
           new_tag = T.must(latest_version_finder).latest_version_tag_respecting_cooldown
           new_tag&.fetch(:commit_sha)
         else
-          latest_commit_for_pinned_ref
+          # Keep SHA rewrites aligned with the checker decision (including cooldown filtering).
+          latest = latest_version
+          latest.is_a?(String) ? latest : latest_commit_for_pinned_ref
         end
       end
 
diff --git a/github_actions/spec/dependabot/github_actions/update_checker_spec.rb b/github_actions/spec/dependabot/github_actions/update_checker_spec.rb
@@ -742,13 +742,15 @@
     end
     let(:local_tag_for_pinned_sha) { false }
     let(:latest_version_tag) { nil }
+    let(:latest_version) { nil }
 
     before do
       allow(checker).to receive_messages(
         latest_version_finder: instance_double(
           Dependabot::GithubActions::UpdateChecker::LatestVersionFinder,
           latest_version_tag: latest_version_tag
         ),
+        latest_version: latest_version,
         latest_commit_for_pinned_ref: "branch-head-sha"
       )
     end
@@ -763,9 +765,10 @@
       let(:latest_version_tag) do
         { tag: "v2.7.0", commit_sha: "ee0669bd1cc54295c223e0bb666b733df41de1c5" }
       end
+      let(:latest_version) { "cooldown-filtered-sha" }
 
-      it "falls back to branch head commit behavior" do
-        expect(checker.send(:latest_commit_sha, source_checker)).to eq("branch-head-sha")
+      it "uses the checker latest_version SHA to keep updates aligned" do
+        expect(checker.send(:latest_commit_sha, source_checker)).to eq("cooldown-filtered-sha")
       end
     end
   end
