dependabot
diff --git a/‎github_actions/lib/dependabot/github_actions/package/package_details_fetcher.rb‎
Lines changed: 50 additions & 0 deletions b/‎github_actions/lib/dependabot/github_actions/package/package_details_fetcher.rb‎
Lines changed: 50 additions & 0 deletions
diff --git a/‎github_actions/lib/dependabot/github_actions/update_checker/latest_version_finder.rb‎
Lines changed: 68 additions & 21 deletions b/‎github_actions/lib/dependabot/github_actions/update_checker/latest_version_finder.rb‎
Lines changed: 68 additions & 21 deletions
diff --git a/‎github_actions/spec/dependabot/github_actions/package/package_details_fetcher_spec.rb‎
Lines changed: 107 additions & 0 deletions b/‎github_actions/spec/dependabot/github_actions/package/package_details_fetcher_spec.rb‎
Lines changed: 107 additions & 0 deletions
@@ -8,6 +8,7 @@
 require "time"
 
 require "dependabot/errors"
+require "dependabot/git_tag_with_detail"
 require "dependabot/github_actions/helpers"
 require "dependabot/github_actions/requirement"
 require "dependabot/github_actions/update_checker"
@@ -16,6 +17,7 @@
 require "dependabot/package/package_release"
 require "dependabot/registry_client"
 require "dependabot/shared_helpers"
+require "dependabot/source"
 
 module Dependabot
   module GithubActions
@@ -127,6 +129,54 @@ def latest_version_tag
           )
         end
 
+        sig { returns(T::Array[Dependabot::GitTagWithDetail]) }
+        def fetch_tag_and_release_date
+          allowed_version_tags = git_commit_checker.allowed_version_tags
+          allowed_tag_names = Set.new(allowed_version_tags.map(&:name))
+
+          # Use the shared GitCommitChecker#refs_for_tag_with_detail to fetch all tags
+          # with release dates in a single clone (instead of one clone per tag)
+          all_refs_with_detail = git_commit_checker.refs_for_tag_with_detail
+
+          result = all_refs_with_detail.select do |ref|
+            allowed_tag_names.include?(ref.tag)
+          end
+
+          # Log an error if we couldn't fetch any release dates
+          if result.empty? && allowed_version_tags.any?
+            Dependabot.logger.error("Error fetching tag and release date: unable to fetch for allowed tags")
+          end
+
+          result
+        rescue StandardError => e
+          Dependabot.logger.error("Error fetching tag and release date: #{e.message}")
+          []
+        end
+
+        sig do
+          returns(T::Array[T::Hash[Symbol, T.untyped]])
+        end
+        def allowed_version_tags_with_release_dates
+          allowed_version_tags_hashes = git_commit_checker.local_tags_for_allowed_versions
+          tag_to_release_date = T.let({}, T::Hash[String, T.nilable(String)])
+
+          # Build a map of tag names to release dates for quick lookup
+          fetch_tag_and_release_date.each do |git_tag_with_detail|
+            tag_to_release_date[git_tag_with_detail.tag] = git_tag_with_detail.release_date
+          end
+
+          # Combine version info with release dates and sort by version descending
+          result = allowed_version_tags_hashes.map do |tag_hash|
+            tag_name = tag_hash.fetch(:tag)
+            tag_hash.merge(
+              release_date: tag_to_release_date[tag_name]
+            )
+          end
+
+          # Sort by version descending (newest first)
+          result.sort_by { |tag_hash| tag_hash.fetch(:version) }.reverse
+        end
+
         private
 
         sig { returns(Dependabot::GitCommitChecker) }
 
@@ -1,7 +1,6 @@
 # typed: strict
 # frozen_string_literal: true
 
-require "excon"
 require "sorbet-runtime"
 
 require "dependabot/errors"
@@ -107,7 +106,7 @@ def latest_version_tag
 
         sig { returns(T.nilable(Dependabot::GithubActions::Package::PackageDetailsFetcher)) }
         def package_details_fetcher
-          @package_details_fetcher = T.let(
+          @package_details_fetcher ||= T.let(
             Dependabot::GithubActions::Package::PackageDetailsFetcher
                         .new(
                           dependency: dependency,
@@ -158,19 +157,58 @@ def cooldown_filter(release)
           return release unless cooldown_options
 
           Dependabot.logger.info("Initializing cooldown filter")
-          release_date = commit_metadata_details
 
-          unless release_date
-            Dependabot.logger.info("No release date found, skipping cooldown filtering")
-            return release
-          end
+          # If the proposed release is a commit SHA (String), check its date against cooldown
+          if release.is_a?(String)
+            Dependabot.logger.info("Checking cooldown for commit SHA: #{release}")
+            return release unless check_if_version_in_cooldown_period?(commit_metadata_details)
 
-          if release_in_cooldown_period?(Time.parse(release_date))
-            Dependabot.logger.info("Filtered out (cooldown) #{dependency.name}, #{release}")
+            # Proposed SHA is in cooldown; for a SHA-based proposal, return nil (don't fall back to tags)
+            Dependabot.logger.info("Proposed commit SHA is in cooldown, returning nil")
             return nil
           end
 
-          release
+          # For version tag proposals, fetch all allowed versions with release dates (single clone)
+          # This reuses a single GitCommitChecker instance within package_details_fetcher
+          allowed_versions_with_dates = T.must(package_details_fetcher).allowed_version_tags_with_release_dates
+          tags_in_cooldown = Set.new(select_version_tags_in_cooldown_period(allowed_versions_with_dates))
+          return release if tags_in_cooldown.empty?
+
+          # Walk through all allowed version tags in descending order (newest first)
+          # and return the first one NOT in cooldown
+          allowed_versions_with_dates.each do |tag_info|
+            tag_name = tag_info.fetch(:tag)
+            next if tags_in_cooldown.include?(tag_name)
+
+            # Found a version not in cooldown, return it
+            version = tag_info.fetch(:version)
+            Dependabot.logger.info("Found acceptable version outside cooldown: #{version}")
+            return version
+          end
+
+          # All versions are in cooldown, return nil to fallback to current version
+          Dependabot.logger.info("All versions are in cooldown period, returning current version")
+          nil
+        end
+
+        sig do
+          params(
+            tags_with_dates: T.nilable(
+              T.any(T::Array[Dependabot::GitTagWithDetail], T::Array[T::Hash[Symbol, T.untyped]])
+            )
+          ).returns(T::Array[String])
+        end
+        def select_version_tags_in_cooldown_period(tags_with_dates = nil)
+          tags_to_check = tags_with_dates || T.must(package_details_fetcher).fetch_tag_and_release_date
+          # Handle both GitTagWithDetail objects and hashes with release_date
+          in_cooldown = tags_to_check.select do |tag|
+            release_date = tag.is_a?(Hash) ? tag.fetch(:release_date, nil) : tag.release_date
+            check_if_version_in_cooldown_period?(release_date)
+          end
+          in_cooldown.map { |tag| tag.is_a?(Hash) ? tag.fetch(:tag) : tag.tag }
+        rescue StandardError => e
+          Dependabot.logger.error("Error checking if version is in cooldown (using empty filter): #{e.message}")
+          []
         end
 
         sig { returns(T.nilable(String)) }
@@ -194,30 +232,39 @@ def commit_metadata_details
                 end
               end
             rescue StandardError => e
-              Dependabot.logger.error("Error (github actions) while checking release date for #{dependency.name}")
-              Dependabot.logger.error(e.message)
+              msg = "Error (github actions) while checking release date for #{dependency.name}: #{e.message}"
+              Dependabot.logger.warn(msg)
 
               nil
             end,
             T.nilable(String)
           )
         end
 
-        sig { params(release_date: Time).returns(T::Boolean) }
-        def release_in_cooldown_period?(release_date)
-          cooldown = @cooldown_options
+        sig { params(release_date: T.nilable(String)).returns(T::Boolean) }
+        def check_if_version_in_cooldown_period?(release_date)
+          return false unless release_date&.length&.positive?
+          return false unless cooldown_options
+          return false unless T.must(cooldown_options).included?(dependency.name)
 
-          return false unless T.must(cooldown).included?(dependency.name)
+          release_time = Time.parse(T.must(release_date))
+          cooldown_days = T.must(cooldown_options).default_days
 
-          days = T.must(cooldown).default_days
+          is_in_cooldown = Dependabot::UpdateCheckers::CooldownCalculation.within_cooldown_window?(
+            release_time,
+            cooldown_days
+          )
 
+          passed_seconds = Time.now.to_i - release_time.to_i
+          days_since = passed_seconds / Dependabot::UpdateCheckers::CooldownCalculation::DAY_IN_SECONDS
           Dependabot.logger.info(
-            "Days since release : #{(Time.now.to_i - release_date.to_i) / (24 * 60 * 60)} " \
-            "(cooldown days #{days})"
+            "Days since release : #{days_since} (cooldown days #{cooldown_days})"
           )
 
-          Dependabot::UpdateCheckers::CooldownCalculation
-            .within_cooldown_window?(release_date, days)
+          is_in_cooldown
+        rescue StandardError => e
+          Dependabot.logger.debug("Error parsing release date: #{e.message}")
+          false
         end
 
         sig { returns(String) }
 
@@ -252,4 +252,111 @@
       end
     end
   end
+
+  describe "#fetch_tag_and_release_date" do
+    subject(:fetch_tag_and_release_date) { fetcher.fetch_tag_and_release_date }
+
+    let(:upload_pack_fixture) { "setup-node" }
+    let(:git_tag_with_details) do
+      [
+        Dependabot::GitTagWithDetail.new(tag: "v1.0.0", release_date: "2024-01-01T00:00:00Z"),
+        Dependabot::GitTagWithDetail.new(tag: "v2.0.0", release_date: "2024-02-01T00:00:00Z"),
+        Dependabot::GitTagWithDetail.new(tag: "v3.0.0", release_date: "2024-03-01T00:00:00Z")
+      ]
+    end
+
+    before do
+      # Stub git_commit_checker to return mock tags with release dates
+      mock_checker = instance_double(Dependabot::GitCommitChecker)
+
+      # Also stub allowed_version_tags to include all our test tags
+      allow(mock_checker).to receive_messages(
+        refs_for_tag_with_detail: git_tag_with_details,
+        allowed_version_tags: git_tag_with_details.map { |tag|
+          double(name: tag.tag)
+        }
+      )
+      allow(fetcher).to receive(:git_commit_checker).and_return(mock_checker)
+    end
+
+    it "returns array of GitTagWithDetail objects" do
+      expect(fetch_tag_and_release_date).to be_an(Array)
+      expect(fetch_tag_and_release_date.first).to be_a(Dependabot::GitTagWithDetail)
+    end
+
+    it "includes tag and release_date attributes with correct values" do
+      results = fetch_tag_and_release_date
+      expect(results).to(
+        all(
+          have_attributes(
+            tag: an_instance_of(String),
+            release_date: an_instance_of(String)
+          )
+        )
+      )
+      # Assert specific tag values
+      tags = results.map(&:tag).sort
+      expect(tags).to include("v1.0.0", "v2.0.0", "v3.0.0")
+    end
+
+    it "filters to only allowed version tags" do
+      results = fetch_tag_and_release_date
+      expect(results.map(&:tag)).not_to be_empty
+      # All returned tags should be in the git_tag_with_details
+      expected_tags = git_tag_with_details.map(&:tag)
+      actual_tags = results.map(&:tag)
+      expect(actual_tags).to match_array(expected_tags)
+    end
+
+    it "preserves release dates for each tag" do
+      results = fetch_tag_and_release_date
+      tag_date_map = results.to_h { |item| [item.tag, item.release_date] }
+
+      git_tag_with_details.each do |git_tag|
+        expect(tag_date_map[git_tag.tag]).to eq(git_tag.release_date)
+      end
+    end
+
+    context "when git_commit_checker.refs_for_tag_with_detail fails" do
+      before do
+        mock_checker = instance_double(Dependabot::GitCommitChecker)
+        allow(mock_checker).to receive(:allowed_version_tags).and_return([double(name: "v1.0.0")])
+        allow(mock_checker).to receive(:refs_for_tag_with_detail)
+          .and_raise(StandardError, "git error")
+        allow(fetcher).to receive(:git_commit_checker).and_return(mock_checker)
+      end
+
+      it "handles error gracefully and returns empty array" do
+        expect(fetch_tag_and_release_date).to eq([])
+      end
+
+      it "logs the error" do
+        expect(Dependabot.logger).to receive(:error).with(/Error fetching tag and release date/)
+        fetch_tag_and_release_date
+      end
+    end
+
+    context "when no tags match allowed versions" do
+      before do
+        mock_checker = instance_double(Dependabot::GitCommitChecker)
+        allow(mock_checker).to receive_messages(
+          refs_for_tag_with_detail: [
+            Dependabot::GitTagWithDetail.new(tag: "v999.0.0", release_date: "2099-01-01T00:00:00Z")
+          ],
+          allowed_version_tags: [double(name: "v1.0.0")]
+        )
+        allow(fetcher).to receive(:git_commit_checker).and_return(mock_checker)
+      end
+
+      it "returns empty array when no tags match allowed versions" do
+        expect(fetch_tag_and_release_date).to eq([])
+      end
+
+      it "logs error when no release dates found for allowed tags" do
+        expect(Dependabot.logger).to receive(:error)
+          .with(/Error fetching tag and release date: unable to fetch for allowed tags/)
+        fetch_tag_and_release_date
+      end
+    end
+  end
 end