
fix(github_actions): use most specific version tag when updating comments#14461

Merged: jeffwidman merged 1 commit into main from fix/github-actions-version-comment-substring-gsub on Mar 17, 2026

Conversation

@jeffwidman (Member)

Summary

When a pinned SHA has multiple version tags (e.g. v1, v1.0, v1.0.1), the version comment update logic in FileUpdater#updated_version_comment used .find to pick the first tag whose version string was a suffix of the comment. Because tags are sorted ascending by version, this could pick a short version like "1" that is a substring of the actual comment version "1.0.1". The subsequent gsub("1", "1.1") then mangled the entire comment:

  • Before (bug): # v1.0.1 → # v1.1.0.1.1
  • After (fix): # v1.0.1 → # v1.1

Root Cause

In updated_version_comment, the code:

previous_version = previous_version_tags.map { |tag| version_class.new(tag).to_s }
                                        .find { |version| comment.end_with? version }

With tags ["v1", "v1.0", "v1.0.1"], this maps to ["1", "1.0", "1.0.1"] and .find returns "1" because "v1.0.1".end_with?("1") is true. Then comment.gsub("1", "1.1") replaces every "1" in the comment.

Fix

Changed .find to .select { ... }.max_by(&:length) so the longest (most specific) matching version string is used. This correctly picks "1.0.1" over "1", and gsub("1.0.1", "1.1") produces the correct result.

Test

Added a test case that reproduces the exact scenario from cli/cli#12918 — multiple tags (v1, v1.0, v1.0.1) on the same SHA where a shorter version is a suffix of the version in the comment.

References
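The bug and the fix described above, as an added stand-alone example (not dependabot-core's own code). The `version_string` helper is an assumption that stands in for `version_class.new(tag).to_s` by stripping the leading "v", which is all this scenario needs.

```ruby
# Added example modelling FileUpdater#updated_version_comment before and after
# the fix. version_string approximates version_class.new(tag).to_s (assumption).
def version_string(tag)
  tag.sub(/\Av/, "")
end

# Buggy variant: tags arrive sorted ascending, so .find returns the shortest
# version string that is a suffix of the comment ("1" for "# v1.0.1").
def updated_comment_buggy(comment, previous_version_tags, new_version)
  previous_version = previous_version_tags.map { |tag| version_string(tag) }
                                          .find { |version| comment.end_with?(version) }
  return comment unless previous_version

  # gsub replaces every occurrence of "1", mangling the whole comment.
  comment.gsub(previous_version, new_version)
end

# Fixed variant: keep every suffix match and use the longest (most specific)
# one, so gsub only touches the full version string.
def updated_comment_fixed(comment, previous_version_tags, new_version)
  previous_version = previous_version_tags.map { |tag| version_string(tag) }
                                          .select { |version| comment.end_with?(version) }
                                          .max_by(&:length)
  return comment unless previous_version

  comment.gsub(previous_version, new_version)
end

# Constructed input: three tags pointing at the same pinned SHA, as in the PR.
TAGS = %w[v1 v1.0 v1.0.1].freeze

if $PROGRAM_NAME == __FILE__
  puts updated_comment_buggy("# v1.0.1", TAGS, "1.1") # => "# v1.1.0.1.1"
  puts updated_comment_fixed("# v1.0.1", TAGS, "1.1") # => "# v1.1"
end
```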

@jeffwidman jeffwidman requested a review from a team as a code owner March 16, 2026 18:42
Copilot AI review requested due to automatic review settings March 16, 2026 18:42
@github-actions github-actions Bot added the L: github:actions GitHub Actions label Mar 16, 2026
Copilot AI (Contributor) left a comment

Pull request overview

This PR fixes GitHub Actions workflow comment updates when a pinned SHA has multiple version tags, ensuring the version comment is updated using the most specific (longest) matching version string to avoid accidental partial replacements.

Changes:

  • Update FileUpdater#updated_version_comment to select the longest matching prior version suffix rather than the first match.
  • Add a regression spec covering the “shorter version is a suffix of the comment version” case.
  • Add a new workflow fixture representing a pinned SHA with a # v1.0.1 comment.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

Files reviewed:

  • github_actions/lib/dependabot/github_actions/file_updater.rb: Chooses the longest matching prior version string to prevent gsub mangling (e.g., matching 1.0.1 instead of 1).
  • github_actions/spec/dependabot/github_actions/file_updater_spec.rb: Adds a regression test reproducing the substring-suffix failure mode with multiple tags on the same SHA.
  • github_actions/spec/fixtures/workflow_files/pinned_source_multiple_tags_substring_versions.yml: Adds a fixture workflow line with a pinned SHA and # v1.0.1 comment used by the new spec.

@jeffwidman jeffwidman moved this to Scoping in Dependabot Mar 16, 2026
…ents

When a pinned SHA has multiple version tags (e.g. v1, v1.0, v1.0.1),
the version comment update logic used .find to pick the first tag whose
version string was a suffix of the comment. Because tags are sorted
ascending, this could pick a short version like "1" that is a substring
of the actual comment version "1.0.1". The subsequent gsub("1", "1.1")
then mangled the entire comment, e.g. "# v1.0.1" became "# v1.1.0.1.1".

Fix by selecting the longest (most specific) matching version string
instead of the first match. This ensures gsub replaces the correct
substring.

Fixes an issue observed in cli/cli#12918 where
the comment was incorrectly updated to "# v1.1.0.1.1" instead of
"# v1.1".
@jeffwidman jeffwidman force-pushed the fix/github-actions-version-comment-substring-gsub branch from 7010e0f to 15a8d32 Compare March 17, 2026 01:20
@jeffwidman jeffwidman merged commit 54fad6e into main Mar 17, 2026
84 checks passed
@jeffwidman jeffwidman deleted the fix/github-actions-version-comment-substring-gsub branch March 17, 2026 01:51
@github-project-automation github-project-automation Bot moved this from Scoping to Done in Dependabot Mar 17, 2026