feat: add cooldown filter for github_actions using existing git_commit_checker and available_latest_version_tag #14621
Pull request overview
This PR fixes GitHub Actions cooldown behavior so that when the newest tag is within the cooldown window, Dependabot can still select the newest older allowed tag that is outside the cooldown window (instead of returning “no viable filtered release”).
Changes:
- Add tag→release-date retrieval to evaluate cooldown across all allowed version tags.
- Rework `cooldown_filter` to select the newest allowed tag not in cooldown, based on a computed “in cooldown” set.
- Add/adjust specs for cooldown date parsing and tag selection logic.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| github_actions/lib/dependabot/github_actions/update_checker/latest_version_finder.rb | Reworks cooldown filtering to consider all allowed tags and adds helper methods/constants for date handling. |
| github_actions/lib/dependabot/github_actions/package/package_details_fetcher.rb | Introduces tag+release-date fetching and combines release dates with allowed version tags. |
| github_actions/spec/dependabot/github_actions/update_checker/latest_version_finder_spec.rb | Adds unit coverage for new cooldown helper methods and tag selection. |
| github_actions/spec/dependabot/github_actions/update_checker_spec.rb | Updates cooldown-related scenarios to account for new git-based release-date lookups. |
| github_actions/spec/dependabot/github_actions/package/package_details_fetcher_spec.rb | Adds spec coverage for fetch_tag_and_release_date. |
I’m asking you to run the CLI against the workflow to confirm that everything works as expected. RSpec only validates functionality at the unit level, as most of the APIs and layers are mocked. So please perform an end-to-end test as well.
That's why I gave the workflow: to run the dependabot CLI and confirm the expected results.
https://github.com/Homebrew/homebrew-brew-vulns/actions/runs/23637238472/job/68849057678
This update is working as expected. But the Copilot comments need to be addressed.
Before this update: [screenshot]
After this update: [screenshot]
thavaahariharangit left a comment
Took a pass through the changes. The fix itself works — cooldown filtering now properly walks tags and falls back to older versions, which is a real improvement. Left some inline comments, mostly about duplication and divergence from shared patterns.
This implements the fix for #14579 where the cooldown filter only checked the latest release, blocking all updates for frequently-released dependencies.

Key improvements:
- Fetch all allowed version tags with release dates in single git clone
- Evaluate cooldown across all allowed versions
- Return newest version outside cooldown window instead of 'no viable release'
- Use shared CooldownCalculation.within_cooldown_window? for consistency
- Proper error handling with appropriate logging levels
- Type-safe with Sorbet signatures

Fixed issues from code review:
- Consolidated duplicate allowed_version_tags_with_release_dates logic
- Use shared CooldownCalculation utility (not hand-rolled)
- Removed unused excon dependency
- Fixed RuboCop line length violations
- Fixed logger.error usage in error paths
What are you trying to accomplish?

Fixes #14579 — The GitHub Actions cooldown filter was only evaluating the single latest release against the cooldown window. If that latest release fell within the cooldown period, Dependabot immediately returned "no viable filtered release" and proposed no update at all — even when multiple older releases existed that were well past the cooldown window.

This effectively made cooldown a permanent blocker for frequently-released dependencies (e.g. `ruby/setup-ruby`, `renovatebot/github-action`), which is clearly not the intended behavior.

Before (broken behavior): [screenshot]

Versions `1.289.0`–`1.297.0` were all over 7 days old and should have been proposed, but were never evaluated.

After (fixed behavior): [screenshot]

Dependabot fetches the release dates for all allowed version tags, builds a set of tags that are within the cooldown window, and checks whether the proposed release tag is in that set. Tags outside the cooldown window remain valid candidates for update.

What changed?

- `package_details_fetcher.rb`: Added `fetch_tag_and_release_date` (public) and `fetch_release_date_for_tag` (private). These use `git clone --bare` + `git show --format="%cd"` to retrieve the commit date for each allowed version tag — with existing methods `git_commit_checker` and `available_latest_version_tag` via git-native repository.
- `latest_version_finder.rb`: Replaced the `commit_metadata_details` + `release_in_cooldown_period?` flow in `cooldown_filter` with a new `select_version_tags_in_cooldown_period` method that evaluates all allowed version tags. Extracted `check_if_version_in_cooldown_period?` and `release_date_to_seconds` as testable, isolated helpers. Added the `DAY_IN_SECONDS` constant (previously referenced but defined elsewhere).
- Tests: Added specs for `fetch_tag_and_release_date`, `check_if_version_in_cooldown_period?`, `release_date_to_seconds`, and `select_version_tags_in_cooldown_period`, covering nil/empty/invalid date inputs, missing cooldown options, and error recovery.

Anything you want to highlight for special attention from reviewers?

- The `fetch_release_date_for_tag` method currently runs a full `git clone --bare` per tag. For repos with a large number of allowed version tags this could be slow. A follow-up optimization to clone once and run all `git show` commands within that single bare clone would be worthwhile, but is out of scope for this fix.
- `release_in_cooldown_period?` included a `cooldown.included?(dependency.name)` guard. This has been removed in the new `check_if_version_in_cooldown_period?`. Please confirm whether per-dependency inclusion scoping needs to be preserved here.

How will you know you've accomplished your goal?

- Specs for `select_version_tags_in_cooldown_period` and `check_if_version_in_cooldown_period?` pass.
- A dependency with `cooldown: default-days: 7` and a latest release < 7 days old will now be updated to the most recent release that is ≥ 7 days old, rather than receiving "no viable filtered release."
- `ruby/setup-ruby` pinned at `1.288.0`, run when `1.298.0` is 0 days old: Dependabot should now propose updating to `1.297.0` (or whichever is the newest release outside the cooldown window).
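The selection logic the PR description and the Copilot summary describe (fetch a release date for every allowed tag, build the set of tags still inside the cooldown window, pick the newest tag outside it) as a stand-alone Ruby example. This is added illustration, not the PR's or Dependabot's code: the method names are hypothetical analogues of the ones named above, the tag-to-date hash stands in for what the `git clone --bare` + `git show --format="%cd"` step would return (assumed here in `--date=iso` form), and the dates, tags and fixed "now" are constructed. It also covers the edge cases the new specs are said to exercise: nil, empty and unparsable dates, a missing cooldown setting, and the case where every tag is still in cooldown.

```ruby
require "time"
require "set"

# Seconds in a day, matching the name of the constant the PR introduces.
DAY_IN_SECONDS = 24 * 60 * 60

# Constructed sample input: tag => the string `git show -s --format=%cd --date=iso <tag>`
# would print for that tag's commit. Values are made up for this example; the last two
# simulate a tag whose date could not be parsed and one whose lookup failed entirely.
SAMPLE_TAG_DATES = {
  "v1.288.0" => "2025-12-01 10:00:00 +0000",
  "v1.295.0" => "2026-01-10 10:00:00 +0000",
  "v1.296.0" => "2026-01-20 10:00:00 +0000",
  "v1.297.0" => "2026-01-25 09:00:00 +0000",
  "v1.298.0" => "2026-02-02 08:00:00 +0000",
  "v1.299.0" => "bogus",
  "v1.300.0" => nil
}.freeze

# Fixed "now" so the example is deterministic (assumption that goes with the sample data).
EXAMPLE_NOW = Time.parse("2026-02-03 00:00:00 +0000")

# Convert a git date string to epoch seconds; nil for missing, empty or unparsable input.
def release_date_to_seconds(date_str)
  return nil if date_str.nil? || date_str.strip.empty?

  Time.parse(date_str).to_i
rescue ArgumentError
  nil
end

# A tag is in cooldown when it was released less than cooldown_days ago.
# No cooldown configured (nil or non-positive) means nothing is in cooldown.
# A release whose date is unknown is treated as in cooldown: an age that cannot be
# verified should not bypass the waiting window (a design choice of this example).
def version_in_cooldown_period?(release_seconds, cooldown_days, now)
  return false if cooldown_days.nil? || cooldown_days <= 0
  return true if release_seconds.nil?

  now.to_i - release_seconds < cooldown_days * DAY_IN_SECONDS
end

# Evaluate every allowed tag and return the set of tags still inside the window.
def select_version_tags_in_cooldown_period(tag_dates, cooldown_days, now)
  tag_dates.each_with_object(Set.new) do |(tag, date_str), in_cooldown|
    seconds = release_date_to_seconds(date_str)
    in_cooldown << tag if version_in_cooldown_period?(seconds, cooldown_days, now)
  end
end

# Pick the highest version among tags that are outside the cooldown window.
# Returns nil when every allowed tag is still in cooldown ("no viable filtered release").
# Assumes semver-like tags with an optional leading "v"; anything else is skipped.
def newest_tag_outside_cooldown(tag_dates, cooldown_days, now)
  in_cooldown = select_version_tags_in_cooldown_period(tag_dates, cooldown_days, now)
  candidates = tag_dates.keys.reject { |tag| in_cooldown.include?(tag) }
  candidates
    .select { |tag| Gem::Version.correct?(tag.delete_prefix("v")) }
    .max_by { |tag| Gem::Version.new(tag.delete_prefix("v")) }
end

if $PROGRAM_NAME == __FILE__
  in_cooldown = select_version_tags_in_cooldown_period(SAMPLE_TAG_DATES, 7, EXAMPLE_NOW)
  puts "in cooldown (7 days): #{in_cooldown.to_a.sort.join(', ')}"
  puts "newest outside cooldown: #{newest_tag_outside_cooldown(SAMPLE_TAG_DATES, 7, EXAMPLE_NOW)}"
end
```

With a 7-day cooldown and the sample data this yields `v1.297.0`, the scenario the description gives for `ruby/setup-ruby`. One caveat for anyone relying on this control as a supply-chain safeguard: `%cd` is the committer date of the commit the tag points at, which the tag's author sets freely, so a freshly pushed tag can carry an old date; the example therefore leans conservative on unknown dates, but the date itself is only as trustworthy as the repository being cloned.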