
fix(github_actions): align SHA updates with cooldown-filtered latest version#15078

Merged
thavaahariharangit merged 4 commits into
mainfrom
harry/fix-gha-cooldown-sha-version-mismatch
May 21, 2026

Conversation

@thavaahariharangit
Contributor

@thavaahariharangit thavaahariharangit commented May 20, 2026

What are you trying to accomplish?

I worked on a fix for issue #14998 and reproduced the problem in this workflow run:
github-action-cooldown-14998 workflow run

After cooldown filtering, Dependabot correctly identifies the current SHA as the latest allowed version:

updater | 2026/05/20 08:12:26 INFO <job_1376180526> Found release date : 2026-05-09 02:20:17 +0200
updater | 2026/05/20 08:12:26 INFO <job_1376180526> Days since release : 11 (cooldown days 21)
2026/05/20 08:12:26 INFO <job_1376180526> Proposed commit SHA is in cooldown, returning nil
updater | 2026/05/20 08:12:26 INFO <job_1376180526> Returning current version/ref (no viable filtered release) 1eb2ef646ac0255473d23a5907ad7b04ce94065c
updater | 2026/05/20 08:12:26 INFO <job_1376180526> Latest version is 1eb2ef646ac0255473d23a5907ad7b04ce94065c

However, the pull request summary still reports an update to the cooled-down SHA instead of the filtered result:

updater | 2026/05/20 08:12:30 INFO Results:
+------------------------------------------------------------------------------------------------------------------------------+
|                                             Changes to Dependabot Pull Requests                                              |
+---------+--------------------------------------------------------------------------------------------------------------------+
| created | cachix/cachix-action ( from 1eb2ef646ac0255473d23a5907ad7b04ce94065c to 5f2d7c5294214f71b873db4b969586b980625e71 ) |
+---------+--------------------------------------------------------------------------------------------------------------------+

In short, cooldown filtering is applied when determining latest_version but the update summary is still built from the unfiltered SHA.

Anything you want to highlight for special attention from reviewers?

Cooldown filtering is already applied to latest_version, but SHA-based ref rewriting could still use the unfiltered branch head. This change keeps both paths aligned so the reported update matches the actual cooled-down result.

How will you know you've accomplished your goal?

After this change, the run produced no update when the candidate SHA is filtered out by cooldown. I verified that behavior in a dependabot CLI run against the workflow above, in which we reproduced this issue; Dependabot correctly reports that there is nothing to update:

updater | 2026/05/20 09:16:32 INFO Nothing to update for Dependency Group: 'github-actions'
updater | 2026/05/20 09:16:32 INFO Found no dependencies to update after filtering allowed updates in /
  proxy | 2026/05/20 09:16:32 [033] PATCH http://host.docker.internal:36141/update_jobs/cli/mark_as_processed
{"data":{"base-commit-sha":"fcbac855ffc0ff6b1a60d46bb400c1b4e18a9f4d"},"type":"mark_as_processed"}
  proxy | 2026/05/20 09:16:32 [033] 200 http://host.docker.internal:36141/update_jobs/cli/mark_as_processed
updater | 2026/05/20 09:16:32 INFO Finished job processing
  proxy | 2026/05/20 09:16:32 6/15 calls cached (40%)
  proxy | 2026/05/20 09:16:32 Skipping sending metrics because api endpoint is empty

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

@thavaahariharangit thavaahariharangit requested a review from a team as a code owner May 20, 2026 09:35
Copilot AI review requested due to automatic review settings May 20, 2026 09:35
@github-actions github-actions Bot added the L: github:actions GitHub Actions label May 20, 2026
Contributor

Copilot AI left a comment


Pull request overview

Fixes the github-actions update flow so SHA-based ref rewrites use the same cooldown-filtered decision as latest_version, preventing Dependabot from reporting (and attempting) updates to SHAs that are filtered out by cooldown rules.

Changes:

  • Update latest_commit_sha to prefer latest_version when it’s a SHA String (so cooldown-filtered SHAs are respected).
  • Add/adjust spec coverage to assert SHA alignment with latest_version rather than falling back to branch head behavior.
Summary per file:

  • github_actions/lib/dependabot/github_actions/update_checker.rb: Aligns SHA rewrite selection with cooldown-filtered latest_version to avoid reporting updates to cooled-down SHAs.
  • github_actions/spec/dependabot/github_actions/update_checker_spec.rb: Updates the #latest_commit_sha spec to validate the new alignment behavior using a cooldown-filtered SHA.

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 0
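To make the two paths concrete, here is an added Ruby illustration (not dependabot-core's own code; the class and method names are hypothetical) of the cooldown filter, the pre-fix branch-head rewrite that produced the mismatched summary, and the aligned post-fix selection that the PR description and the review summary above describe, using the SHAs and dates from the reproduced run.

```ruby
require "time"

# Added illustration, not dependabot-core's own code: a constructed model of the
# two github_actions update-checker paths this PR aligns (names hypothetical).
FULL_SHA = /\A[0-9a-f]{40}\z/
Release = Struct.new(:sha, :released_at, keyword_init: true)

class CooldownAwareChecker
  def initialize(current_sha:, releases:, cooldown_days:, now:)
    @current_sha = current_sha
    @releases = releases.sort_by(&:released_at) # oldest first
    @cooldown_seconds = cooldown_days * 86_400
    @now = now
  end

  # Cooldown filter as the PR logs describe it: the newest release at least
  # cooldown_days old wins; with no viable release the current ref is kept.
  def latest_version
    allowed = @releases.reverse.find { |r| @now - r.released_at >= @cooldown_seconds }
    allowed ? allowed.sha : @current_sha
  end
  # Pre-fix path: SHA rewriting used the unfiltered branch head (newest commit).
  def latest_commit_sha_before_fix
    @releases.last.sha
  end
  # Post-fix path: prefer latest_version whenever it already is a full SHA, so
  # the rewritten ref cannot disagree with the cooldown-filtered decision.
  def latest_commit_sha
    lv = latest_version
    lv.is_a?(String) && lv.match?(FULL_SHA) ? lv : latest_commit_sha_before_fix
  end
  # Mirrors the "Changes to Dependabot Pull Requests" row; nil means no update.
  def update_summary(selector)
    target = public_send(selector)
    target == @current_sha ? nil : "from #{@current_sha} to #{target}"
  end
end
# Constructed sample mirroring the PR's run: pinned SHA, a newer commit released
# 11 days before the run, 21-day cooldown (a 7-day cooldown would allow it).
CURRENT_SHA = "1eb2ef646ac0255473d23a5907ad7b04ce94065c"
CANDIDATE_SHA = "5f2d7c5294214f71b873db4b969586b980625e71"
RUN_TIME = Time.parse("2026-05-20 08:12:26 +0000")
SAMPLE_RELEASES = [
  Release.new(sha: CURRENT_SHA, released_at: Time.parse("2026-04-01 00:00:00 +0000")),
  Release.new(sha: CANDIDATE_SHA, released_at: Time.parse("2026-05-09 02:20:17 +0200"))
]
def checker_for(cooldown_days)
  CooldownAwareChecker.new(current_sha: CURRENT_SHA, releases: SAMPLE_RELEASES,
                           cooldown_days: cooldown_days, now: RUN_TIME)
end
```

With the 21-day cooldown, latest_version and the pre-fix rewrite disagree (no update versus a PR to the cooled-down SHA), which is exactly the mismatch in the reproduced run; the post-fix path follows latest_version in both the cooled-down and the allowed case.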

@thavaahariharangit thavaahariharangit linked an issue May 20, 2026 that may be closed by this pull request
1 task
@thavaahariharangit thavaahariharangit merged commit aa7e089 into main May 21, 2026
89 of 90 checks passed
@thavaahariharangit thavaahariharangit deleted the harry/fix-gha-cooldown-sha-version-mismatch branch May 21, 2026 07:27

Labels

L: github:actions GitHub Actions

Development

Successfully merging this pull request may close these issues.

Mutable tags disregard cooldown configurations

3 participants