Only update comments that end with the version

If the version in a comment is followed by additional text, it could be documentation explaining some behavior, rather than a tag corresponding to the SHA in the action version. To be safe, don't update the version unless it's the end of the comment.
dependabot · Oct 31, 2022 · a459c88 · a459c88
1 parent 6a9b691
commit a459c88
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 1 deletion.
diff --git a/github_actions/lib/dependabot/github_actions/file_updater.rb b/github_actions/lib/dependabot/github_actions/file_updater.rb
@@ -87,7 +87,9 @@ def updated_workflow_file_content(file)
 
       def updated_version_comment(comment, new_req)
         raise "No comment!" unless comment
+        comment = comment.rstrip
         return unless dependency.previous_version && dependency.version
+        return unless comment.end_with? dependency.previous_version
 
         git_checker = Dependabot::GitCommitChecker.new(dependency: dependency, credentials: credentials)
         return unless git_checker.ref_looks_like_commit_sha?(new_req.fetch(:source).fetch(:ref))

diff --git a/github_actions/spec/dependabot/github_actions/file_updater_spec.rb b/github_actions/spec/dependabot/github_actions/file_updater_spec.rb
@@ -375,7 +375,7 @@
         end
         it "updates version comment" do
           new_sha = dependency.requirements.first.dig(:source, :ref)
-          expect(subject.content).not_to match(/@#{new_sha}\s+#.*#{dependency.previous_version}/)
+          expect(subject.content).not_to match(/@#{new_sha}\s+#.*#{dependency.previous_version}\s*$/)
 
           expect(subject.content).to include "# v#{dependency.version}"
           expect(subject.content).to include "# #{dependency.version}"
@@ -387,6 +387,10 @@
           old_version = dependency.previous_requirements[1].dig(:source, :ref)
           expect(subject.content).not_to match(/@#{old_version}\s+#.*#{dependency.version}/)
         end
+        it "doesn't update version comments in the middle of sentences" do
+          expect(subject.content).to include "Versions older than v#{dependency.previous_version} have a security vulnerability"
+          expect(subject.content).not_to include "Versions older than v#{dependency.version} have a security vulnerability"
+        end
       end
     end
   end

diff --git a/github_actions/spec/fixtures/workflow_files/pinned_sources_version_comments.yml b/github_actions/spec/fixtures/workflow_files/pinned_sources_version_comments.yml
@@ -11,7 +11,20 @@ jobs:
     - uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 # tag=v2.1.0
     - uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81  #   v2.1.0
     - uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 #v2.1.0
+    # The comment on the next line has a trailing tab. The version should still be updated.
+    - uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 #v2.1.0 
     - uses: actions/checkout@01aecc # v2.1.0
   integration:
     - uses: actions/[email protected] # comments that include the version (v2.1.0) shouldn't be updated for non-SHA refs
     - uses: actions/checkout@01aecc#v2.1.0 # this shouldn't be updated, because the version is part of the ref, not a comment.
+
+    # The version in the comment for the next action shouldn't be updated
+    # because it refers to past behavior.
+    - uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 # Versions older than v2.1.0 have a security vulnerability
+
+    # The versions in the comment for the next action won't be updated.
+    # The first version could be updated, but it's difficult to create
+    # a heuristic that recognizes the first version as a version alias
+    # for the SHA commit, and the second version as a concrete version
+    # that shouldn't change. For simplicity, we don't update either.
+    - uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 # v2.1.0 - Versions older than v2.1.0 have a security vulnerability