Fix updating GitHub Actions with mixed versions

dependabot · Dec 28, 2022 · bac23a3 · bac23a3
1 parent 06702c8
commit bac23a3
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 14 deletions.
diff --git a/common/lib/dependabot/file_parsers/base/dependency_set.rb b/common/lib/dependabot/file_parsers/base/dependency_set.rb
@@ -117,19 +117,10 @@ def <<(dep)
 
           # Produces a new dependency by merging the attributes of `old_dep` with those of
           # `new_dep`. Requirements and subdependency metadata will be combined and deduped.
-          # The version of the combined dependency is determined by the logic below.
+          # The version of the combined dependency is determined by the
+          # `#combined_version` method below.
           def combined_dependency(old_dep, new_dep)
-            version = if old_dep.top_level? # Prefer a direct dependency over a transitive one
-                        old_dep.version || new_dep.version
-                      elsif !version_class.correct?(new_dep.version)
-                        old_dep.version
-                      elsif !version_class.correct?(old_dep.version)
-                        new_dep.version
-                      elsif version_class.new(new_dep.version) > version_class.new(old_dep.version)
-                        old_dep.version
-                      else
-                        new_dep.version
-                      end
+            version = combined_version(old_dep, new_dep)
             requirements = (old_dep.requirements + new_dep.requirements).uniq
             subdependency_metadata = (
               (old_dep.subdependency_metadata || []) +
@@ -145,6 +136,22 @@ def combined_dependency(old_dep, new_dep)
             )
           end
 
+          def combined_version(old_dep, new_dep)
+            if old_dep.version.nil? ^ new_dep.version.nil?
+              [old_dep, new_dep].find(&:version).version
+            elsif old_dep.top_level? ^ new_dep.top_level? # Prefer a direct dependency over a transitive one
+              [old_dep, new_dep].find(&:top_level?).version
+            elsif !version_class.correct?(new_dep.version)
+              old_dep.version
+            elsif !version_class.correct?(old_dep.version)
+              new_dep.version
+            elsif version_class.new(new_dep.version) > version_class.new(old_dep.version)
+              old_dep.version
+            else
+              new_dep.version
+            end
+          end
+
           def version_class
             @version_class ||= Utils.version_class_for_package_manager(@combined.package_manager)
           end

diff --git a/github_actions/lib/dependabot/github_actions/update_checker.rb b/github_actions/lib/dependabot/github_actions/update_checker.rb
@@ -33,10 +33,9 @@ def lowest_resolvable_security_fix_version
         lowest_security_fix_version
       end
 
-      def updated_requirements # rubocop:disable Metrics/PerceivedComplexity
+      def updated_requirements
         previous = dependency_source_details
         updated = updated_source
-        return dependency.requirements if updated == previous
 
         # Maintain a short git hash only if it matches the latest
         if previous[:type] == "git" &&