Never change version precision of actions chosen by users

github_actions/lib/dependabot/github_actions/update_checker.rb

@@ -98,25 +98,15 @@ def latest_version_tag
           latest_tags = git_commit_checker.local_tags_for_latest_version_commit_sha
 
           # Find the latest version with the same precision as the pinned version.
-          # Falls back to a version with the closest precision if no exact match.
-          current_dots = dependency.version.split(".").length
-          latest_tags.max do |a, b|
-            next a[:version] <=> b[:version] unless shortened_semver_version_eq?(a[:version], b[:version])
-
-            a_dots = a[:version].to_s.split(".").length
-            b_dots = b[:version].to_s.split(".").length
-            a_diff = (a_dots - current_dots).abs
-            b_diff = (b_dots - current_dots).abs
-            next -(a_diff <=> b_diff) unless a_diff == b_diff
-
-            # preference to a less specific version if we have a tie
-            next 1 if a_dots < current_dots
-
-            -1
-          end
+          current_precision = precision(dependency.version)
+          latest_tags.select { |tag| precision(tag[:version].to_s) == current_precision }.max_by { |tag| tag[:version] }
         end
       end
 
+      def precision(version)
+        version.split(".").length
+      end
+
       def updated_source
         # TODO: Support Docker sources
         return dependency_source_details unless git_dependency?
@@ -193,13 +183,6 @@ def shortened_semver_eq?(base, other)
         other_split[0..base_split.length - 1] == base_split
       end
 
-      def shortened_semver_version_eq?(base_version, other_version)
-        base = base_version.to_s
-        other = other_version.to_s
-
-        shortened_semver_eq?(base, other) || shortened_semver_eq?(other, base)
-      end
-
       def find_container_branch(sha)
         SharedHelpers.run_shell_command("git fetch #{current_commit}")
 

github_actions/spec/dependabot/github_actions/update_checker_spec.rb

@@ -303,35 +303,35 @@
         let(:reference) { "v1" }
         let(:latest_versions) { ["2.1", "2.1.0"] }
 
-        it "chooses the closest precision version" do
-          expect(subject).to eq(Dependabot::GithubActions::Version.new("2.1"))
+        it "does not choose a version with different precision" do
+          expect(subject).to be_nil
         end
       end
 
       context "using the major minor version" do
         let(:reference) { "v1.0" }
         let(:latest_versions) { ["2", "2.1.0"] }
 
-        it "choses the lower precision version when equidistant" do
-          expect(subject).to eq(Dependabot::GithubActions::Version.new("2"))
+        it "does not choose a version with different precision" do
+          expect(subject).to be_nil
         end
       end
 
       context "using the full version" do
         let(:reference) { "v1.0.0" }
         let(:latest_versions) { ["2", "2.1"] }
 
-        it "chooses the closest precision version" do
-          expect(subject).to eq(Dependabot::GithubActions::Version.new("2.1"))
+        it "does not choose a version with different precision" do
+          expect(subject).to be_nil
         end
       end
 
-      context "when a lower version is tagged to the same commit" do
+      context "using the full version" do
         let(:reference) { "v1.0.0" }
         let(:latest_versions) { ["1.0.5", "2", "2.1"] }
 
-        it "chooses the closest precision of the latest version" do
-          expect(subject).to eq(Dependabot::GithubActions::Version.new("2.1"))
+        it "chooses a higher version with the same precision" do
+          expect(subject).to eq(Dependabot::GithubActions::Version.new("1.0.5"))
         end
       end
     end