Fix updating to tags with a branch with same name

common/lib/dependabot/git_commit_checker.rb

@@ -49,8 +49,14 @@ def pinned?
       return true if branch
       return true if dependency.version&.start_with?(ref)
 
-      # Check the specified `ref` isn't actually a branch
-      !local_upload_pack.match?(%r{ refs/heads/#{ref}$})
+      # If the specified `ref` is actually a tag, we're pinned
+      return true if local_upload_pack.match?(%r{ refs/tags/#{ref}$})
+
+      # If the specified `ref` is actually a branch, we're NOT pinned
+      return false if local_upload_pack.match?(%r{ refs/heads/#{ref}$})
+
+      # Otherwise, assume we're pinned
+      true
     end
 
     def pinned_ref_looks_like_version?

github_actions/spec/dependabot/github_actions/update_checker_spec.rb

@@ -243,6 +243,12 @@
         end
       end
 
+      context "and the latest version being also a branch" do
+        let(:upload_pack_fixture) { "msbuild" }
+
+        it { is_expected.to eq(Dependabot::GithubActions::Version.new("1.1.3")) }
+      end
+
       context "that is a major-only tag of the the latest version" do
         let(:reference) { "v1" }
         it { is_expected.to eq(Dependabot::GithubActions::Version.new("v1")) }

github_actions/spec/fixtures/git/upload_packs/msbuild

@@ -0,0 +1,68 @@
+001e# service=git-upload-pack
+000001560b44c6745b7e81956596964100aadb92d667c497 HEAD multi_ack thin-pack side-band side-band-64k ofs-delta shallow deepen-since deepen-not deepen-relative no-progress include-tag multi_ack_detailed allow-tip-sha1-in-want allow-reachable-sha1-in-want no-done symref=HEAD:refs/heads/master filter object-format=sha1 agent=git/github-gcaaf1c4b6630
+005b0fc2502ca49f277016260bdd89c70e0c16a7cf4e refs/heads/dependabot/npm_and_yarn/ajv-6.12.6
+006db7835cef05cc81bdb8c67ea14346cdcd7c89fd81 refs/heads/dependabot/npm_and_yarn/json-schema-and-jsprim-0.4.0
+005b1d97ad85a9755ff291da008c63fe2b08238535e5 refs/heads/dependabot/npm_and_yarn/tmpl-1.0.5
+003c6a8fedefe94395d1c2193b87c6d83224d6e87569 refs/heads/dev
+003f0b44c6745b7e81956596964100aadb92d667c497 refs/heads/master
+003ffc16ae6170877cd889e5d735ea9d41c2362078b2 refs/heads/v1.0.0
+003f8dc49dbd173d2e84b142c0b65eef06ad36ccc82c refs/heads/v1.0.1
+003fc26a08ba26249b81327e26f6ef381897b6a8754d refs/heads/v1.0.2
+003f9546707e6b8f513d3a2af998e51e3b995c9fbe81 refs/heads/v1.0.3
+003fab534842b4bdf384b8aaf93765dc6f721d9f5fab refs/heads/v1.1.0
+003fb381dbabab030b2d16c2c87be6e0fdfadb75628a refs/heads/v1.1.1
+003fd6496d378fd258c01b23231ffff1e73808f126e7 refs/heads/v1.1.2
+003f34cfbaee7f672c76950673338facd8a73f637506 refs/heads/v1.1.3
+003e2008f912f56e61277eefaac6d1888b750582aa16 refs/pull/1/head
+003f93e160075a116879b0927816549540701146b3e5 refs/pull/11/head
+003fc4f3bee2c44d35fbdd918d508c6bca44132fad82 refs/pull/12/head
+003fc9ef9479351644e79a048f53964bbd9d357ead05 refs/pull/14/head
+003f9c9a1a34a4c6a9f36400e23e479b9c33ec98a4bb refs/pull/15/head
+003ff05df80b32f8b835cfbd3b002f3bb3f59f9a4d43 refs/pull/16/head
+003f341cfb53e30b7748ba6bfdf007e641462556042a refs/pull/17/head
+003f0d4f73260bc92ffdfd6052dd962cc5ccb954575b refs/pull/19/head
+003f06c9a7f31c273c6a22e43aa4e92c2a185a4d9dee refs/pull/21/head
+003fe82103acef14ac8c7dd76d6997a4ba7cfda1bcfc refs/pull/22/head
+004028d2c305055d6141bd15ff04523719117a574a48 refs/pull/22/merge
+003f0b5643901b0999aee1e981a4ae1c8bbf7e90484d refs/pull/23/head
+003fa0858ffef3d2e5dd0a5d785f4875c4b6285add75 refs/pull/25/head
+003fcbeaa72a9f112eb29acac0430556277b10e00a49 refs/pull/31/head
+003f4813f144a2145028fee526004a6b6aac0c2d80a5 refs/pull/37/head
+003f1c5a706e2695e453c6919dd43f598dbd445b73d6 refs/pull/39/head
+003ff00648bcdcfd5713fb8347b4f927ad51fbafc8c7 refs/pull/40/head
+003f7626c90a395f6403e9bf21ea09cd14ef7f000931 refs/pull/46/head
+003fbabd7930ed54e6f5cb5f9ee592b6031216cb4255 refs/pull/51/head
+003f9afe006fef5dd1c8b6ab1eae71caec99bb2f7e5c refs/pull/52/head
+003f047d9a067883f2e2ea6cd9a08bbc2b2d6bbeddb5 refs/pull/53/head
+003f455ec54ae7025c970e5fc4dc9a14283e7298883f refs/pull/56/head
+003f412f2703681bd1e2107f511ab857c92252afb803 refs/pull/57/head
+003e43cd4ebaecd8cd9bf7c95fc18edbdba1252d7482 refs/pull/6/head
+003f9546707e6b8f513d3a2af998e51e3b995c9fbe81 refs/pull/60/head
+003f2cbcfcb79598175f7aebe742012225f5a8657d31 refs/pull/61/head
+003f1d97ad85a9755ff291da008c63fe2b08238535e5 refs/pull/62/head
+00402667aad3e9773cef990d798a6286b44fd72b17f4 refs/pull/62/merge
+003f84e0d709b2c782782b075c1f5a7173b76b6115b2 refs/pull/65/head
+003f281b95dea87d381cd268f481dc51b7ef5da8fa04 refs/pull/66/head
+0040cd91c225762ecb1e922c2b7474c80b35be65019c refs/pull/66/merge
+003fce3de01b52669a228622f9e280b9f068c7cf4163 refs/pull/68/head
+003f0fc2502ca49f277016260bdd89c70e0c16a7cf4e refs/pull/75/head
+00402f7844feb6aa4bf20998c09b4b94ba3b261d970a refs/pull/75/merge
+003f7a1ab92e6cf81d5a6b4797ad4c4dd0cfcb428e80 refs/pull/87/head
+003f50f8578df565ecf193e9bbbf6acd76c66b34d92e refs/pull/89/head
+003e70efaa8b2d06055da6239191f0ae35144119b4c5 refs/pull/9/head
+003fd6496d378fd258c01b23231ffff1e73808f126e7 refs/pull/90/head
+003fb7835cef05cc81bdb8c67ea14346cdcd7c89fd81 refs/pull/91/head
+00408199e0cbd1e75594a89361cf458ee38b093fa95a refs/pull/91/merge
+003f71b0754fb20d8beb7590e2cd1a91a12bbda4324f refs/pull/92/head
+003f34cfbaee7f672c76950673338facd8a73f637506 refs/pull/94/head
+003a127f7c3fc66419bb77fc6703c497db0e1e3e8c74 refs/tags/v1
+003d34cfbaee7f672c76950673338facd8a73f637506 refs/tags/v1^{}
+003e8dc49dbd173d2e84b142c0b65eef06ad36ccc82c refs/tags/v1.0.1
+003ec26a08ba26249b81327e26f6ef381897b6a8754d refs/tags/v1.0.2
+003e9546707e6b8f513d3a2af998e51e3b995c9fbe81 refs/tags/v1.0.3
+003c4ec49e314e52344e4b6e3aba15a3c519f7129419 refs/tags/v1.1
+003f34cfbaee7f672c76950673338facd8a73f637506 refs/tags/v1.1^{}
+003ed6496d378fd258c01b23231ffff1e73808f126e7 refs/tags/v1.1.2
+003e905a7b699b34b9b34158ec6b839167581ce1db62 refs/tags/v1.1.3
+004134cfbaee7f672c76950673338facd8a73f637506 refs/tags/v1.1.3^{}
+0000