Don't ever update GitHub Actions unless they are actually pinned

github_actions/lib/dependabot/github_actions/file_parser.rb

@@ -46,7 +46,13 @@ def workfile_file_dependencies(file)
 
         uses_strings.each do |string|
           # TODO: Support Docker references and path references
-          dependency_set << build_github_dependency(file, string) if string.match?(GITHUB_REPO_REFERENCE)
+          next unless string.match?(GITHUB_REPO_REFERENCE)
+
+          dep = build_github_dependency(file, string)
+          git_checker = Dependabot::GitCommitChecker.new(dependency: dep, credentials: credentials)
+          next unless git_checker.pinned?
+
+          dependency_set << dep
         end
 
         dependency_set

github_actions/spec/dependabot/github_actions/file_parser_spec.rb

@@ -30,9 +30,25 @@
     )
   end
 
+  def mock_service_pack_request(nwo)
+    stub_request(:get, "https://github.com/#{nwo}.git/info/refs?service=git-upload-pack").
+      to_return(
+        status: 200,
+        body: fixture("git", "upload_packs", "checkout"),
+        headers: {
+          "content-type" => "application/x-git-upload-pack-advertisement"
+        }
+      )
+  end
+
   describe "parse" do
     subject(:dependencies) { parser.parse }
 
+    before do
+      mock_service_pack_request("actions/checkout")
+      mock_service_pack_request("actions/setup-node")
+    end
+
     its(:length) { is_expected.to eq(2) }
 
     describe "the first dependency" do
@@ -45,24 +61,28 @@
           source: {
             type: "git",
             url: "https://github.com/actions/checkout",
-            ref: "master",
+            ref: "v1",
             branch: nil
           },
-          metadata: { declaration_string: "actions/checkout@master" }
+          metadata: { declaration_string: "actions/checkout@v1" }
         }]
       end
 
       it "has the right details" do
         expect(dependency).to be_a(Dependabot::Dependency)
         expect(dependency.name).to eq("actions/checkout")
-        expect(dependency.version).to be_nil
+        expect(dependency.version).to eq("1")
         expect(dependency.requirements).to eq(expected_requirements)
       end
     end
 
     context "with a path" do
       let(:workflow_file_fixture_name) { "workflow_monorepo.yml" }
 
+      before do
+        mock_service_pack_request("actions/aws")
+      end
+
       its(:length) { is_expected.to eq(2) }
 
       describe "the last dependency" do
@@ -75,28 +95,28 @@
             source: {
               type: "git",
               url: "https://github.com/actions/aws",
-              ref: "master",
+              ref: "v1.0.0",
               branch: nil
             },
-            metadata: { declaration_string: "actions/aws/ec2@master" }
+            metadata: { declaration_string: "actions/aws/ec2@v1.0.0" }
           }, {
             requirement: nil,
             groups: [],
             file: ".github/workflows/workflow.yml",
             source: {
               type: "git",
               url: "https://github.com/actions/aws",
-              ref: "master",
+              ref: "v1.0.0",
               branch: nil
             },
-            metadata: { declaration_string: "actions/aws@master" }
+            metadata: { declaration_string: "actions/aws@v1.0.0" }
           }]
         end
 
         it "has the right details" do
           expect(dependency).to be_a(Dependabot::Dependency)
           expect(dependency.name).to eq("actions/aws")
-          expect(dependency.version).to be_nil
+          expect(dependency.version).to eq("1.0.0")
           expect(dependency.requirements).to eq(expected_requirements)
         end
       end
@@ -118,17 +138,6 @@
             branch: nil
           },
           metadata: { declaration_string: "actions/[email protected]" }
-        }, {
-          requirement: nil,
-          groups: [],
-          file: ".github/workflows/workflow.yml",
-          source: {
-            type: "git",
-            url: "https://github.com/actions/checkout",
-            ref: "master",
-            branch: nil
-          },
-          metadata: { declaration_string: "actions/checkout@master" }
         }]
       end
 
@@ -193,6 +202,12 @@
 
       its(:length) { is_expected.to eq(4) }
 
+      before do
+        mock_service_pack_request("docker/setup-qemu-action")
+        mock_service_pack_request("docker/setup-buildx-action")
+        mock_service_pack_request("docker/login-action")
+      end
+
       context "the first dependency" do
         subject(:dependency) { dependencies.first }
 
@@ -245,20 +260,6 @@
 
     context "with a semver tag pinned to a reusable workflow commit" do
       let(:workflow_file_fixture_name) { "workflow_semver_reusable.yml" }
-      let(:service_pack_url) do
-        "https://github.com/actions/checkout.git/info/refs" \
-          "?service=git-upload-pack"
-      end
-      before do
-        stub_request(:get, service_pack_url).
-          to_return(
-            status: 200,
-            body: fixture("git", "upload_packs", "checkout"),
-            headers: {
-              "content-type" => "application/x-git-upload-pack-advertisement"
-            }
-          )
-      end
 
       its(:length) { is_expected.to eq(1) }
 

github_actions/spec/dependabot/github_actions/file_updater_spec.rb

@@ -116,7 +116,7 @@
                 ref: "v1.1.0",
                 branch: nil
               },
-              metadata: { declaration_string: "actions/aws/ec2@master" }
+              metadata: { declaration_string: "actions/aws/ec2@v1.0.0" }
             }, {
               requirement: nil,
               groups: [],
@@ -127,7 +127,7 @@
                 ref: "v1.1.0",
                 branch: nil
               },
-              metadata: { declaration_string: "actions/aws@master" }
+              metadata: { declaration_string: "actions/aws@v1.0.0" }
             }],
             previous_requirements: [{
               requirement: nil,
@@ -136,21 +136,21 @@
               source: {
                 type: "git",
                 url: "https://github.com/actions/aws",
-                ref: "master",
+                ref: "v1.0.0",
                 branch: nil
               },
-              metadata: { declaration_string: "actions/aws/ec2@master" }
+              metadata: { declaration_string: "actions/aws/ec2@v1.0.0" }
             }, {
               requirement: nil,
               groups: [],
               file: ".github/workflows/workflow.yml",
               source: {
                 type: "git",
                 url: "https://github.com/actions/aws",
-                ref: "master",
+                ref: "v1.0.0",
                 branch: nil
               },
-              metadata: { declaration_string: "actions/aws@master" }
+              metadata: { declaration_string: "actions/aws@v1.0.0" }
             }],
             package_manager: "github_actions"
           )

github_actions/spec/fixtures/workflow_files/workflow.yml

@@ -7,10 +7,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v1
 
     - name: Use Node.js 10.x
-      uses: actions/setup-node@master
+      uses: actions/setup-node@v1
       with:
         version: 10.x
 

github_actions/spec/fixtures/workflow_files/workflow_monorepo.yml

@@ -7,10 +7,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v1
 
     - name: Use Node.js 10.x
-      uses: actions/aws/ec2@master
+      uses: actions/aws/ec2@v1.0.0
       with:
         version: 10.x
 
@@ -28,6 +28,6 @@ jobs:
     - uses: actions/checkout@master
 
     - name: Use Node.js ${{matrix.node}}.x
-      uses: actions/aws@master
+      uses: actions/aws@v1.0.0
       with:
         version: ${{matrix.node}}.x