Fix github actions versions comment not updated in an edge case
What are you trying to accomplish?
If you have something like
uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
in your workflow file, Dependabot is able to update the ref, but fails to update the version comment.
The reason is that the specific pinned ref matches two tags, v3.29.5 and v3.29.7, and Dependabot was only considering the latter for replacing the version.
This commit changes Dependabot to consider all matching tags.
Fixes #12879. Fixes #12995. Fixes #13037. Fixes #13197.
Anything you want to highlight for special attention from reviewers?
No.
How will you know you've accomplished your goal?
I reproduced the error and checked that it's fixed using bin/dry-run.rb, although I had to manually edit it to work around the issue fixed by #12898.
Checklist
- [x] I have run the complete test suite to ensure all tests and linters pass.
- [x] I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
- [x] I have written clear and descriptive commit messages.
- [x] I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
- [x] I have ensured that the code is well-documented and easy to understand.
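As an added illustration of the mechanism described in the PR body above (example code written for this page, not dependabot-core's own implementation): the tag-to-commit map is constructed sample data in which two tags point at the same commit, the third SHA is made up, and the `consider_all_matching_tags:` keyword is a hypothetical switch used only to contrast the old single-tag behaviour with the fix. `comment_consistent?` is the mismatch check implied by the "mismatching SHAs/version comments" point later in the thread.

```ruby
require "rubygems" # Gem::Version, for ordering tags

# Constructed sample of parsed `git ls-remote --tags` output.
# Two tags resolve to the same commit, as in the PR description.
TAGS = {
  "v3.29.5" => "51f77329afa6477de8c49fc9c7046c15b9a4e79d",
  "v3.29.7" => "51f77329afa6477de8c49fc9c7046c15b9a4e79d",
  "v3.30.0" => "0f1b3a4c5d6e7f8091a2b3c4d5e6f708192a3b4c", # made-up SHA
}.freeze

# `uses: owner/repo/path@<sha> # <version comment>` with optional list dash.
USES_RE = %r{
  \A(?<head>\s*(?:-\s+)?uses:\s*)
  (?<repo>[^@\s]+)@(?<ref>[0-9a-f]{7,40})
  (?<tail>\s*(?:\#\s*(?<comment>\S+))?.*)\z
}x

def version_of(tag)
  Gem::Version.new(tag.delete_prefix("v"))
end

# Every tag that points at the pinned commit; there may be several.
def tags_for_sha(sha, tags)
  tags.select { |_, commit| commit.start_with?(sha) }.keys
end

def latest_tag(tags)
  tags.keys.max_by { |tag| version_of(tag) }
end

# Update the pinned SHA and, when the existing version comment names any tag
# that resolves to the old SHA, the comment as well.
# consider_all_matching_tags: false reproduces the bug: only the highest
# matching tag is compared against the comment, so a comment naming an
# older tag for the same commit is left stale.
def update_uses_line(line, tags: TAGS, consider_all_matching_tags: true)
  m = USES_RE.match(line)
  return line unless m

  new_tag = latest_tag(tags)
  new_sha = tags[new_tag]
  return line if m[:ref] == new_sha # already pinned to the latest tag

  matching = tags_for_sha(m[:ref], tags).sort_by { |tag| version_of(tag) }
  matching = matching.last(1) unless consider_all_matching_tags

  tail = m[:tail]
  comment = m[:comment]
  tail = tail.sub(comment, new_tag) if comment && matching.include?(comment)

  "#{m[:head]}#{m[:repo]}@#{new_sha}#{tail}"
end

# Does the version comment name a tag that actually points at the pinned SHA?
# Lines without a `uses:` pin or without a comment are treated as consistent.
def comment_consistent?(line, tags: TAGS)
  m = USES_RE.match(line)
  return true unless m && m[:comment]

  tags_for_sha(m[:ref], tags).include?(m[:comment])
end

if $PROGRAM_NAME == __FILE__
  line = "uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5"
  puts "fixed:  #{update_uses_line(line)}"
  puts "buggy:  #{update_uses_line(line, consider_all_matching_tags: false)}"
end
```

With the flag off, the buggy path compares the comment `v3.29.5` only against `v3.29.7`, updates the SHA and leaves the comment behind, which is exactly the mismatched pin the fix removes; `comment_consistent?` returns false for that output.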
Just noticed that this also fixes https://github.com/dependabot/dependabot-core/issues/12879, and that a copilot-driven fix was started two weeks ago at #12916. @kbukum1 feel free to close this or edit it as you see fit.
Updated to also add https://github.com/dependabot/dependabot-core/issues/13037 as one more issue this PR will fix.
@deivid-rodriguez thank you for your contribution, we have reviewed the fix, it works as expected, and we will merge it shortly.
I rebased to try to get the CI green, but it's still failing. Given the failures are for different ecosystems, I guess I'm just being unlucky!
Well, the vcpkg smoke tests do seem broken. Happy to take a stab at fixing them if necessary.
It seems that the tests of multiple ecosystems need to be regenerated
Added #13197 to the list of issues that this PR will close. Also will rebase in case the whole smoke test situation has improved.
Awesome work as always, thank you 🚀
Ping @a-schur could you please review this? Issues keep accumulating when we have a fix :)
@thavaahariharangit @markhallen I noticed you worked on this area of Dependabot recently via #13354
Is there any chance you can review this too?
Thanks!
👋 Another request to see this fix merged 🥺
For impact, as of the time of writing, there are:
- 1.4k public repos claiming to be using v3.29.5
- 236 public repos using the SHA from v3.29.5
This means 1,150+ public repos have mismatching SHAs/version comments. These cause Code Scanning alerts 👇
@a-schur Any chance you can take a second look? Thanks!