fix(github_actions): Use tagged release commit for SHA-pinned refs without local tag

[scottschreckengaust]

Summary

When a SHA-pinned GitHub Action ref has no matching version tag (local_tag_for_pinned_sha returns nil), latest_commit_sha previously fell through to latest_commit_for_pinned_ref which resolved to the HEAD of the containing branch — an untagged commit. This caused:

• Updates pointing at untagged commits (often on main) instead of tagged release commits (often on releases/vN)
• Version comments left stale and misleading (e.g., # v4.31.9 when the SHA is actually an unrelated main branch HEAD)
• A self-perpetuating cycle: once an untagged SHA enters a workflow, every subsequent update takes the same wrong path

This is especially common with action repos using a release branch workflow like github/codeql-action (tags on releases/v4, development on main).

Changes

• update_checker.rb: Simplified latest_commit_sha to always use new_tag.fetch(:commit_sha) when a latest version tag exists. Removed the now-unused source_checker parameter, the local_tag_for_pinned_sha gate, and the dead latest_commit_for_pinned_ref / find_container_branch methods.
• package_details_fetcher.rb: Same fix — always return T.must(latest_version_tag).fetch(:version) for SHA-pinned refs. Removed dead methods and the now-unnecessary rubocop:disable Metrics/PerceivedComplexity directive.
• update_checker_spec.rb: Added new test for the bug scenario. Consolidated the four identical "git commit SHA not pointing to tip of branch" sub-contexts (default branch, different branch, multiple branches with/without default) into a single test — since find_container_branch was removed, branch membership no longer affects behavior, and RuboCop flagged the repeated bodies (RSpec/RepeatedExampleGroupBody). Updated remaining tests to expect tagged versions instead of branch HEAD commits.
• package_details_fetcher_spec.rb: Updated "realworld repository" and "tip of master" tests to expect tagged versions instead of branch HEAD commits.
• latest_version_finder_spec.rb: Updated SHA-at-branch-tip test to expect tagged version instead of commit SHA.

Root Cause

# Before (buggy):
def latest_commit_sha(source_checker)
  new_tag = T.must(latest_version_finder).latest_version_tag
  return unless new_tag
  if source_checker.local_tag_for_pinned_sha
    new_tag.fetch(:commit_sha)       # Only when current SHA has a tag
  else
    latest_commit_for_pinned_ref     # BUG: returns untagged branch HEAD
  end
end

# After (fixed):
def latest_commit_sha
  new_tag = T.must(latest_version_finder).latest_version_tag
  return unless new_tag
  new_tag.fetch(:commit_sha)         # Always use the tagged release commit
end

The else branch was only reachable when new_tag already existed (we return nil before it), making it contradictory to ignore the resolved tag and return a branch HEAD instead.

Test plan

• New test: SHA-pinned ref without local tag resolves to tagged release commit SHA
• Updated existing tests for new behavior (tagged version instead of branch HEAD)
• Consolidated repeated RSpec context bodies to fix RSpec/RepeatedExampleGroupBody lint
• Wrapped nilable latest_version_tag with T.must() for Sorbet compliance
• Removed stale rubocop:disable Metrics/PerceivedComplexity directive
• update_checker_spec.rb: 83 examples, 0 failures
• package_details_fetcher_spec.rb: 21 examples, 0 failures
• latest_version_finder_spec.rb: passing
• Manual verification with dependabot/cli against a repo using github/codeql-action SHA pins

Fixes #14716
Related: #7912, #8011, #13466, #14685

🤖 Generated with Claude Code