fix(manager/github-actions): disable updates for bare SHA pins without version comment (renovatebot#42398)

* fix(manager/github-actions): disable updates for naked SHA pins without version comment

* docs(manager/github-actions): document disabled updates for bare SHA pins

* test(manager/github-actions): use single toEqual for version comment assertions

* docs(manager/github-actions): recommend version comment as primary fix for bare SHA pins

* fix(manager/github-actions): add skipReason for naked SHA pins

* docs(manager/github-actions): remove package rule example for re-enabling bare SHA updates

Co-authored-by: Jamie Tanna <github@jamietanna.co.uk>

---------

Co-authored-by: Jamie Tanna <github@jamietanna.co.uk>

Author: shaanmajid

lib/modules/manager/github-actions/__snapshots__/extract.spec.ts.snap

@@ -41,7 +41,9 @@ exports[`modules/manager/github-actions/extract > extractPackageFile() > extract
     "datasource": "github-tags",
     "depName": "docker/setup-qemu-action",
     "depType": "action",
+    "enabled": false,
     "replaceString": "docker/setup-qemu-action@c308fdd69d26ed66f4506ebd74b180abe5362145",
+    "skipReason": "unversioned-reference",
     "versioning": "docker",
   },
   {

lib/modules/manager/github-actions/extract.spec.ts

@@ -524,6 +524,93 @@ describe('modules/manager/github-actions/extract', () => {
       });
     });
 
+    it('disables naked SHA pins without version comment', () => {
+      const res = extractPackageFile(
+        codeBlock`
+        jobs:
+          build:
+            steps:
+              - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        `,
+        'workflow.yml',
+      );
+      expect(res?.deps[0]).toMatchObject({
+        depName: 'actions/checkout',
+        currentDigest: 'c85c95e3d7251135ab7dc9ce3241c5835cc595a9',
+        currentValue: undefined,
+        enabled: false,
+        skipReason: 'unversioned-reference',
+      });
+    });
+
+    it('disables naked short SHA pins without version comment', () => {
+      const res = extractPackageFile(
+        codeBlock`
+        jobs:
+          build:
+            steps:
+              - uses: actions/checkout@c85c95e
+        `,
+        'workflow.yml',
+      );
+      expect(res?.deps[0]).toMatchObject({
+        depName: 'actions/checkout',
+        currentDigestShort: 'c85c95e',
+        currentValue: undefined,
+        enabled: false,
+        skipReason: 'unversioned-reference',
+      });
+    });
+
+    it('does not disable SHA pins with version comment', () => {
+      const res = extractPackageFile(
+        codeBlock`
+        jobs:
+          build:
+            steps:
+              - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v4
+        `,
+        'workflow.yml',
+      );
+      expect(res?.deps[0]).toEqual({
+        depName: 'actions/checkout',
+        commitMessageTopic: '{{{depName}}} action',
+        versioning: 'docker',
+        depType: 'action',
+        replaceString:
+          'actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v4',
+        autoReplaceStringTemplate:
+          '{{depName}}@{{#if newDigest}}{{newDigest}}{{#if newValue}} # {{newValue}}{{/if}}{{/if}}{{#unless newDigest}}{{newValue}}{{/unless}}',
+        currentValue: 'v4',
+        currentDigest: 'c85c95e3d7251135ab7dc9ce3241c5835cc595a9',
+        datasource: 'github-tags',
+      });
+    });
+
+    it('does not disable short SHA pins with version comment', () => {
+      const res = extractPackageFile(
+        codeBlock`
+        jobs:
+          build:
+            steps:
+              - uses: actions/checkout@c85c95e # v4
+        `,
+        'workflow.yml',
+      );
+      expect(res?.deps[0]).toEqual({
+        depName: 'actions/checkout',
+        commitMessageTopic: '{{{depName}}} action',
+        versioning: 'docker',
+        depType: 'action',
+        replaceString: 'actions/checkout@c85c95e # v4',
+        autoReplaceStringTemplate:
+          '{{depName}}@{{#if newDigest}}{{newDigest}}{{#if newValue}} # {{newValue}}{{/if}}{{/if}}{{#unless newDigest}}{{newValue}}{{/unless}}',
+        currentValue: 'v4',
+        currentDigestShort: 'c85c95e',
+        datasource: 'github-tags',
+      });
+    });
+
     it('extracts actions with fqdn', () => {
       const res = extractPackageFile(
         codeBlock`

lib/modules/manager/github-actions/extract.ts

@@ -130,6 +130,11 @@ function extractRepositoryAction(
     dep.currentValue = ref;
   }
 
+  if (!dep.currentValue) {
+    dep.enabled = false;
+    dep.skipReason = 'unversioned-reference';
+  }
+
   const isVersionLike =
     dep.currentValue && versionLikeRe.test(dep.currentValue);
   if (!dep.datasource && dep.currentValue && !isVersionLike) {

lib/modules/manager/github-actions/readme.md

@@ -39,6 +39,9 @@ If you want to automatically pin action digests add the `helpers:pinGitHubAction
 }
 ```
 
+Actions pinned to a bare SHA without a version comment are disabled by default, because Renovate cannot determine which branch or tag the SHA belongs to.
+To enable updates, add a tag or branch name as a version comment, as shown above.
+
 ### Non-semver refs (branches and feature tags)
 
 Renovate supports GitHub Actions that reference non-semver refs like branch names (`main`, `master`) or feature-oriented tags (`cargo-llvm-cov`).