stacklok / frizbee

Throw a tag at it and it comes back with a checksum.
Apache License 2.0
80 stars 18 forks

actions: expand to the most specific semver tag #184

Open thepwagner opened 2 months ago

thepwagner commented 2 months ago

Please describe the enhancement

Given a reference like actions/checkout@v3.

I'd prefer the pinned version to be: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 instead of actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3

This difference makes the result (including the comment) compatible with Dependabot. Dependabot will update the commit of actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3, but leave the comment at v3.

This should only be done when multiple tags reference the same commit.

Solution Proposal

When pinning, list all tags in the repository. When a commit to be pinned can be resolved to multiple tags, choose the "most specific" tag.

Describe alternatives you've considered

We could wrap frizbee, or use a linter to discourage using major version tags.

This could be WONTFIX, treated as a bug in Dependabot: https://github.com/dependabot/dependabot-core/issues/8011 . (I have not confirmed how RenovateBot handles this case).

Additional context

No response

Acceptance Criteria

  1. Have a repository using actions/checkout@v3.
  2. Run frizbee to pin the actions in the repository.
  3. Enable Dependabot for GitHub Actions: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
  4. Receive a clean pull request upgrading to the latest pinned version (at the time of writing): actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
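The resolution step proposed above (list the tags, find every tag that points at the ref's commit, keep the most specific one), shown as an added example in Go. This is illustrative code written for this page, not frizbee's own implementation and not part of either comment. The tag listing is constructed: the two long SHAs are the ones quoted in the issue, the all-zero value is a placeholder for a commit carrying a single tag. Tie-breaking between equally long tags by the higher version, and leaving non-semver refs such as "latest" untouched, are assumptions of the example rather than behaviour the issue specifies.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// semverTag matches the shapes Actions tags usually take: v3, v3.6, v3.6.0 (leading "v" optional).
var semverTag = regexp.MustCompile(`^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$`)

// parseTag returns the numeric components of a semver-like tag and how many were
// present; ok is false for tags such as "latest" that are not semver-like.
func parseTag(tag string) (parts [3]int, n int, ok bool) {
	m := semverTag.FindStringSubmatch(tag)
	if m == nil {
		return parts, 0, false
	}
	for i := 1; i <= 3 && m[i] != ""; i++ {
		parts[i-1], _ = strconv.Atoi(m[i]) // digits only, so Atoi cannot fail
		n++
	}
	return parts, n, true
}

// moreSpecific reports whether semver-like tag a beats b: more components win
// (v3.6.0 > v3.6 > v3); on equal length the higher version wins (an assumption).
func moreSpecific(a, b string) bool {
	pa, na, _ := parseTag(a)
	pb, nb, _ := parseTag(b)
	if na != nb {
		return na > nb
	}
	for i := 0; i < na; i++ {
		if pa[i] != pb[i] {
			return pa[i] > pb[i]
		}
	}
	return false
}

// MostSpecificTag returns the most specific semver-like tag pointing at the same
// commit as ref. ref comes back unchanged when it is unknown, not semver-like, or
// the only tag on its commit (expansion only when several tags share one commit).
func MostSpecificTag(tags map[string]string, ref string) string {
	sha, known := tags[ref]
	if _, _, ok := parseTag(ref); !known || !ok {
		return ref
	}
	names := make([]string, 0, len(tags))
	for name := range tags {
		names = append(names, name)
	}
	sort.Strings(names) // fixed order so equal-ranked tags resolve deterministically
	best := ref
	for _, name := range names {
		if _, _, ok := parseTag(name); tags[name] == sha && ok && moreSpecific(name, best) {
			best = name
		}
	}
	return best
}

// Pin rewrites "owner/repo@tag" as "owner/repo@sha # tag", with the comment
// expanded so Dependabot's bump of the SHA and of the comment stay in step.
func Pin(tags map[string]string, uses string) (string, error) {
	action, ref, found := strings.Cut(uses, "@")
	if !found {
		return "", fmt.Errorf("no @ref in %q", uses)
	}
	sha, known := tags[ref]
	if !known {
		return "", fmt.Errorf("tag %q not found", ref)
	}
	return fmt.Sprintf("%s@%s # %s", action, sha, MostSpecificTag(tags, ref)), nil
}

// sampleTags is a constructed tag->commit listing modelled on the issue's example;
// the two long SHAs are quoted from the issue, the all-zero value is a placeholder.
var sampleTags = map[string]string{
	"v3":     "f43a0e5ff2bd294095638e18286ca9a3d1956744",
	"v3.6":   "f43a0e5ff2bd294095638e18286ca9a3d1956744",
	"v3.6.0": "f43a0e5ff2bd294095638e18286ca9a3d1956744",
	"v3.5.3": "0000000000000000000000000000000000000000",
	"v4":     "692973e3d937129bcbf40652eb9f2f61becf3332",
	"v4.1.7": "692973e3d937129bcbf40652eb9f2f61becf3332",
	"latest": "692973e3d937129bcbf40652eb9f2f61becf3332",
}

func main() {
	for _, uses := range []string{"actions/checkout@v3", "actions/checkout@v4", "actions/checkout@v3.5.3", "actions/checkout@latest"} {
		if pinned, err := Pin(sampleTags, uses); err != nil {
			fmt.Println("error:", err)
		} else {
			fmt.Println(pinned)
		}
	}
}
```

With the sample listing, actions/checkout@v3 pins to the SHA with the comment "# v3.6.0", which is the form the issue asks for; v3.5.3, the only tag on its commit, is left as written. A real implementation would fill the map from the repository's tag list (for example the GitHub refs API) rather than from a literal.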
jhrozek commented 3 days ago

Sorry that this request went unanswered for such a long time, it simply fell through the cracks during the summer holidays!

I think this makes sense, but I feel there might be an option needed to select between the behaviours.

Thanks for filing the issue!