pre-commit updater mishandles SHA-pinned hooks when cooldown is enabled

[jmatsuzawa]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

pre-commit

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

https://github.com/jmatsuzawa/dependabot-pre-commit-cooldown-debug/blob/78769337bcc0fe9c73ab99ebe9ed419602685112/.pre-commit-config.yaml

dependabot.yml content

https://github.com/jmatsuzawa/dependabot-pre-commit-cooldown-debug/blob/78769337bcc0fe9c73ab99ebe9ed419602685112/.github/dependabot.yml

Updated dependency

• name: https://github.com/pre-commit/pre-commit-hooks
• to: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # frozen: v6.0.0
• from: cef0300fd0fc4d2a87a85fa2093c6b283ea36f4b # frozen: v5.0.0

What you expected to see, versus what you actually saw

Expected results

The pre-commit updater updates dependencies with SHA-pinned revision, when cooldown is enabled and the cooldown period has passed since new versions were released.

Actual results

The updater falsely flags all candidate versions as being in cooldown.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: cef0300fd0fc4d2a87a85fa2093c6b283ea36f4b  # frozen: v5.0.0
    hooks:
      - id: check-yaml

It is the same as the section "Manifest location and content before the Dependabot update"

[AbhishekBhaskar]

@jmatsuzawa this issue should be fixed now. Please let me know if its still reproducible and I'll have a further look. Thanks!

[jmatsuzawa]

@AbhishekBhaskar It works. Thank you for fixing it!