Respect tag format also when updating actions pinned to SHAs

common/lib/dependabot/git_commit_checker.rb

@@ -146,9 +146,9 @@ def most_specific_tag_equivalent_to_pinned_ref
     end
 
     def local_tag_for_pinned_sha
-      return unless pinned_ref_looks_like_commit_sha?
+      return @local_tag_for_pinned_sha if defined?(@local_tag_for_pinned_sha)
 
-      most_specific_version_tag_for_sha(ref)
+      @local_tag_for_pinned_sha = most_specific_version_tag_for_sha(ref) if pinned_ref_looks_like_commit_sha?
     end
 
     def git_repo_reachable?
@@ -349,10 +349,18 @@ def version_tag?(tag)
     end
 
     def matches_existing_prefix?(tag)
-      return true unless ref_or_branch&.match?(VERSION_REGEX)
+      return true unless ref_or_branch
 
-      ref_or_branch.gsub(VERSION_REGEX, "").gsub(/v$/i, "") ==
-        tag.gsub(VERSION_REGEX, "").gsub(/v$/i, "")
+      if version_tag?(ref_or_branch)
+        same_prefix?(ref_or_branch, tag)
+      else
+        local_tag_for_pinned_sha.nil? || same_prefix?(local_tag_for_pinned_sha, tag)
+      end
+    end
+
+    def same_prefix?(tag, other_tag)
+      tag.gsub(VERSION_REGEX, "").gsub(/v$/i, "") ==
+        other_tag.gsub(VERSION_REGEX, "").gsub(/v$/i, "")
     end
 
     def to_local_tag(tag)

github_actions/spec/dependabot/github_actions/update_checker_spec.rb

@@ -385,6 +385,14 @@
 
         it { is_expected.to eq(Gem::Version.new("1.1.0")) }
       end
+
+      context "and there's a higher version tag, but one not matching the existing tag format" do
+        let(:upload_pack_fixture) { "codeql" }
+        let(:v2_3_6_tag_sha) { "83f0fe6c4988d98a455712a27f0255212bba9bd4" }
+        let(:reference) { v2_3_6_tag_sha }
+
+        it { is_expected.to eq(Gem::Version.new("2.3.6")) }
+      end
     end
 
     context "given a dependency with multiple git refs" do