
[Bug] Dependency version suffix -vault-N incorrectly flagged as pre-release by security check #526

Description

@gandalf-at-lerian

Affected Workflow

Security (go-security, pr-security-scan)

Workflow Version / Ref

@main

Bug Description

The prerelease-check action flags github.com/hashicorp/hcl v1.0.1-vault-7 // indirect as a pre-release dependency. The regex [0-9]+\.[0-9]+\.[0-9]+-[a-zA-Z] matches any alphabetical suffix after a semver, including HashiCorp's internal stable release notation (-vault-N). This causes false positives on known-good vendor-suffixed releases.

Steps to Reproduce

  1. Add github.com/hashicorp/hcl v1.0.1-vault-7 (indirect) to a Go module's go.mod.
  2. Run the security check on a release-candidate or main branch.
  3. The check fails/blocks (instead of being advisory only) because the suffix -vault matches -[a-zA-Z].

Expected Behavior

Only real pre-release suffixes (alpha, beta, rc, dev, preview, canary, snapshot, nightly) should block. Known stable vendor-suffixed releases like -vault-N from HashiCorp should not match.

Suggested Fix

Change PRERELEASE_PATTERN to an allowlist of known pre-release keywords:

[0-9]+\.[0-9]+\.[0-9]+-(alpha|beta|rc|dev|preview|canary|snapshot|nightly)

File: src/security/prerelease-check/action.yml (~line 49).
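As an added illustration (not code from this issue or from the workflow repository), the two patterns quoted above are applied with Go's standard regexp package to a constructed go.mod require block; the module paths other than hashicorp/hcl, the sample versions and the names oldPattern, allowlistPattern and flaggedModules are assumptions for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed go.mod excerpt (not from the issue): the reported false positive,
// two genuine pre-releases, a Go pseudo-version and a plain stable release.
const sampleGoMod = `module example.com/app

go 1.22

require (
	github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
	github.com/example/lib v1.0.0-rc1
	github.com/example/other v2.0.0-beta.1
	golang.org/x/tools v0.0.0-20230101000000-abcdef123456
	github.com/stable/pkg v1.4.2
)
`

// Pattern the issue reports as current: any letter after the semver dash.
var oldPattern = regexp.MustCompile(`[0-9]+\.[0-9]+\.[0-9]+-[a-zA-Z]`)

// Allowlist pattern proposed in the issue: only known pre-release keywords.
var allowlistPattern = regexp.MustCompile(
	`[0-9]+\.[0-9]+\.[0-9]+-(alpha|beta|rc|dev|preview|canary|snapshot|nightly)`)

// flaggedModules returns the module paths whose version token matches pattern.
func flaggedModules(goMod string, pattern *regexp.Regexp) []string {
	var flagged []string
	for _, line := range strings.Split(goMod, "\n") {
		fields := strings.Fields(line)
		// A require line is "<module path> v<version>", optionally followed by a comment;
		// "module", "go" and "require (" lines have no v-prefixed second field.
		if len(fields) < 2 || !strings.HasPrefix(fields[1], "v") {
			continue
		}
		if pattern.MatchString(fields[1]) {
			flagged = append(flagged, fields[0])
		}
	}
	return flagged
}

func main() {
	fmt.Println("old pattern:      ", flaggedModules(sampleGoMod, oldPattern))
	fmt.Println("allowlist pattern:", flaggedModules(sampleGoMod, allowlistPattern))
}
```

Note that the allowlist is prefix-based and case-sensitive as written: a suffix such as -developer would still match via dev, while -RC1 would not match at all, so anchoring each keyword on a boundary and matching case-insensitively is worth considering when the pattern is changed.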

Additional Context

Observed in LerianStudio/midaz#2176. In the develop branch the check is advisory only; in release-candidate it blocks.

Labels: bug (Something is not working as expected), triage (Needs initial assessment by the DevOps team)
