Affected Workflow
Security (go-security, pr-security-scan)
Workflow Version / Ref
@main
Bug Description
The prerelease-check action flags `github.com/hashicorp/hcl v1.0.1-vault-7 // indirect` as a pre-release dependency. The regex `[0-9]+\.[0-9]+\.[0-9]+-[a-zA-Z]` matches any version whose hyphen suffix starts with a letter, so it also catches HashiCorp's stable vendor-fork notation (`-vault-N`). This produces false positives on known-good vendor-suffixed releases.
Steps to Reproduce
- Add `github.com/hashicorp/hcl v1.0.1-vault-7` (indirect) to a Go module's go.mod.
- Run the security check on a release-candidate or main branch.
- The check fails/blocks (instead of being advisory only) because the suffix `-vault` matches `-[a-zA-Z]`.
Expected Behavior
Only real pre-release suffixes (alpha, beta, rc, dev, preview, canary, snapshot, nightly) should block. Known stable vendor-suffixed releases like -vault-N from HashiCorp should not match.
Suggested Fix
Change PRERELEASE_PATTERN to an allowlist of known pre-release keywords:
[0-9]+\.[0-9]+\.[0-9]+-(alpha|beta|rc|dev|preview|canary|snapshot|nightly)
The keyword should be followed by a boundary (a dot, digit, hyphen, or end of string) so that a keyword is not matched as the prefix of a longer identifier (for example `-dev` inside `-devtools`).
File: src/security/prerelease-check/action.yml (~line 49).
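The reproduction steps and the suggested fix, as an added example that is not the action's own code from src/security/prerelease-check/action.yml. It runs both patterns over a constructed go.mod (the hcl line is the one from this report; the other modules are made up) and prints which modules each pattern would flag. The allowlist variant adds a trailing boundary so `-dev` does not match `-devtools`; the function name `flag_prereleases` and the sample modules are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not the prerelease-check action itself: compare the current
# PRERELEASE_PATTERN with an allowlisted replacement against a constructed go.mod.
set -euo pipefail

# Constructed sample go.mod. Only the hashicorp/hcl line comes from the report;
# the other modules are invented to exercise the patterns.
GOMOD='module example.com/app

go 1.22

require (
    github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
    github.com/some/lib v2.3.0-rc.1
    github.com/other/lib v0.9.0-beta2
    github.com/fine/lib v1.4.2
    github.com/dev/tools v3.0.0-devtools.1
)
'

# Pattern currently in the action (per the report): any letter after the dash.
OLD_PATTERN='[0-9]+\.[0-9]+\.[0-9]+-[a-zA-Z]'

# Proposed allowlist. The trailing group requires a dot, digit, hyphen or end of
# string after the keyword, so "-devtools" is not mistaken for "-dev".
NEW_PATTERN='[0-9]+\.[0-9]+\.[0-9]+-(alpha|beta|rc|dev|preview|canary|snapshot|nightly)([.0-9-]|$)'

# Print the module path of every require line whose version matches $1.
# Only indented "path vX.Y.Z..." lines are considered, so "go 1.22" is skipped.
flag_prereleases() {
  local pattern="$1"
  printf '%s\n' "$GOMOD" \
    | grep -E '^[[:space:]]+[^[:space:]]+[[:space:]]+v[0-9]' \
    | grep -E "$pattern" \
    | awk '{print $1}' || true
}

echo "flagged by current pattern:"
flag_prereleases "$OLD_PATTERN"
echo "flagged by allowlist pattern:"
flag_prereleases "$NEW_PATTERN"
```

With the current pattern, hashicorp/hcl and dev/tools are flagged alongside the genuine rc and beta versions; with the allowlist only the rc and beta versions remain. Note that under SemVer syntax and Go module version ordering any hyphen suffix, `-vault-7` included, is a pre-release identifier; the allowlist encodes a policy decision about which suffixes the project treats as unstable, not a change to how Go orders versions.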
Additional Context
Observed in LerianStudio/midaz#2176. In the develop branch the check is advisory only; in release-candidate it blocks.