fix: correct bounds out of range error#130
Conversation
|
In addition to the example shared above, this change would resolve panic issues for other heavily used actions, such as actions/github-script v8.0.0 release (which is tied to tag Merging this fix would remove a reoccurring burden when setting up new workflows! |
sethvargo
left a comment
There was a problem hiding this comment.
Could you add a test or two for this? I think this might be introducing another subtle bug.
| if strings.Count(version, ".") < strings.Count(githubRef.ref, ".") { | ||
| version = githubRef.ref | ||
| } | ||
| if strings.HasPrefix(ref, "v") { | ||
| refPrecision := strings.Count(githubRef.ref, ".") | ||
| versionParts := strings.Split(*release.TagName, ".") | ||
| versionParts := strings.Split(version, ".") |
There was a problem hiding this comment.
Does this produce the correct result when the latest release has a different major version with fewer dots? If *release.TagName is v4 and githubRef.ref is v3.0.0, the condition strings.Count("v4", ".") < strings.Count("v3.0.0", ".") is true, so version becomes v3.0.0. The function then returns the user's stale ref instead of the latest release. The dot-count comparison assumes both values refer to the same version at different precisions, but nothing enforces that. A bounds check on versionParts before slicing (or padding the release tag with .0 segments) would fix the panic without this risk.
There was a problem hiding this comment.
Good point, this should be addressed in the newest commit. Thanks for the review.
When a GitHub release uses a floating tag (e.g. v3) but the workflow references a specific version (e.g. v3.0.0), LatestVersion panicked with a slice bounds out of range error. To fix this, we pad the release tag with .0 segments to match the requested precision. This ensures version upgrades work correctly for different prevision levels.
553421b to
92c975b
Compare
The Actions.LatestVersion function previously assumed that release.TagName and githubRef.ref had the same precision. This was not always true.
In some cases the release is on a floating tag like
v3and the GitHub ref comes back asv3.0.0- in this case the LatestVersion function panics with a slice bounds out of range error. This is corrected by checking the precision of the release tag against the GitHub ref prior to manipulation.Test file:
Current behavior:
New behavior:
All existing test cases still pass without modification.