Implement semver-compatible action pin resolution

Copilot · pelikhan · Copilot · commit f0759ec31704 · 2026-01-05T20:07:36.000Z
- Add extractMajorVersion() and isSemverCompatible() helper functions
- Update GetActionPinWithData() to prefer semver-compatible versions
- When requesting v5, now resolves to v5.0.0 (not v6.0.0)
- When requesting v4, now resolves to v4.6.2 (not v6.0.0)
- Update tests to reflect new semver-compatible behavior

Co-authored-by: pelikhan &lt;4175913+pelikhan@users.noreply.github.com&gt;
diff --git a/pkg/workflow/action_pins.go b/pkg/workflow/action_pins.go
@@ -232,23 +232,38 @@ func GetActionPinWithData(actionRepo, version string, data *WorkflowData) (strin
 		}
 
 		// No exact match found
-		// In non-strict mode, use the first pin we found (which is the highest due to sorting above)
-		// This matches the behavior of GetActionPin and GetActionPinByRepo, which return
-		// "the latest version by semver" without regard to major version boundaries.
-		// This ensures consistency across all action pin lookup functions and satisfies
-		// the requirement to "always pick the highest release according to semver".
+		// In non-strict mode, find the highest semver-compatible version
+		// Semver compatibility means respecting major version boundaries
+		// (e.g., v5 -> highest v5.x.x, not v6.x.x)
 		if !data.StrictMode && len(matchingPins) > 0 {
-			highestPin := matchingPins[0]
-			actionPinsLog.Printf("No exact match for version %s, using highest available: %s", version, highestPin.Version)
+			// Filter for semver-compatible pins (matching major version)
+			var compatiblePins []ActionPin
+			for _, pin := range matchingPins {
+				if isSemverCompatible(pin.Version, version) {
+					compatiblePins = append(compatiblePins, pin)
+				}
+			}
+			
+			// If we found compatible pins, use the highest one (first after sorting)
+			// Otherwise fall back to the highest overall pin
+			var selectedPin ActionPin
+			if len(compatiblePins) > 0 {
+				selectedPin = compatiblePins[0]
+				actionPinsLog.Printf("No exact match for version %s, using highest semver-compatible version: %s", version, selectedPin.Version)
+			} else {
+				selectedPin = matchingPins[0]
+				actionPinsLog.Printf("No exact match for version %s, no semver-compatible versions found, using highest available: %s", version, selectedPin.Version)
+			}
+			
 			// Only emit warning if the version is not a SHA (SHAs shouldn't generate warnings)
 			if !isAlreadySHA {
 				warningMsg := fmt.Sprintf("Unable to resolve %s@%s dynamically, using hardcoded pin for %s@%s",
-					actionRepo, version, actionRepo, highestPin.Version)
+					actionRepo, version, actionRepo, selectedPin.Version)
 				fmt.Fprintln(os.Stderr, console.FormatWarningMessage(warningMsg))
 			}
-			actionPinsLog.Printf("Using highest version in non-strict mode: %s@%s (requested) → %s@%s (used)",
-				actionRepo, version, actionRepo, highestPin.Version)
-			return actionRepo + "@" + highestPin.SHA + " # " + highestPin.Version, nil
+			actionPinsLog.Printf("Using version in non-strict mode: %s@%s (requested) → %s@%s (used)",
+				actionRepo, version, actionRepo, selectedPin.Version)
+			return actionRepo + "@" + selectedPin.SHA + " # " + selectedPin.Version, nil
 		}
 	}
 
diff --git a/pkg/workflow/action_pins_test.go b/pkg/workflow/action_pins_test.go
@@ -666,20 +666,23 @@ func TestGetActionPinWithData_SemverPreference(t *testing.T) {
 			shouldFallback: true,
 		},
 		{
-			name:           "fallback to highest version for upload-artifact when requesting v4",
+			name:           "fallback to highest semver-compatible version for upload-artifact when requesting v4",
 			repo:           "actions/upload-artifact",
 			requestedVer:   "v4",
-			expectedVer:    "v6.0.0", // Falls back to v6.0.0, crossing major version boundary
+			expectedVer:    "v4.6.2", // Falls back to highest v4.x.x (semver-compatible)
+			strictMode:     false,
+			shouldFallback: true,
+			// Note: When requesting v4, the system returns v4.6.2 (the highest v4.x.x version),
+			// respecting semver compatibility and not crossing major version boundaries.
+			// This ensures that users get compatible upgrades within the same major version.
+		},
+		{
+			name:           "fallback to highest semver-compatible version for upload-artifact when requesting v5",
+			repo:           "actions/upload-artifact",
+			requestedVer:   "v5",
+			expectedVer:    "v5.0.0", // Falls back to highest v5.x.x (semver-compatible), not v6.0.0
 			strictMode:     false,
 			shouldFallback: true,
-			// Note: This behavior matches GetActionPin and GetActionPinByRepo which return
-			// "the latest version by semver" without regard to major version boundaries.
-			// When requesting v4, the system returns v6.0.0 (the highest available version),
-			// which crosses a major version boundary. This ensures consistency across all
-			// action pin lookup functions and matches the requirement to "always pick the
-			// highest release according to semver". Users expecting semver-compatible
-			// resolution within the same major version should request specific versions
-			// (e.g., v4.6.2) instead of generic major versions (v4).
 		},
 		{
 			name:           "exact match for upload-artifact v4",
diff --git a/pkg/workflow/semver.go b/pkg/workflow/semver.go
@@ -44,3 +44,37 @@ func compareVersions(v1, v2 string) int {
 	semverLog.Printf("Version comparison result: %s == %s", v1, v2)
 	return 0
 }
+
+// extractMajorVersion extracts the major version number from a version string
+// Examples: "v5.0.0" -> 5, "v6" -> 6, "5.1.0" -> 5
+func extractMajorVersion(version string) int {
+	// Strip 'v' prefix if present
+	v := strings.TrimPrefix(version, "v")
+	
+	// Split by '.' and get the first part
+	parts := strings.Split(v, ".")
+	if len(parts) > 0 {
+		var major int
+		fmt.Sscanf(parts[0], "%d", &major)
+		return major
+	}
+	
+	return 0
+}
+
+// isSemverCompatible checks if pinVersion is semver-compatible with requestedVersion
+// Semver compatibility means the major version must match
+// Examples:
+//   - isSemverCompatible("v5.0.0", "v5") -> true
+//   - isSemverCompatible("v5.1.0", "v5.0.0") -> true
+//   - isSemverCompatible("v6.0.0", "v5") -> false
+func isSemverCompatible(pinVersion, requestedVersion string) bool {
+	pinMajor := extractMajorVersion(pinVersion)
+	requestedMajor := extractMajorVersion(requestedVersion)
+	
+	compatible := pinMajor == requestedMajor
+	semverLog.Printf("Checking semver compatibility: pin=%s (major=%d), requested=%s (major=%d) -> %v",
+		pinVersion, pinMajor, requestedVersion, requestedMajor, compatible)
+	
+	return compatible
+}
