filter out non-version tags in Helm update checker (#12612)

abn · web-flow · commit 704599c4fef9 · 2025-08-18T10:48:21.000+01:00
Resolves: #12423
diff --git a/helm/lib/dependabot/helm/update_checker.rb b/helm/lib/dependabot/helm/update_checker.rb
@@ -235,6 +235,14 @@ def fetch_oci_tags(chart_name, repo_url)
         oci_registry = repo_url.gsub("oci://", "")
 
         release_tags = Helpers.fetch_oci_tags("#{oci_registry}/#{chart_name}").split("\n")
+        # Filter out tags that are not valid versions (e.g., SHA256 hashes, .sig, .att, .metadata files)
+        release_tags = release_tags.select do |tag|
+          # Skip tags that start with "sha256-" or end with .sig, .att, or .metadata
+          next false if tag.start_with?("sha256-") || tag.end_with?(".sig", ".att", ".metadata")
+
+          # Use Version.correct? to check if the tag is a valid version
+          version_class.correct?(tag)
+        end
         release_tags.map { |tag| tag.tr("_", "+") }
       end
 
diff --git a/helm/spec/dependabot/helm/update_checker_spec.rb b/helm/spec/dependabot/helm/update_checker_spec.rb
@@ -118,6 +118,28 @@
           Dependabot::Helm::Version.new("1.0.124446+3123f85bdf6d8309d3d601938564a996f5cad238")
         )
       end
+
+      context "when tags include non-version tags like SHA256 hashes and metadata files" do
+        before do
+          allow(Dependabot::Helm::Helpers).to receive(:fetch_oci_tags)
+            .with("registry.sweet.security/helm/frontierchart")
+            .and_return(
+              "1.0.119807+c2277fddd003556d4982b86ef4e77fc84a41ed79\n" \
+              "1.0.124446+3123f85bdf6d8309d3d601938564a996f5cad238\n" \
+              "sha256-bbccb29e4f20037bc6c3319199138172c044d29c514431a11f0f2bfd9b694d6d\n" \
+              "sha256-bbccb29e4f20037bc6c3319199138172c044d29c514431a11f0f2bfd9b694d6d.att\n" \
+              "sha256-bbccb29e4f20037bc6c3319199138172c044d29c514431a11f0f2bfd9b694d6d.sig\n" \
+              "sha256-bbccb29e4f20037bc6c3319199138172c044d29c514431a11f0f2bfd9b694d6d.metadata\n" \
+              "1.1.0"
+            )
+        end
+
+        it "filters out non-version tags and returns the latest valid version" do
+          expect(checker.latest_version).to eq(
+            Dependabot::Helm::Version.new("1.1.0")
+          )
+        end
+      end
     end
   end
 
