allowedVersions: "<6" silently broken by github-actions versioning change

[TWiStErRob]

How are you running Renovate?

A Mend.io-hosted app

Which platform you running Renovate on?

GitHub.com

Which version of Renovate are you using?

unknown exact version — issue started April 16

Please tell us more about your question or problem

(AI generated, human reviewed)

What happened

We use a shared Renovate preset across ~200 repos with this rule to block a new major version of a GitHub action:

{
    "matchManagers": ["github-actions"],
    "matchPackageNames": ["actions/checkout"],
    "allowedVersions": "<6"
}

This worked correctly when merged on March 25 — Renovate closed all existing v6 PRs.

Starting April 16, Renovate began reopening/creating v6 PRs across all repos in our org. The PRs churn: closing, reopening, and rebasing repeatedly.

The bug

parseRange() uses semver.coerce() which extracts a number from any string containing digits — including semver range operators like <6, >=5, ~4, ^3. This makes isValid() return true for these expressions, preventing the semver range fallback in filter.ts from ever running.

Root cause analysis

The github-actions manager's default versioning changed multiple times in quick succession:

Date	Commit	Change
Apr 16	da04b8e	docker → semver-partial
Apr 17	db64cc6	reverted back to docker
Apr 21	57d5fb3	docker → github-actions (new custom versioning)

The new github-actions versioning (lib/modules/versioning/github-actions/index.ts) breaks allowedVersions range expressions like <6.

Here's why — tracing through filter.ts's allowedVersions evaluation:

Step 1 — filter.ts L113–L116: allowedVersions evaluation starts.

const isAllowedPred = getRegexPredicate(allowedVersions);
if (isAllowedPred) {           // ← "<6" is not a regex, skip
} else if (versioningApi.isValid(allowedVersions)) {  // ← THIS is the problem branch
  filteredReleases = filteredReleases.filter((r) =>
    versioningApi.matches(r.version, allowedVersions),  // ← uses versioning's matches()
  );
} else if (... semver.validRange(allowedVersions)) {   // ← correct semver fallback, never reached

Step 2 — github-actions/index.ts isValid: called with "<6".

function isValid(input: string): boolean {
  return !!parseVersion(input) || !!parseRange(input);  // parseVersion("<6") = null, but parseRange("<6") = truthy!
}

Step 3 — github-actions/index.ts parseRange: called with "<6".

function parseRange(input: string): Range | null {
  const stripped = massageValue(input);    // massageValue("<6") = "<6" (only strips leading "v")
  const coerced = semver.coerce(stripped); // semver.coerce("<6") = SemVer{6,0,0} — coerce extracts "6" from ANY string!
  if (!coerced) { return null; }
  const { major, minor } = coerced;        // major=6, minor=0

  if (regEx(/^\d+$/).test(stripped)) {     // "<6" doesn't match /^\d+$/, falls through
    return { major };
  }
  return { major, minor };                 // returns { major: 6, minor: 0 } ← WRONG, "<6" is not a floating tag
}

Step 4 — back in filter.ts, since isValid("<6") returned true, it calls matches("v6.0.1", "<6"):

function matches(version: string, range: string): boolean {
  // #42809 early return: massageValue("v6.0.1")="6.0.1" ≠ massageValue("<6")="<6", skip
  const v = parseVersion(version);     // parseVersion("v6.0.1") = SemVer{6,0,1}
  const rv = parseVersion(range);      // parseVersion("<6") = null, skip
  const r = parseRange(range);         // parseRange("<6") = { major: 6, minor: 0 } (same as step 3)
  // ...
  if (v.major !== r.major) return false;  // 6 === 6, continue
  if (isUndefined(r.minor)) return true;  // r.minor = 0 (defined), continue
  return v.minor === r.minor;             // 0 === 0 → true ← v6.0.1 ALLOWED through ❌
}

Previously with docker versioning, isValid("<6") returned false, so filter.ts fell through to the semver fallback at L121: semver.satisfies("6.0.1", "<6") → false → correctly blocked ✅

Suggested fix

parseRange() should reject strings that aren't valid floating tags. The existing /^\d+$/ check is close but only used for the major-only branch. A guard at the top would fix it:

function parseRange(input: string): Range | null {
  const stripped = massageValue(input);
  // Only accept valid floating tags: "1", "1.2" (with optional "v" prefix, handled by massageValue)
  // Reject semver range operators that semver.coerce() would incorrectly extract numbers from
  if (!regEx(/^\d+(\.\d+)?$/).test(stripped)) {
    return null;
  }
  // ... rest of existing logic
}

Minimal reproduction

Use this renovate.json in any repo that has a GitHub Actions workflow referencing an action with a major version ≥6:

{
    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
    "extends": ["config:recommended"],
    "packageRules": [
        {
            "description": "Block actions/checkout v6+",
            "matchManagers": ["github-actions"],
            "matchPackageNames": ["actions/checkout"],
            "allowedVersions": "<6"
        }
    ]
}

With a workflow file like .github/workflows/build.yml:

name: Build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5

Expected: No PR created for actions/checkout v6, because allowedVersions: "<6" blocks it.

Actual: Renovate creates a PR to update actions/checkout from v5 to v6.

This affects any allowedVersions using semver range syntax (<N, >=N, ~N, ^N) on GitHub Actions dependencies.

Workaround

Using a regex for allowedVersions bypasses the versioning entirely (first priority in filter.ts):

"allowedVersions": "/^v?[0-5]/"

Logs (if relevant)

Not applicable, found by AI investigation without access to logs. If needed I can find some though.

[jamietanna]

Thanks - should be fixed by #42831