ci: tighten release-notes tag parser

Addresses defensive issues flagged on earlier revisions of this branch:

- Replace the single permissive TAG_RE with a per-component pattern map.
  Each component now only matches its own tag-prefix family
  (cuda-core-v*, cuda-pathfinder-v*, bare v* for cuda-bindings and
  cuda-python), so a cuda-core tag paired with --component cuda-pathfinder
  is rejected rather than silently quarried for the wrong notes file.
- Restrict the captured version to digit-prefixed word chars and dots so
  malformed inputs like "v../evil" or "v1/2/3" cannot flow into the
  joined notes path.
- Return exit code 2 on unparsable tags and component/prefix mismatches,
  matching the documented CLI contract. Only genuine missing/empty notes
  return 1.
- Route error output to stderr so stdout stays clean when the check is
  used as a CI gate.
- Add tests for the new rejection cases.

Author: cpcloud

ci/tools/check_release_notes.py

@@ -9,7 +9,7 @@
 Exit codes:
     0 — release notes present and non-empty (or .post version, skipped)
     1 — release notes missing or empty
-    2 — invalid arguments
+    2 — invalid arguments (including unparsable tag, or component/tag-prefix mismatch)
 """
 
 from __future__ import annotations
@@ -26,14 +26,31 @@
     "cuda-python": "cuda_python",
 }
 
-# Matches tags like "v13.1.0", "cuda-core-v0.7.0", "cuda-pathfinder-v1.5.2"
-TAG_RE = re.compile(r"^(?:cuda-\w+-)?v(.+)$")
+# Version characters are restricted to digit-prefixed word chars and dots, so
+# malformed inputs like "v../evil" or "v1/2/3" cannot flow into the notes path.
+_VERSION_PATTERN = r"\d[\w.]*"
+
+# Each component has exactly one valid tag-prefix form. cuda-bindings and
+# cuda-python share the bare "v<version>" namespace (setuptools-scm lookup).
+COMPONENT_TO_TAG_RE: dict[str, re.Pattern[str]] = {
+    "cuda-bindings": re.compile(rf"^v(?P<version>{_VERSION_PATTERN})$"),
+    "cuda-python": re.compile(rf"^v(?P<version>{_VERSION_PATTERN})$"),
+    "cuda-core": re.compile(rf"^cuda-core-v(?P<version>{_VERSION_PATTERN})$"),
+    "cuda-pathfinder": re.compile(rf"^cuda-pathfinder-v(?P<version>{_VERSION_PATTERN})$"),
+}
+
 
+def parse_version_from_tag(git_tag: str, component: str) -> str | None:
+    """Extract the version string from a tag, given the target component.
 
-def parse_version_from_tag(git_tag: str) -> str | None:
-    """Extract the bare version string (e.g. '13.1.0') from a git tag."""
-    m = TAG_RE.match(git_tag)
-    return m.group(1) if m else None
+    Returns None if the tag does not match the component's expected prefix
+    or contains characters outside the allowed version set.
+    """
+    pattern = COMPONENT_TO_TAG_RE.get(component)
+    if pattern is None:
+        return None
+    m = pattern.match(git_tag)
+    return m.group("version") if m else None
 
 
 def is_post_release(version: str) -> bool:
@@ -47,20 +64,20 @@ def notes_path(package: str, version: str) -> str:
 def check_release_notes(git_tag: str, component: str, repo_root: str = ".") -> list[tuple[str, str]]:
     """Return a list of (path, reason) for missing or empty release notes.
 
-    Returns an empty list when notes are present and non-empty.
+    Returns an empty list when notes are present and non-empty, or when the
+    tag is a .post release (no new notes required).
     """
-    version = parse_version_from_tag(git_tag)
+    if component not in COMPONENT_TO_PACKAGE:
+        return [("<component>", f"unknown component '{component}'")]
+
+    version = parse_version_from_tag(git_tag, component)
     if version is None:
-        return [("<tag>", f"cannot parse version from tag '{git_tag}'")]
+        return [("<tag>", f"cannot parse version from tag '{git_tag}' for component '{component}'")]
 
     if is_post_release(version):
         return []
 
-    package = COMPONENT_TO_PACKAGE.get(component)
-    if package is None:
-        return [("<component>", f"unknown component '{component}'")]
-
-    path = notes_path(package, version)
+    path = notes_path(COMPONENT_TO_PACKAGE[component], version)
     full = os.path.join(repo_root, path)
     if not os.path.isfile(full):
         return [(path, "missing")]
@@ -76,8 +93,15 @@ def main(argv: list[str] | None = None) -> int:
     parser.add_argument("--repo-root", default=".")
     args = parser.parse_args(argv)
 
-    version = parse_version_from_tag(args.git_tag)
-    if version and is_post_release(version):
+    version = parse_version_from_tag(args.git_tag, args.component)
+    if version is None:
+        print(
+            f"ERROR: tag {args.git_tag!r} does not match the expected format for component {args.component!r}.",
+            file=sys.stderr,
+        )
+        return 2
+
+    if is_post_release(version):
         print(f"Post-release tag ({args.git_tag}), skipping release-notes check.")
         return 0
 
@@ -86,10 +110,10 @@ def main(argv: list[str] | None = None) -> int:
         print(f"Release notes present for tag {args.git_tag}, component {args.component}.")
         return 0
 
-    print(f"ERROR: missing or empty release notes for tag {args.git_tag}:")
+    print(f"ERROR: missing or empty release notes for tag {args.git_tag}:", file=sys.stderr)
     for path, reason in problems:
-        print(f"  - {path} ({reason})")
-    print("Add versioned release notes before releasing.")
+        print(f"  - {path} ({reason})", file=sys.stderr)
+    print("Add versioned release notes before releasing.", file=sys.stderr)
     return 1
 
 

ci/tools/tests/test_check_release_notes.py

@@ -16,23 +16,53 @@
 
 
 class TestParseVersionFromTag:
-    def test_plain_tag(self):
-        assert parse_version_from_tag("v13.1.0") == "13.1.0"
+    def test_plain_tag_bindings(self):
+        assert parse_version_from_tag("v13.1.0", "cuda-bindings") == "13.1.0"
+
+    def test_plain_tag_python(self):
+        assert parse_version_from_tag("v13.1.0", "cuda-python") == "13.1.0"
 
     def test_component_prefix_core(self):
-        assert parse_version_from_tag("cuda-core-v0.7.0") == "0.7.0"
+        assert parse_version_from_tag("cuda-core-v0.7.0", "cuda-core") == "0.7.0"
 
     def test_component_prefix_pathfinder(self):
-        assert parse_version_from_tag("cuda-pathfinder-v1.5.2") == "1.5.2"
+        assert parse_version_from_tag("cuda-pathfinder-v1.5.2", "cuda-pathfinder") == "1.5.2"
 
     def test_post_release(self):
-        assert parse_version_from_tag("v12.6.2.post1") == "12.6.2.post1"
+        assert parse_version_from_tag("v12.6.2.post1", "cuda-bindings") == "12.6.2.post1"
 
     def test_invalid_tag(self):
-        assert parse_version_from_tag("not-a-tag") is None
+        assert parse_version_from_tag("not-a-tag", "cuda-core") is None
 
     def test_no_v_prefix(self):
-        assert parse_version_from_tag("13.1.0") is None
+        assert parse_version_from_tag("13.1.0", "cuda-bindings") is None
+
+    def test_component_prefix_mismatch(self):
+        # cuda-core-v* must not be accepted for component=cuda-pathfinder
+        assert parse_version_from_tag("cuda-core-v0.7.0", "cuda-pathfinder") is None
+
+    def test_bare_v_rejected_for_core(self):
+        # bare v* belongs to cuda-bindings/cuda-python, not cuda-core
+        assert parse_version_from_tag("v0.7.0", "cuda-core") is None
+
+    def test_unknown_component(self):
+        assert parse_version_from_tag("v13.1.0", "bogus") is None
+
+    def test_path_traversal_rejected(self):
+        assert parse_version_from_tag("v1.0.0/../evil", "cuda-bindings") is None
+
+    def test_path_separator_rejected(self):
+        assert parse_version_from_tag("v1/2/3", "cuda-bindings") is None
+
+    def test_leading_dot_rejected(self):
+        assert parse_version_from_tag("v.1.0", "cuda-bindings") is None
+
+    def test_whitespace_rejected(self):
+        assert parse_version_from_tag("v1.0.0 ", "cuda-bindings") is None
+
+    def test_trailing_suffix_rejected(self):
+        # \w permits alphanumerics + underscore only; hyphens and shell meta-chars are out
+        assert parse_version_from_tag("v1.0.0-extra", "cuda-bindings") is None
 
 
 class TestIsPostRelease:
@@ -79,6 +109,17 @@ def test_invalid_tag(self, tmp_path):
         assert len(problems) == 1
         assert "cannot parse" in problems[0][1]
 
+    def test_component_prefix_mismatch(self, tmp_path):
+        # Pass a cuda-core tag with component=cuda-pathfinder; must be rejected.
+        problems = check_release_notes("cuda-core-v0.7.0", "cuda-pathfinder", str(tmp_path))
+        assert len(problems) == 1
+        assert "cannot parse" in problems[0][1]
+
+    def test_unknown_component(self, tmp_path):
+        problems = check_release_notes("v13.1.0", "bogus", str(tmp_path))
+        assert len(problems) == 1
+        assert "unknown component" in problems[0][1]
+
     def test_plain_v_tag(self, tmp_path):
         self._make_notes(tmp_path, "cuda_python", "13.1.0")
         problems = check_release_notes("v13.1.0", "cuda-python", str(tmp_path))
@@ -100,3 +141,24 @@ def test_failure(self, tmp_path):
     def test_post_skip(self, tmp_path):
         rc = main(["--git-tag", "v12.6.2.post1", "--component", "cuda-bindings", "--repo-root", str(tmp_path)])
         assert rc == 0
+
+    def test_unparsable_tag_returns_2(self, tmp_path):
+        rc = main(["--git-tag", "not-a-tag", "--component", "cuda-core", "--repo-root", str(tmp_path)])
+        assert rc == 2
+
+    def test_path_traversal_returns_2(self, tmp_path):
+        rc = main(["--git-tag", "v1.0.0/../evil", "--component", "cuda-bindings", "--repo-root", str(tmp_path)])
+        assert rc == 2
+
+    def test_component_prefix_mismatch_returns_2(self, tmp_path):
+        rc = main(
+            [
+                "--git-tag",
+                "cuda-core-v0.7.0",
+                "--component",
+                "cuda-pathfinder",
+                "--repo-root",
+                str(tmp_path),
+            ]
+        )
+        assert rc == 2