Skip to content

fix(rust): use ERE-compatible regex in start_release.sh version check#2351

Merged
josecorella merged 3 commits into
mainfrom
jocorell/release-rust
Jul 1, 2026
Merged

fix(rust): use ERE-compatible regex in start_release.sh version check#2351
josecorella merged 3 commits into
mainfrom
jocorell/release-rust

Conversation

@josecorella

Copy link
Copy Markdown
Contributor

The version check used the PCRE escape \d in an egrep pattern:

REGEX_VERSION='^\d+.\d+.\d+$'
MATCHES=$(echo "$1" | egrep $REGEX_VERSION | wc -l)

egrep uses POSIX Extended Regular Expressions, which do not support \d. The pattern therefore matched nothing, every input was treated as invalid, and the script always exited with:

Version "X.Y.Z" must be N.N.N

This caused the 'Run start_release.sh and open a release PR' job to fail with exit code 1 even though VERSION=1.3.0 had already passed the workflow's own pre-check (which uses bash regex ^[0-9]+.[0-9]+.[0-9]+$).

Replace \d with [0-9] so the regex actually matches N.N.N, and quote the variable expansion in egrep for safety.

Issue #, if available:

Description of changes:

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

The version check used the PCRE escape \d in an egrep pattern:

  REGEX_VERSION='^\d+\.\d+\.\d+$'
  MATCHES=$(echo "$1" | egrep $REGEX_VERSION | wc -l)

egrep uses POSIX Extended Regular Expressions, which do not support \d.
The pattern therefore matched nothing, every input was treated as
invalid, and the script always exited with:

  Version "X.Y.Z" must be N.N.N

This caused the 'Run start_release.sh and open a release PR' job to fail
with exit code 1 even though VERSION=1.3.0 had already passed the
workflow's own pre-check (which uses bash regex ^[0-9]+\.[0-9]+\.[0-9]+$).

Replace \d with [0-9] so the regex actually matches N.N.N, and quote the
variable expansion in egrep for safety.
@josecorella josecorella requested a review from a team as a code owner June 30, 2026 21:44
@josecorella

Copy link
Copy Markdown
Contributor Author

kessplas
kessplas previously approved these changes Jun 30, 2026
… crate

CI's 'no duplicate aws-lc native crate' check failed on the default
build with:

    aws-lc-sys v0.41.0
    └── aws-db-esdk (direct dependency)

    aws-lc-sys v0.42.0
    └── aws-lc-rs v1.17.1
        └── aws-db-esdk (transitive via aws-lc-rs/aws-sdk-*)

Our Cargo.toml pinned the direct optional dep at aws-lc-sys = "0.41",
while aws-lc-rs 1.17.1 (which we depend on, and which the AWS SDK
crates pull in transitively) resolves aws-lc-sys 0.42. Cargo cannot
unify across a semver-major boundary, so two copies of aws-lc-sys
compile in the same build.

Beyond the ~2x native C build cost, this is also a correctness/safety
concern: the SDK's raw FFI path (aws_lc_sys_impl::*) binds to the
version WE declare, while aws-lc-rs binds to the version it pulls in,
so the raw path can drift onto a stale/vulnerable AWS-LC independently
of aws-lc-rs.

Bump the direct dep to aws-lc-sys = "0.42" so it unifies with the
version aws-lc-rs resolves to. aws-lc-fips-sys is unchanged; the fips
build was not flagged by the duplicate check.
@josecorella josecorella merged commit e27d76f into main Jul 1, 2026
70 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants