
fix: OCI filter pre-release tags #15005

Status: Open
jaredlueck wants to merge 7 commits into dependabot:main from jaredlueck:ignore-helm-prerelease-versions

Conversation


@jaredlueck jaredlueck commented May 13, 2026

What are you trying to accomplish?

This is an issue preventing our organization from leveraging dependabot for helm version updates, so I am proposing this fix.

Exclude prerelease-style tags from update candidates, so Dependabot does not propose unstable chart versions as normal upgrades.

This fixes the issue where tags such as 3.44.1-1.g585bce1 (and similar prerelease formats) were being treated as valid latest versions for Helm OCI dependencies.

Reproduction reference:
https://github.com/jaredlueck/dependabot-helm-issue/pull/1/changes

Main changes:

  • Added OCI prerelease detection and filtering in Helm update checking.
  • Added a regression test proving prerelease tags are ignored and a stable version is selected instead.

How will you know you've accomplished your goal?

  • Run the dependabot CLI against the example repo and ensure the correct stable version is selected

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

Copilot AI review requested due to automatic review settings May 13, 2026 15:16
@jaredlueck jaredlueck requested a review from a team as a code owner May 13, 2026 15:16

Copilot AI left a comment


Pull request overview

This PR updates the Helm UpdateChecker to ignore semver prerelease-style OCI tags when computing update candidates, preventing unstable/branch-build tags from being selected as the latest chart version.

Changes:

  • Add prerelease-tag detection for Helm OCI tags and filter those tags out from candidate versions.
  • Add a regression spec ensuring prerelease-style tags are ignored and a stable tag is selected instead.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

Reviewed files:

  • helm/lib/dependabot/helm/update_checker.rb: Filters out OCI tags matching a prerelease-style regex before version validation/selection.
  • helm/spec/dependabot/helm/update_checker_spec.rb: Adds a spec case asserting prerelease-like OCI tags don't affect latest_version.

Comment on lines +24 to +26
# Matches semver-like OCI tags that carry prerelease metadata after the
# patch version, including git-describe style builds and branch-based
# labels such as 2.0.4-main.146.sha.7ac1266.

yeikel commented May 13, 2026

This may not be the right fix because some users may want to get these. What we implemented for gradle/maven is to detect what the current value is and suggest as needed. Can we try the same here?

@kbukum1 kbukum1 requested a review from Copilot May 13, 2026 18:32
jaredlueck (Author) commented

> This may not be the right fix because some users may want to get these. What we implemented for gradle/maven is to detect what the current value is and suggest as needed. Can we try the same here?

I updated it so that if the current version is a pre-release then it will suggest a pre-release.


Copilot AI left a comment


Copilot's findings

Comments suppressed due to low confidence (1)

helm/lib/dependabot/helm/update_checker.rb:276

  • wants_oci_prerelease_tags? checks the current version string directly, but OCI tags may represent + build metadata as _. If the current dependency version is stored in OCI tag form (with _), prerelease detection could incorrectly return false and cause prerelease updates to be filtered out. Normalizing dependency.version (e.g., tr('_', '+')) before calling oci_prerelease_tag? would make this robust.
      sig { returns(T::Boolean) }
      def wants_oci_prerelease_tags?
        current_version = dependency.version
        return false unless current_version

        oci_prerelease_tag?(current_version)
      end
  • Files reviewed: 2/2 changed files
  • Comments generated: 1
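The candidate selection the author describes (prerelease tags are offered only when the current version is itself a prerelease) combined with the normalization Copilot's finding asks for, as an added stand-alone example that is not the PR's code. The module, method names and regexes are hypothetical; the one assumption about Helm is that it writes semver build metadata "+" as "_" in OCI tags, since "+" is not a valid OCI tag character. Gem::Version is used for ordering because it already sorts a "-rc.1" style prerelease below its release.

```ruby
# Added example, not the PR's code. Helper names and regexes are hypothetical.
# Assumption: Helm stores semver build metadata "+" as "_" in OCI tags.
module OciTagFilter
  # 1.2.3-<prerelease>[+<build>], matched against a normalized ("+") string.
  PRERELEASE_RE = /\A\d+\.\d+\.\d+-[0-9A-Za-z.\-]+(?:\+[0-9A-Za-z.\-]+)?\z/
  # 1.2.3[+<build>] with no prerelease part.
  STABLE_RE = /\A\d+\.\d+\.\d+(?:\+[0-9A-Za-z.\-]+)?\z/

  # Restore "+" so detection gives the same answer whether the string came
  # from an OCI tag ("_") or from Chart.yaml ("+"). Without this, a current
  # version stored in tag form would never be recognised as a prerelease.
  def self.normalize(tag)
    tag.to_s.tr("_", "+")
  end

  def self.prerelease_tag?(tag)
    PRERELEASE_RE.match?(normalize(tag))
  end

  def self.stable_tag?(tag)
    STABLE_RE.match?(normalize(tag))
  end

  # Stable tags are always candidates; prerelease tags only when the
  # dependency is already on a prerelease. Tags like "latest" are dropped.
  def self.candidates(tags, current_version)
    allow_prerelease = prerelease_tag?(current_version)
    tags.select do |tag|
      stable_tag?(tag) || (allow_prerelease && prerelease_tag?(tag))
    end
  end

  # Semver precedence ignores build metadata, so strip it before comparing.
  # Gem::Version reads "1.2.3-rc.1" as a prerelease that sorts below 1.2.3.
  def self.sort_key(tag)
    Gem::Version.new(normalize(tag).split("+").first)
  end

  # Returns the original tag string (not the normalized one) so the caller
  # can pull exactly that tag from the registry.
  def self.latest_version(tags, current_version)
    candidates(tags, current_version).max_by { |tag| sort_key(tag) }
  end
end

# Constructed sample tag list, modelled on the formats named in the PR.
SAMPLE_TAGS = %w[
  latest
  3.43.2
  3.44.0
  3.44.1-1.g585bce1
  2.0.4-main.146.sha.7ac1266
  3.45.0-rc.1_sha.abc123
].freeze

if $PROGRAM_NAME == __FILE__
  puts OciTagFilter.latest_version(SAMPLE_TAGS, "3.43.2")            # 3.44.0
  puts OciTagFilter.latest_version(SAMPLE_TAGS, "3.44.1-1.g585bce1") # 3.45.0-rc.1_sha.abc123
end
```

With a stable current version the git-describe and branch-build tags never become candidates; with a prerelease current version they do, and the newest prerelease wins. The last sample tag shows why the normalization matters: matched raw, its "_" build separator makes the prerelease regex fail, so the dependency would have been treated as stable and all prerelease updates suppressed.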

@jaredlueck jaredlueck changed the title fix: OCI ignore pre-release tags fix: OCI filter pre-release tags May 15, 2026
@jaredlueck jaredlueck requested a review from Copilot May 20, 2026 15:47

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

jaredlueck (Author) commented

@yeikel, are you able to review, or do you know who typically reviews?
