semver mode sometimes includes a version for latest, even though that is not a semver version number

[cfryanr]

Describe the bug

When creating a resource like this:

  - name: golang-image
    type: registry-image
    icon: docker
    source:
      repository: docker.io/golang

I would expect that the only versions detected of this resource would be semver version numbers, as described in https://github.com/concourse/registry-image-resource#check-step-check-script-without-tag-or-tag_regex-discover-semver-tags.

When initially creating the pipeline, this works as expected. The only versions initially detected for this resource are semver numbers.

However, after the pipeline has been running for some days, eventually the version tag latest appears in the resource's list of versions, even though latest is not a semver version tag. This confuses any job which was expecting the resource to behave as documented, and can result in incorrect behavior of jobs in a pipeline.

For example:

Note that in the above screenshot, the digests of latest and 1.21.5 do not match. This is because the golang image for tag 1.21.5 on dockerhub really does change its digest every few days/weeks. This unfortunate behavior of this particular container image might be contributing to the bug.

Reproduction steps

The following pipeline should reproduce this behavior.

resource_types:

  - name: registry-image
    type: registry-image
    source:
      repository: concourse/registry-image-resource
      tag: latest

resources:

  - name: golang-image
    type: registry-image
    icon: docker
    source:
      repository: docker.io/golang
      # Note that this does not configure "tag" or "tag_regex", so it should behave as described by
      # https://github.com/concourse/registry-image-resource#check-step-check-script-without-tag-or-tag_regex-discover-semver-tags
      # Specifically, it should only detect "tags which contain semver version numbers".
      # However, if this pipeline is allowed to run long enough, the below job will eventually fail because this
      # resource will eventually include a version for "latest", which is not a semver version number.

  - name: daily
    type: time
    icon: calendar-clock
    source:
      location: America/Los_Angeles
      start: 1:00 AM
      stop: 2:00 AM
      days: [ Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday ]

jobs:

  - name: use-golang
    plan:
      - in_parallel:
          - get: daily
            trigger: true
          - get: golang-image
            params:
              skip_download: true
      - task: check-golang-image-version
        config:
          platform: linux
          image_resource:
            type: registry-image
            source:
              repository: docker.io/debian
              tag: stable-slim
          inputs:
            - name: golang-image
          run:
            dir: golang-image
            path: bash
            args:
              - "-c"
              - |
                set -xeuo pipefail
                tag="$(cat tag)"
                if [[ "$tag" == "latest" ]]; then exit 1; fi;

Expected behavior

I would expect the the golang-image resource described above would never detect a version for latest because latest is not a semver version number.

Additional context

Maybe it is related to this other reported bug? I'm not sure. #316

[cfryanr]

While running the above pipeline, I noticed that during the day yesterday the golang-image resource had a latest version. But by the time the job auto-triggered at 1 am that night, the latest version was gone from the resource and the job passed. So a better reproduction pipeline would auto-trigger the job more often to catch the problem while it is happening.