
Commit e66b10f

fix: improve deployment-guard error messages and repository validation
## Changes ### Error Message Improvements (Issue #339) - Add clear "REASON:" prefix to all validation failures for traceability - Remove "how to fix" suggestions, replace with validation rules reminder - Improve error messages to state WHAT failed and WHY ### Bug Fix: Repository Validation with Registry Prefix - Fix repository validation to extract base repository name - Handle images with registry prefix (e.g., mirror.gcr.io/dotcms/dotcms) - Compare both full repository and base repository with allowlist - Add debug logging to show comparison process ### Specific Error Message Changes 1. **File Allowlist**: "BLOCKED: File allowlist validation failed" - States which files are not in allowlist - Shows pattern requirements 2. **Image-Only**: "BLOCKED: Image-only validation failed" - Clarifies only image attribute can be modified - Lists what changes are not allowed 3. **Image Validation**: "BLOCKED: Image validation failed" - Lists all validation rules (repository, version, existence, downgrades) - Explains evergreen version requirements - Removes remediation suggestions ### Examples Before: "❌ Repository not allowed: mirror.gcr.io/dotcms/dotcms" After: Extracts "dotcms/dotcms" and matches against allowlist ✅ Related to dotCMS/deutschebank-infrastructure#339
1 parent 305561b commit e66b10f

1 file changed

Lines changed: 55 additions & 20 deletions


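--- a/.github/workflows/deployment-guard.yml
+++ b/.github/workflows/deployment-guard.yml
@@ -376,7 +376,9 @@ jobs:
 
 # 1. Validate format (repo/name:tag)
 if ! [[ "$image" =~ ^[a-zA-Z0-9_/-]+:[a-zA-Z0-9._-]+$ ]]; then
-echo "❌ Invalid image format: $image"
+echo "❌ Image format validation failed"
+echo " Image: $image"
+echo " REASON: Invalid image format (expected format: repository/name:tag)"
 echo "false" > /tmp/validation_failed.txt
 continue
 fi
@@ -385,6 +387,7 @@ jobs:
 # 2. Extract repository and tag
 REPO="${image%:*}"
 TAG="${image##*:}"
+echo " Full image: $image"
 echo " Repository: $REPO"
 echo " Tag: $TAG"
 
@@ -395,14 +398,37 @@ jobs:
 for allowed_repo in "${ALLOWED[@]}"; do
 # Trim whitespace
 allowed_repo=$(echo "$allowed_repo" | xargs)
-if [[ "$REPO" == "$allowed_repo" ]]; then
+
+# Extract base repository name (handle both with and without registry prefix)
+# Examples:
+# mirror.gcr.io/dotcms/dotcms -> dotcms/dotcms
+# gcr.io/project/dotcms/dotcms -> dotcms/dotcms
+# dotcms/dotcms -> dotcms/dotcms
+BASE_REPO="$REPO"
+if [[ "$REPO" =~ / ]]; then
+# If REPO contains registry (has multiple slashes or starts with known registries)
+if [[ "$REPO" =~ ^[a-z0-9.-]+\.[a-z]{2,}/.*/ ]] || [[ "$REPO" =~ ^gcr\.io/ ]] || [[ "$REPO" =~ ^.*\.gcr\.io/ ]]; then
+# Extract everything after the registry domain
+BASE_REPO="${REPO#*/}"
+# If there are still slashes, get the last two parts (org/repo)
+if [[ "$BASE_REPO" =~ / ]]; then
+BASE_REPO="${BASE_REPO#*/}"
+fi
+fi
+fi
+
+echo " Comparing '$BASE_REPO' with allowed '$allowed_repo'"
+if [[ "$BASE_REPO" == "$allowed_repo" ]] || [[ "$REPO" == "$allowed_repo" ]]; then
 REPO_ALLOWED=true
+echo " ✓ Match found"
 break
 fi
 done
 
 if [ "$REPO_ALLOWED" = false ]; then
-echo "❌ Repository not allowed: $REPO"
+echo "❌ Repository validation failed"
+echo " Repository: $REPO"
+echo " REASON: Repository is not in the allowlist"
 echo " Allowed repositories: $ALLOWED_REPOS"
 echo "false" > /tmp/validation_failed.txt
 continue
@@ -414,9 +440,10 @@ jobs:
 
 # 4. Validate tag matches version pattern
 if ! [[ "$TAG" =~ $VERSION_PATTERN ]]; then
-echo "❌ Tag does not match version pattern: $TAG"
-echo " Expected pattern: $VERSION_PATTERN"
-echo " This typically means: date-based versions YY.MM.DD where YY >= 25"
+echo "❌ Version pattern validation failed"
+echo " Tag: $TAG"
+echo " Required pattern: $VERSION_PATTERN"
+echo " REASON: Only evergreen date-based versions are allowed (YY.MM.DD where YY >= 25, with optional suffix)"
 echo "false" > /tmp/validation_failed.txt
 continue
 fi
@@ -428,7 +455,9 @@ jobs:
 if docker manifest inspect "$image" >/dev/null 2>&1; then
 echo "✅ Image exists in registry"
 else
-echo "❌ Image does not exist in registry: $image"
+echo "❌ Registry existence validation failed"
+echo " Image: $image"
+echo " REASON: Image does not exist in the Docker registry"
 echo "false" > /tmp/validation_failed.txt
 continue
 fi
@@ -511,40 +540,46 @@ jobs:
 
 # Check file allowlist (if enabled)
 if [ "$ENABLE_FILE_ALLOWLIST" = "true" ] && [ "$FILES_CHECK" != "pass" ]; then
-echo "❌ BLOCKED: Modified files are not in the allowlist"
+echo "❌ BLOCKED: File allowlist validation failed"
 echo ""
-echo "Only the following files can be modified:"
-echo " - ${{ inputs.allowed_files_pattern }}"
+echo "REASON: One or more modified files are not in the allowlist"
+echo ""
+echo "Validation Rule: Only files matching the following pattern can be modified:"
+echo " - Pattern: ${{ inputs.allowed_files_pattern }}"
 echo ""
-echo "Please ensure you're only modifying allowed files."
 exit 1
 fi
 
 # Check image-only changes (if enabled)
 if [ "$ENABLE_IMAGE_ONLY" = "true" ] && [ "$IMAGE_ONLY_CHECK" != "pass" ]; then
-echo "❌ BLOCKED: Changes detected beyond the image field"
+echo "❌ BLOCKED: Image-only validation failed"
+echo ""
+echo "REASON: Changes detected beyond the container image field"
 echo ""
-echo "Only the container image field can be modified."
-echo "No other changes are allowed (resources, env vars, volumes, etc.)"
+echo "Validation Rule: Only the container image attribute can be modified"
+echo " - Allowed: Changes to container image field only"
+echo " - Not allowed: resources, env vars, volumes, replicas, or any other configuration changes"
 echo ""
-echo "Please revert any non-image changes and try again."
 exit 1
 fi
 
 # Check image validation (if enabled)
 if [ "$ENABLE_IMAGE_VALIDATION" = "true" ] && [ "$IMAGE_VALIDATION" != "pass" ]; then
 echo "❌ BLOCKED: Image validation failed"
 echo ""
-echo "Image validation requirements:"
+echo "REASON: The specified image does not meet one or more validation requirements"
+echo ""
+echo "Validation Rules:"
 if [ -n "${{ inputs.allowed_image_repositories }}" ]; then
-echo " - Repository must be: ${{ inputs.allowed_image_repositories }}"
+echo " - Repository: Only images from '${{ inputs.allowed_image_repositories }}' are allowed"
 fi
-echo " - Tag must match pattern: ${{ inputs.allowed_version_pattern }}"
+echo " - Version format: Must match pattern '${{ inputs.allowed_version_pattern }}'"
+echo " (Evergreen date-based versions only: YY.MM.DD where YY >= 25, with optional suffix)"
 if [ "${{ inputs.verify_image_existence }}" = "true" ]; then
-echo " - Image must exist in the registry"
+echo " - Registry existence: Image must exist in the Docker registry"
 fi
+echo " - No downgrades: Version must be equal to or newer than the current deployed version"
 echo ""
-echo "Please use a valid image and try again."
 exit 1
 fi
 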
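Review bot: The base-repository fallback added in the step-3 loop (new lines 407–421) turns the repository allowlist into a suffix match: `BASE_REPO="${REPO#*/}"` followed by the second strip reduces any `<host>/<anything>/org/repo` to `org/repo`, so an allowlist entry such as `dotcms/dotcms` now accepts that path from any registry host, a weaker guarantee than the exact `$REPO` comparison the hunk replaces. If mirrored registries must be accepted, keep the exact comparison and enumerate the permitted registry hosts explicitly (or make the allowlist entries registry-qualified) rather than deriving the match from the path shape. Separately, the step-1 format check kept as context on line 378 (`^[a-zA-Z0-9_/-]+:`) admits no `.` in the repository part, so an image like `mirror.gcr.io/dotcms/dotcms:<tag>` is rejected before the new prefix-stripping code runs; unless that regex is changed elsewhere, the new branch is unreachable for dotted registry hosts. The message at new line 581 announces a "No downgrades" rule, but no check implementing it appears in these hunks, so if none exists elsewhere in the workflow the message overstates what is enforced. The enclosing `run:` script starts and ends outside these hunks.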
