Merged
22 changes: 14 additions & 8 deletions .github/workflows/build-main.yml
Expand Up @@ -4,6 +4,9 @@ on:
push:
branches: [ main, ghactions ]

permissions:
contents: read

jobs:
build-main:
name: Build and push a main snapshot image
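Review bot: the added workflow-level permissions block (contents: read) correctly replaces the default write-capable GITHUB_TOKEN with a read-only one, and since the push steps in this file authenticate with the REGISTRY_USER and REGISTRY_PASSWORD secrets rather than with GITHUB_TOKEN, no packages: write grant is required for the image pushes. The one thing to double-check before merging is that no step in the jobs below relies on the token for anything beyond checkout (API calls, release uploads, commenting); any such step will now fail with a 403 and would need its own job-level permissions entry.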
Expand Down Expand Up @@ -33,8 +36,10 @@ jobs:

- name: Set image registry env
run: |
echo IMAGE_REGISTRY=$(echo ${{ secrets.IMAGE_REGISTRY }} | cut -d '/' -f 1) >> $GITHUB_ENV
echo IMAGE_REPO=$(echo ${{ secrets.IMAGE_REGISTRY }} | cut -d '/' -f 2) >> $GITHUB_ENV
echo "IMAGE_REGISTRY=$(echo "${_IMAGE_REGISTRY}" | cut -d '/' -f 1)" >> "${GITHUB_ENV}"
echo "IMAGE_REPO=$(echo "${_IMAGE_REGISTRY}" | cut -d '/' -f 2)" >> "${GITHUB_ENV}"
env:
_IMAGE_REGISTRY: ${{ secrets.IMAGE_REGISTRY }}

Comment on lines +39 to 43

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Root cause: registry parsing truncates namespace in both workflow files.

Both .github/workflows/build-main.yml and .github/workflows/build-release.yml derive IMAGE_REPO with cut -d '/' -f 2, which loses nested path segments and can push to unintended repositories. Use “first segment as registry, remainder as repo” parsing in both files, with format validation.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-main.yml around lines 39 - 43, the workflow
currently splits _IMAGE_REGISTRY with cut -d '/' -f 1 and -f 2 which drops any
nested repo path; change the parsing so IMAGE_REGISTRY = first segment before
the first '/' and IMAGE_REPO = everything after the first '/' (i.e., take the
remainder, not only the second segment) and add validation to ensure
_IMAGE_REGISTRY contains at least one '/' and non-empty repo portion; update the
commands that set IMAGE_REGISTRY/IMAGE_REPO in both places where _IMAGE_REGISTRY
is used (reference the environment var _IMAGE_REGISTRY and outputs written to
GITHUB_ENV for IMAGE_REGISTRY and IMAGE_REPO) so nested namespaces are preserved
and the workflow fails early on invalid format.
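A worked version of the "first segment as registry, remainder as repo" split with format validation that the comment above asks for, added here as an example and not code from the PR or the project. The sample registry strings are constructed, and the GITHUB_ENV-style file is whatever path the caller passes in:

```shell
#!/usr/bin/env bash
# Added example, not code from the PR or the project: split an image
# reference of the form host[:port]/namespace/.../repo into the registry
# (everything before the first '/') and the repository path (everything
# after it), refusing malformed input so a workflow fails early instead of
# pushing to an unintended repository. Uses only parameter expansion, so no
# subshell or cut is needed.

# parse_image_ref REF
# Prints "<registry> <repo>" on success; returns 1 with a message on stderr
# when REF has no '/', an empty registry or repo, or an empty path segment.
parse_image_ref() {
  local ref="$1"
  case "$ref" in
    */*) ;;
    *) echo "IMAGE_REGISTRY must look like host[:port]/namespace/repo, got '$ref'" >&2
       return 1 ;;
  esac
  local registry="${ref%%/*}"   # up to the first '/'
  local repo="${ref#*/}"        # after the first '/' (nested namespaces kept)
  if [ -z "$registry" ] || [ -z "$repo" ]; then
    echo "empty registry or repo in '$ref'" >&2
    return 1
  fi
  case "$repo" in
    */|*//*|/*) echo "repo path '$repo' has an empty segment" >&2
                return 1 ;;
  esac
  printf '%s %s\n' "$registry" "$repo"
}

# write_github_env REF ENVFILE
# Validates REF, then appends IMAGE_REGISTRY and IMAGE_REPO to ENVFILE, the
# same way the workflow step appends to "${GITHUB_ENV}" (the file path here
# is supplied by the caller; in Actions the runner provides it).
write_github_env() {
  local ref="$1" envfile="$2"
  parse_image_ref "$ref" >/dev/null || return 1
  {
    echo "IMAGE_REGISTRY=${ref%%/*}"
    echo "IMAGE_REPO=${ref#*/}"
  } >> "$envfile"
}

# Constructed sample inputs: the first two are accepted, the third has no
# repository path and is rejected.
for sample in 'quay.io/myorg/team/operator' 'registry:5000/operator' 'quay.io'; do
  parse_image_ref "$sample" || echo "rejected: $sample"
done
```

In a workflow step the secret would still be passed in through env as _IMAGE_REGISTRY and then handed to write_github_env with "${GITHUB_ENV}"; the point of the guard is that a value such as "quay.io" or "quay.io/" aborts the step instead of producing an empty IMAGE_REPO that a later push silently uses.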

- name: Build Operator Image
id: build-operator-image
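Review bot: moving the secret out of the inline ${{ secrets.IMAGE_REGISTRY }} expression and into the step's env as _IMAGE_REGISTRY is the right fix, because the value is no longer pasted into the shell source where quoting or metacharacters in it would be interpreted. The parsing itself still keeps only the second path segment, so a value like host/org/team/operator is truncated to host and org. With the value already in an environment variable, parameter expansion gives the intended split without a subshell, e.g. echo "IMAGE_REGISTRY=${_IMAGE_REGISTRY%%/*}" and echo "IMAGE_REPO=${_IMAGE_REGISTRY#*/}", and a guard such as case "${_IMAGE_REGISTRY}" in */?*) ;; *) echo "IMAGE_REGISTRY must be host/path" >&2; exit 1;; esac fails the job early when the secret has no repository path. The same step in build-release.yml needs the identical change.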
Expand All @@ -61,10 +66,7 @@ jobs:
- name: Build Bundle
id: build-bundle
run: |
IMAGE_REGISTRY=${{ env.IMAGE_REGISTRY }} \
IMAGE_REPO=${{ env.IMAGE_REPO }} \
RELEASE_TAG=${{ env.RELEASE_TAG }} \
VERSION=${{ env.RELEASE_TAG }} \
VERSION="${RELEASE_TAG}" \
make bundle

- name: Build Bundle Image
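Review bot: dropping the explicit IMAGE_REGISTRY=, IMAGE_REPO= and RELEASE_TAG= prefixes in front of make bundle relies on those variables reaching make through the process environment, which values written to GITHUB_ENV in earlier steps do provide, so the behaviour is preserved. Because run steps are not started with set -u, a variable that an earlier step failed to set is passed to make as an empty string rather than stopping the job; a one-line guard before the make call, e.g. : "${IMAGE_REGISTRY:?}" "${IMAGE_REPO:?}" "${RELEASE_TAG:?}", makes the step fail with a clear message instead. RELEASE_TAG is also not assigned anywhere in the visible hunks of this file, so it is worth confirming that an earlier step in build-main.yml exports it; the Build Bundle step in build-release.yml would benefit from the same guard.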
Expand All @@ -86,5 +88,9 @@ jobs:
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_PASSWORD }}

- run: echo "Operator Image pushed to ${{ steps.push-operator-image.outputs.registry-paths }}"
- run: echo "Bundle Image pushed to ${{ steps.push-bundle-image.outputs.registry-paths }}"
- run: |
echo "Operator Image pushed to ${OPERATOR_IMAGE_REGISTRY_PATHS}"
echo "Bundle Image pushed to ${BUNDLE_IMAGE_REGISTRY_PATHS}"
env:
OPERATOR_IMAGE_REGISTRY_PATHS: ${{ steps.push-operator-image.outputs.registry-paths }}
BUNDLE_IMAGE_REGISTRY_PATHS: ${{ steps.push-bundle-image.outputs.registry-paths }}
28 changes: 18 additions & 10 deletions .github/workflows/build-release.yml
Expand Up @@ -8,6 +8,9 @@ on:
branches:
- ghactions

permissions:
contents: read

jobs:
build-release:
name: Build and push a tag image
Expand All @@ -24,9 +27,13 @@ jobs:
id: go
- name: Set Env Tags
run: |
echo RELEASE_TAG=$(echo $GITHUB_REF | cut -d '/' -f 3) >> $GITHUB_ENV
echo IMAGE_REGISTRY=$(echo ${{ secrets.IMAGE_REGISTRY }} | cut -d '/' -f 1) >> $GITHUB_ENV
echo IMAGE_REPO=$(echo ${{ secrets.IMAGE_REGISTRY }} | cut -d '/' -f 2) >> $GITHUB_ENV
{
echo "RELEASE_TAG=$(echo "${GITHUB_REF}" | cut -d '/' -f 3)"
echo "IMAGE_REGISTRY=$(echo "${_IMAGE_REGISTRY}" | cut -d '/' -f 1)"
echo "IMAGE_REPO=$(echo "${_IMAGE_REGISTRY}" | cut -d '/' -f 2)"
} >> "${GITHUB_ENV}"
env:
_IMAGE_REGISTRY: ${{ secrets.IMAGE_REGISTRY }}

- name: Build Operator Image
id: build-operator-image
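Review bot: the RELEASE_TAG line in the Set Env Tags step, RELEASE_TAG=$(echo "${GITHUB_REF}" | cut -d '/' -f 3), produces the wrong value for two cases this workflow's triggers cover: a push to the ghactions branch (listed under branches at the top of the file) yields refs/heads/ghactions, so the release tag becomes a branch name, and a tag containing a slash such as refs/tags/release/1.2 is truncated to release. The runner already exposes GITHUB_REF_NAME with the full short ref name, so RELEASE_TAG="${GITHUB_REF_NAME}" preserves the whole tag, and a check such as case "${GITHUB_REF}" in refs/tags/*) ;; *) echo "not a tag ref: ${GITHUB_REF}" >&2; exit 1;; esac makes the branch-push case an explicit decision rather than a silently mislabelled image. The IMAGE_REPO line just below it has the same nested-path truncation already flagged on build-main.yml and should be fixed together with it.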
Expand All @@ -52,11 +59,8 @@ jobs:
- name: Build Bundle
id: build-bundle
run: |
IMAGE_REGISTRY=${{ env.IMAGE_REGISTRY }} \
IMAGE_REPO=${{ env.IMAGE_REPO }} \
RELEASE_TAG=${{ env.RELEASE_TAG }} \
VERSION=${{ env.RELEASE_TAG }} \
USE_IMAGE_DIGESTS=true \
VERSION="${RELEASE_TAG}" \
USE_IMAGE_DIGESTS="true" \
make bundle

# This is a very naive implementation. Mainly for PoC
Expand Down Expand Up @@ -85,5 +89,9 @@ jobs:
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_PASSWORD }}

- run: echo "Operator Image pushed to ${{ steps.push-operator-image.outputs.registry-paths }}"
- run: echo "Bundle Image pushed to ${{ steps.push-bundle-image.outputs.registry-paths }}"
- run: |
echo "Operator Image pushed to ${OPERATOR_IMAGE_REGISTRY_PATHS}"
echo "Bundle Image pushed to ${BUNDLE_IMAGE_REGISTRY_PATHS}"
env:
OPERATOR_IMAGE_REGISTRY_PATHS: ${{ steps.push-operator-image.outputs.registry-paths }}
BUNDLE_IMAGE_REGISTRY_PATHS: ${{ steps.push-bundle-image.outputs.registry-paths }}
3 changes: 3 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -4,6 +4,9 @@ on:
pull_request:
branches: [ main ]

permissions:
contents: read

jobs:
sanity:
name: sanity