fix(example): fix setting INFRASTRUCTURE_REPO in resolve-env-vars step in backend_default_workflow.yml

AdrianAulbach · AdrianAulbach · commit 7ba42683f8b7 · 2026-04-21T13:40:54.000+02:00
add secret value validation to example backend_default_workflow.yml
diff --git a/.github/examples/backend/.github/workflows/backend_default_workflow.yml b/.github/examples/backend/.github/workflows/backend_default_workflow.yml
@@ -1,4 +1,4 @@
-name: "backend default workflow"
+name: "backend workflow"
 
 permissions:
   contents: write
@@ -44,6 +44,27 @@ jobs:
         run: |
           echo "resolving environment specific variables for environment ${{ needs.set-env.outputs.environment }}"
           echo "infrastructure_repo=${{ vars.INFRASTRUCTURE_REPO }}"
+          echo "infrastructure_repo=${{ vars.INFRASTRUCTURE_REPO }}" >> "$GITHUB_OUTPUT"
+
+  validate-secret-values:
+    runs-on: ubuntu-latest
+    needs: [ set-env, resolve-env-vars ]
+    environment:  ${{ needs.set-env.outputs.environment }}
+    steps:
+      - name: Validate secret values
+        env:
+          AWS_DEPLOYMENT_ROLE_ARN: ${{ secrets.AWS_DEPLOYMENT_ROLE_ARN }}
+          AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+        run: |
+          echo "Validating secret values for environment ${{ needs.set-env.outputs.environment }}"
+          AWS_ROLE_PATTERN='^arn:aws:iam::[0-9]{12}:role\/[A-Za-z0-9+=,.@_-]+$'
+          echo "Roles should match pattern: $AWS_ROLE_PATTERN"
+          if [[ ! "$AWS_DEPLOYMENT_ROLE_ARN" =~ $AWS_ROLE_PATTERN ]]; then
+            echo "Invalid AWS_DEPLOYMENT_ROLE_ARN, does not match pattern $AWS_ROLE_PATTERN"
+            echo "Secret value length: ${#AWS_DEPLOYMENT_ROLE_ARN}"
+            exit 1
+          fi
+          echo "All secret values are valid"
 
   backend-workflow:
     name: "."
@@ -63,8 +84,8 @@ jobs:
       semver-app-id: ${{vars.SEMVER_APP_ID}}
       gitleaks-app-id: ${{ vars.GH_ORG_GITLEAKS_APP_ID }}
       aws-region: ${{ vars.AWS_REGION }}
-      ecr-repository-name: 'agate-test-backend'
+      ecr-repository-name: 'agate-test-backend' # CHANGEME
       deployment-app-id: ${{ vars.PC_CORE_BLW_AGATE_DEV_DEPLOY_APP_ID}}
-      application-name: 'agate-test-backend'
+      application-name: 'agate-test-backend' # CHANGEME
       infrastructure_repo: ${{ needs.resolve-env-vars.outputs.infrastructure_repo }}
       github-organization: 'blw-ofag-ufag'
