You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
jenkins: validate setup.sh inputs, pipefail in cgSign/Verify, lockfile cleanup
Five Copilot findings from the eleventh pass on PR #330:
- setup.sh: trim + validate user-supplied CHAINGUARD_ORG and
PUSH_REGISTRY (sanitize_env_value + validate_env_value helpers)
before persisting. Rejects empty, internal whitespace, and quotes —
all of which would silently break .env parsing by docker compose /
JCasC / bash `source`. Also re-validates values inherited from .env
so a hand-edited corruption surfaces at setup.sh entry rather than
mid-`terraform apply`.
- cgSign + cgVerify: switch the digest-resolution sh blocks from
`set -eu` to `set -eu -o pipefail` so a failing `docker image
inspect` mid-pipeline surfaces as the script's exit status rather
than being masked by the trailing `head -1` returning 0.
- teardown.sh: also remove iac/.terraform.lock.hcl and
harbor/terraform/.terraform.lock.hcl on cleanup. They're generated
by terraform init and gitignored, so a "full teardown" leaving them
behind contradicts the script's stated goal. (Preserved alongside
iac/terraform.tfstate when TF_DESTROY_FAILED so the user can retry.)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
0 commit comments