amp-devcontainer/.github/workflows/wc-sanitize-image-name.yml at eb8a54fe2a33bafe46c9f58fd6e62c1245367e96 · philips-software/amp-devcontainer · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
---
name: Sanitize Image Name

on:
  workflow_call:
    inputs:
      image-name:
        required: true
        type: string
      registry:
        required: true
        type: string
      runner-labels:
        required: true
        type: string
    outputs:
      image-basename:
        description: The sanitized base name of the image (without registry or tag)
        value: ${{ jobs.sanitize.outputs.image-basename }}
      image-name:
        description: The sanitized name of the image (without registry or tag)
        value: ${{ jobs.sanitize.outputs.image-name }}
      fully-qualified-image-name:
        description: The fully qualified name of the image including registry (but without tag)
        value: ${{ jobs.sanitize.outputs.fully-qualified-image-name }}

permissions: {}

jobs:
  sanitize:
    name: Sanitize Image Name
    runs-on: ${{ fromJson(inputs.runner-labels) }}
    outputs:
      image-basename: ${{ steps.sanitize-image-name.outputs.sanitized-basename }}
      image-name: ${{ steps.sanitize-image-name.outputs.sanitized-image-name }}
      fully-qualified-image-name: ${{ inputs.registry }}/${{ steps.sanitize-image-name.outputs.sanitized-image-name }}
    steps:
      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
        with:
          disable-sudo-and-containers: true
          allowed-endpoints: >
            api.github.com:443
      - name: Sanitize image name
        id: sanitize-image-name
        env:
          IMAGE_NAME: ${{ inputs.image-name }}
        run: |
          set -Eeuo pipefail

          # Split all image name components (on '/') and sanitize each component independently.
          # Rules: lowercase; allowed chars a-z0-9._- ; collapse invalid sequences to single '-'; trim leading/trailing '-'.
          IFS='/' read -r -a PARTS <<< "$IMAGE_NAME"
          SANITIZED_PARTS=()

          for PART in "${PARTS[@]}"; do
            SANITIZED_PART=$(echo "$PART" | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9._-]+/-/g' | sed -E 's/^-+|-+$//g')
            if [ -z "$SANITIZED_PART" ]; then
              echo "Invalid or empty component after sanitization in image component: '$PART', please correct your image name: '$IMAGE_NAME'" >&2
              exit 1
            fi
            SANITIZED_PARTS+=("$SANITIZED_PART")
          done

          SANITIZED_IMAGE_NAME=$(IFS='/'; echo "${SANITIZED_PARTS[*]}")
          SANITIZED_BASENAME=${SANITIZED_PARTS[-1]}
          echo "sanitized-image-name=$SANITIZED_IMAGE_NAME" >> "$GITHUB_OUTPUT"
          echo "sanitized-basename=$SANITIZED_BASENAME" >> "$GITHUB_OUTPUT"