fix: harden docker tag generation inputs and validation

Added explicit validation for IMAGE_NAME and DEFAULT_TAG to prevent empty values Implemented per-tag validation loop to catch empty or malformed tags before build Added debug step to echo generated tags immediately before build-push-action Ensures invalid Docker references are caught early with descriptive errors
2026-02-09 00:25:50 +00:00
parent 52bd05004e
commit fe580d9e23
4 changed files with 334 additions and 0 deletions
--- a/.github/workflows/ci-pipeline.yml
+++ b/.github/workflows/ci-pipeline.yml
@@ -157,6 +157,10 @@ jobs:
      - name: Normalize image name
        run: |
          IMAGE_NAME=$(echo "${{ env.IMAGE_NAME }}" | tr '[:upper:]' '[:lower:]')
+          if [ -z "$IMAGE_NAME" ]; then
+            echo "::error::IMAGE_NAME is empty!"
+            exit 1
+          fi
          echo "IMAGE_NAME=${IMAGE_NAME}" >> "$GITHUB_ENV"

      - name: Determine image push policy
@@ -176,6 +180,11 @@ jobs:
        env:
          PR_HEAD_REF: ${{ github.head_ref }}
        run: |
+          if [ -z "$IMAGE_NAME" ]; then
+            echo "::error::IMAGE_NAME is empty!"
+            exit 1
+          fi
+
          SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
          DEFAULT_TAG="sha-${SHORT_SHA}"
          BRANCH_NAME="${{ github.ref_name }}"
@@ -191,6 +200,11 @@ jobs:
            fi
          fi

+          if [ -z "$DEFAULT_TAG" ]; then
+            echo "::error::DEFAULT_TAG is empty!"
+            exit 1
+          fi
+
          sanitize_tag() {
            local raw="$1"
            local max_len="$2"
@@ -266,6 +280,24 @@ jobs:
            TAGS+=("${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly")
          fi

+          if [ ${#TAGS[@]} -eq 0 ]; then
+            echo "::error::No tags generated!"
+            exit 1
+          fi
+
+          for tag in "${TAGS[@]}"; do
+            if [ -z "$tag" ]; then
+              echo "::error::Generated tag is empty!"
+              exit 1
+            fi
+            if [[ "$tag" =~ [[:space:]] ]]; then
+              echo "::error::Generated tag contains whitespace: $tag"
+              exit 1
+            fi
+          done
+
+          printf '%s\n' "${TAGS[@]}"
+
          {
            echo "tags<<EOF"
            printf '%s\n' "${TAGS[@]}"
@@ -295,6 +327,9 @@ jobs:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

+      - name: Echo generated tags
+        run: echo "${{ steps.tags.outputs.tags }}"
+
      - name: Build and push Docker image
        id: push
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6