Commit adb854d

Validate and Construct sync Parameters
Why these changes are being introduced:
First, we want to ensure that the only additional parameters supplied by the caller workflow are `--include` and `--exclude` parameters. Second, since we pass the parameters via an `env:` block, we have to be extra careful with double-quotes (which are required by the `aws s3 sync` command, but typically get stripped when expanded in a bash script).

How these changes are implemented:
* Add a block to the validation step to throw an error if there is any other parameter in the SYNC_PARAMS input outside of `--include` and `--exclude`
* If the SYNC_PARAMS is valid, merge it together with the other stock `--exclude` parameters and set one string in the GITHUB_ENV with the full list of includes and excludes
* Add the `eval` command to properly expand the `aws s3 sync` command and preserve the double-quotes where they are required

Side effects:
None.
1 parent a4e2620 commit adb854d
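
The goal stated in the commit message (accept only `--include` and `--exclude`, and keep each double-quoted pattern as one argument) can also be met without `eval`. The following is an added example, not code from this commit or repository; it assumes every pattern is double-quoted and limited to the characters `A-Za-z0-9_./*?-`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the commit): allowlist validation and eval-free
# argument building for a SYNC_PARAMS-style string. The pattern character set
# and all function names are assumptions.

NL='
'
# One flag/pattern pair: --include or --exclude, then a double-quoted pattern.
PAIR='--(include|exclude) +"[A-Za-z0-9_./*?-]+"'

# Succeeds only for an empty string or space-separated PAIRs on a single line.
sync_params_ok() {
    case "$1" in
        "") return 0 ;;
        *"$NL"*) return 1 ;;  # a newline would start a new line in GITHUB_ENV
    esac
    printf '%s\n' "$1" | LC_ALL=C grep -Eq -e "^ *$PAIR( +$PAIR)* *\$"
}

# Prints one argument per line. xargs strips the double quotes without
# running the text through a shell, so nothing is expanded or executed.
sync_params_tokens() {
    sync_params_ok "$1" || return 1
    if [ -n "$1" ]; then
        printf '%s\n' "$1" | xargs printf '%s\n'
    fi
}

# Usage: run_with_sync_params "<params>" command [args...]
# Appends the stock excludes and the validated caller parameters to the
# command line, one argument per token, then runs it.
run_with_sync_params() {
    params=$1
    shift
    tokens=$(sync_params_tokens "$params") || return 1
    old_ifs=$IFS
    IFS=$NL
    set -f  # no globbing while the tokens are split on newlines
    set -- "$@" --exclude ".github/*" --exclude ".git/*" \
        --exclude ".gitignore" $tokens
    set +f
    IFS=$old_ifs
    "$@"
}
```

In the sync step this would be invoked as `run_with_sync_params "$SYNC_PARAMS" aws s3 sync "$SOURCE_PATH" "$S3_URI" --delete`.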

1 file changed

Lines changed: 26 additions & 11 deletions

.github/workflows/cdn-shared-publish.yml

@@ -65,14 +65,17 @@ jobs:
6565
- name: Validate
6666
# Verify that the DOMAIN & ENVIRONMENT inputs are using the correct
6767
# values. Verify that the SOURCE_PATH and TARGET_PATH inputs are
68-
# formatted correctly.
68+
# formatted correctly and ensure this supports legacy caller workflows.
69+
# Validate the SYNC_PARAMS input to only allow `--exclude` and
70+
# `--include` parameters.
6971
id: validate
7072
env:
7173
DOMAIN: ${{ inputs.DOMAIN }}
7274
ENVIRONMENT: ${{ inputs.ENVIRONMENT }}
7375
SOURCE_PATH: ${{ inputs.SOURCE_PATH }}
7476
S3URI: ${{ inputs.S3URI }}
7577
TARGET_PATH: ${{ inputs.TARGET_PATH }}
78+
SYNC_PARAMS: ${{ inputs.SYNC_PARAMS }}
7679
run: |
7780
case "$DOMAIN" in
7881
standard|custom)
@@ -98,6 +101,7 @@ jobs:
98101
echo "Invalid SOURCE_PATH=$SOURCE_PATH, exiting."
99102
exit 1
100103
fi
104+
101105
if [[ "$S3URI" == "" ]]; then
102106
if [[ "${TARGET_PATH:0:1}" == "/" ]]; then
103107
echo "Valid TARGET_PATH=$TARGET_PATH, proceed."
@@ -106,7 +110,7 @@ jobs:
106110
exit 1
107111
fi
108112
else
109-
echo "Legacy caller workflow that passed ab S3_URI value."
113+
echo "Legacy caller workflow that passed an S3_URI value."
110114
if [[ "$DOMAIN" == "standard" ]]; then
111115
echo "LEGACY_TARGET_PATH=/$(echo "$S3URI" | awk -F/ '{print $5}')" >> $GITHUB_ENV
112116
echo "LEGACY_SOURCE_PATH=$(echo "$S3URI" | awk -F/ '{print $5}')" >> $GITHUB_ENV
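
Review bot: the corrected message on the `+` line still names `S3_URI`, while the variable this branch tests and parses is `S3URI`, and `S3_URI` is a different variable consumed later by the sync step. Log the input's actual name so the legacy path is unambiguous in the job output. The `>> $GITHUB_ENV` redirections in the context lines are also unquoted, unlike the other expansions in this script.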
@@ -116,6 +120,20 @@ jobs:
116120
echo "LEGACY=true" >> $GITHUB_ENV
117121
fi
118122
123+
if [[ -n "$SYNC_PARAMS" ]]; then
124+
temp_params="${SYNC_PARAMS//--include/}"
125+
temp_params="${temp_params//--exclude/}"
126+
# If there's still a -- in there, it's an invalid flag
127+
if [[ $temp_params =~ -- ]]; then
128+
echo "Invalid SYNC_PARAMS: only --include and --exclude parameters are allowed, exiting."
129+
exit 1
130+
fi
131+
echo "Valid SYNC_PARAMS, proceed."
132+
echo "VALID_SYNC_PARAMS=--exclude \".github/*\" --exclude \".git/*\" --exclude \".gitignore\" $SYNC_PARAMS" >> $GITHUB_ENV
133+
else
134+
echo "VALID_SYNC_PARAMS=--exclude \".github/*\" --exclude \".git/*\" --exclude \".gitignore\"" >> $GITHUB_ENV
135+
fi
136+
119137
- name: Set Environment
120138
# Prepare environment variables for the synchronization job.
121139
id: env
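
Review bot: the check at `if [[ $temp_params =~ -- ]]` only looks for a leftover `--`, so it rejects other long flags but accepts everything else: quotes, `;`, `|`, `&`, `$(...)`, backticks and newlines all pass, and so does a flag that merely begins with `--include` or `--exclude`. That matters in two places: the value is appended to a `NAME=value` line in `$GITHUB_ENV`, where an embedded newline starts a new assignment, and it is later expanded inside `eval`. Validate positively instead: reject newlines, then require the whole string to match repeated `--include "<pattern>"` / `--exclude "<pattern>"` pairs with an explicit character allowlist for the pattern. The stock excludes string is also duplicated in both branches; build it once and append `$SYNC_PARAMS` only when it is set.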
@@ -151,9 +169,9 @@ jobs:
151169
aws-region: ${{ inputs.AWS_REGION }}
152170
role-to-assume: ${{ env.AWS_ROLE }}
153171

154-
- name: Get AWS Information
172+
- name: Set S3 Target URI
155173
# Set the correct S3 URI for the synchronization job
156-
id: aws_info
174+
id: s3_target
157175
env:
158176
AWS_REGION: ${{ inputs.AWS_REGION }}
159177
DOMAIN: ${{ inputs.DOMAIN }}
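
Review bot: the step `id` changes from `aws_info` to `s3_target`, and nothing in this hunk shows whether other steps read `steps.aws_info.outputs.*`. Confirm no remaining expression uses the old id, since such a reference evaluates to an empty string rather than failing the job.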
@@ -182,7 +200,7 @@ jobs:
182200
env:
183201
S3_URI: ${{ env.S3_URI }}
184202
SOURCE_PATH: ${{ env.LEGACY && env.LEGACY_SOURCE_PATH || inputs.SOURCE_PATH }}
185-
SYNC_PARAMS: ${{ inputs.SYNC_PARAMS }}
203+
VALID_SYNC_PARAMS: ${{ env.VALID_SYNC_PARAMS }}
186204
run: |
187205
echo "### Content synchronization to $S3_URI." >> $GITHUB_STEP_SUMMARY
188206
if [[ "$S3_URI" == *"cdn/"* ]]; then
@@ -191,12 +209,9 @@ jobs:
191209
echo "Custom CDN content is synchronizing"
192210
fi
193211
cd "$GITHUB_WORKSPACE"
194-
aws s3 sync "$SOURCE_PATH" "$S3_URI" \
195-
--delete \
196-
--exclude ".github/*" \
197-
--exclude ".git/*" \
198-
--exclude ".gitignore" \
199-
$SYNC_PARAMS
212+
eval "aws s3 sync \"$SOURCE_PATH\" \"$S3_URI\" \
213+
--delete \
214+
$VALID_SYNC_PARAMS"
200215
echo "Content is synchronized to $S3_URI." >> $GITHUB_STEP_SUMMARY
201216
202217
- name: Invalidate cache
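
Review bot: the `eval "aws s3 sync ..."` line re-parses `$SOURCE_PATH`, `$S3_URI` and `$VALID_SYNC_PARAMS` as shell source, so a `"`, `;`, backtick or `$(...)` in any of them is interpreted on the runner while the assumed AWS role is configured, and the SYNC_PARAMS check in the Validate step does not filter those characters. Prefer dropping `eval`: split the validated parameters into a bash array and call `aws s3 sync "$SOURCE_PATH" "$S3_URI" --delete "${sync_args[@]}"` (array name illustrative), which keeps each pattern as a single argument without a second round of parsing. If `eval` stays, the validation has to allowlist every character that reaches it, including those in `SOURCE_PATH`.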
