Skip to content

Commit 30ca621

Browse files
authored
Sanitize build refs for docker build names (#1355)
1 parent b058ece commit 30ca621

1 file changed

Lines changed: 34 additions & 0 deletions

File tree

.github/workflows/reusable-docker-build.yml

Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -79,10 +79,44 @@ jobs:
7979
8080
TAGS="${{ inputs.tags }}"
8181
TAG_ARGS=""
82+
83+
sanitize_image_ref() {
84+
local ref="$1"
85+
local after_slash="${ref##*/}"
86+
87+
# Only sanitize the *tag* portion (after the last ':', and only if
88+
# that ':' occurs after the last '/'). This avoids breaking
89+
# registries with ports like "registry:5000/repo:tag".
90+
if [[ "$after_slash" == *:* ]]; then
91+
local name="${ref%:*}"
92+
local tag="${ref##*:}"
93+
94+
# Docker tags must match [A-Za-z0-9_][A-Za-z0-9_.-]{0,127}
95+
# Replace common offenders (like '/' from refs/heads/...) with '-'.
96+
local safe_tag="${tag//\//-}"
97+
safe_tag="${safe_tag// /-}"
98+
safe_tag="${safe_tag//:/-}"
99+
safe_tag="${safe_tag//[^A-Za-z0-9_.-]/-}"
100+
safe_tag="${safe_tag#[-.]}" # strip leading '-' or '.'
101+
safe_tag="${safe_tag:0:128}"
102+
103+
if [[ -z "$safe_tag" ]]; then
104+
safe_tag="sha-${GITHUB_SHA}"
105+
safe_tag="${safe_tag:0:128}"
106+
fi
107+
108+
printf '%s:%s' "$name" "$safe_tag"
109+
return 0
110+
fi
111+
112+
printf '%s' "$ref"
113+
}
114+
82115
IFS=',' read -ra TAG_ARR <<< "$TAGS"
83116
for t in "${TAG_ARR[@]}"; do
84117
t="$(echo "$t" | xargs)"
85118
if [ -n "$t" ]; then
119+
t="$(sanitize_image_ref "$t")"
86120
TAG_ARGS="$TAG_ARGS -t $t"
87121
fi
88122
done

0 commit comments

Comments
 (0)