Commit 266a504
fix(ci): add input validation and allowlist enforcement for compute types
Addresses 5 security findings:
1. CRITICAL: deploy.yml wildcard case now validates intent against
ALLOWED_COMPUTE_TYPES before passing to matrix. Invalid values
cause the workflow to fail with an error annotation.
2. MEDIUM: PR label deploy:<type> values are filtered through
validate_compute_type(). Invalid labels emit a warning and are
ignored rather than passed to the deploy matrix.
3. MEDIUM: sanitize() now lowercases input and prefixes "s-" if the
result starts with a digit (CloudFormation requires letter start).
4. LOW: deploy-intent.json is now written with jq (safe JSON encoding)
instead of shell string interpolation.
5. LOW: PR_NUMBER is validated as numeric before use in stack names.
The ALLOWED_COMPUTE_TYPES allowlist is defined as an env var in each
step that performs validation. When new compute types are added to the
matrix, this allowlist must be updated in both build.yml and deploy.yml.
Part of #73 Phase 3.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 382c551, commit 266a504
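The five checks the commit message describes, written as standalone shell functions so they can be exercised outside a workflow run. This is an added illustration, not the project's own code from build.yml or deploy.yml; the allowlist values, the exact sanitize() rules beyond lowercasing and the "s-" prefix, and the JSON field names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the repository's workflow code. Allowlist values are
# constructed placeholders; the real list lives in build.yml and deploy.yml.
set -u
export LC_ALL=C
ALLOWED_COMPUTE_TYPES="${ALLOWED_COMPUTE_TYPES:-lambda fargate ec2}"

# Exact, whole-string match against the allowlist; anything else is rejected.
validate_compute_type() {
  local candidate="$1" t
  for t in $ALLOWED_COMPUTE_TYPES; do
    [ "$candidate" = "$t" ] && return 0
  done
  return 1
}

# Lowercase, replace characters outside [a-z0-9] with "-", collapse and trim
# separators, then prefix "s-" when the result starts with a digit
# (CloudFormation stack names must begin with a letter). Assumed rule set.
sanitize() {
  local s
  s=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -c 'a-z0-9' '-')
  s=$(printf '%s' "$s" | sed -E 's/-+/-/g; s/^-//; s/-$//')
  case "$s" in
    [0-9]*) s="s-$s" ;;
  esac
  printf '%s' "$s"
}

# PR_NUMBER must be all digits before it is interpolated into a stack name.
validate_pr_number() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Keep only deploy:<type> labels whose <type> passes the allowlist;
# invalid ones produce a workflow warning annotation and are dropped.
deploy_types_from_labels() {
  local label type out=""
  for label in "$@"; do
    case "$label" in deploy:*) ;; *) continue ;; esac
    type="${label#deploy:}"
    if validate_compute_type "$type"; then out="$out $type"
    else echo "::warning::ignoring label '$label': not in ALLOWED_COMPUTE_TYPES" >&2
    fi
  done
  printf '%s' "${out# }"
}

# Encode deploy-intent.json with jq so quotes or braces in a value cannot
# break the JSON, which shell string interpolation would allow.
write_intent_json() {
  jq -cn --arg type "$1" --arg pr "$2" '{compute_type: $type, pr_number: $pr}'
}
```

Run with `bash` and call the functions directly; `write_intent_json lambda 73` needs `jq` on the PATH.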
2 files changed
Lines changed: 66 additions & 9 deletions
Diff table: the changed-line content of this file did not survive extraction; only the line-number skeleton remains. Recoverable hunk outline (old line numbers / new line numbers): context 32-34 / 32-34, +1 line at new 35, context 35-36 / 36-37, +23 lines at new 38-60, context 37-39 / 61-63; context 43-45 / 67-69, -1 line at old 46, context 47-49 / 70-72; context 56-58 / 79-81, -3 lines at old 59-61, +11 lines at new 82-92, context 62-64 / 93-95; context 68-70 / 99-101, -1 line at old 71, +5 lines at new 102-106, context 72-74 / 107-109.