
Commit f1c7f43

authored
Merge pull request #6150 from mozilla/MNTOR-5023
fix: add input validation for production deployment workflow
2 parents 733db23 + 0dcb2ba commit f1c7f43


1 file changed

+8
-6
lines changed


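--- a/.github/workflows/production_deploy.yml
+++ b/.github/workflows/production_deploy.yml
@@ -18,6 +18,7 @@ on:
 description: 'The original image tag that has been deployed'
 required: true
 type: string
+pattern: '^[a-f0-9]{7,12}$'
 jobs:
 pull_retag_push:
 name: Pull, Retag, and Push Images
@@ -31,6 +32,7 @@ jobs:
 GAR_IMAGE_BASE: ${{ vars.GAR_REPO }}/${{ github.event.repository.name }}
 GAR_REGISTRY: us-docker.pkg.dev # Define GAR registry hostname
 DOCKERHUB_IMAGE: mozilla/blurts-server # Define Docker Hub image name
+SAFE_IMAGE_TAG: ${{ inputs.originalImageTag }}
 steps:
 - name: Checkout Repository
 uses: actions/checkout@v5
@@ -60,19 +62,19 @@ jobs:
 password: ${{ steps.gcp-auth.outputs.access_token }}
 
 - name: Pull Docker Hub image
-run: docker pull ${{ env.DOCKERHUB_IMAGE }}:${{ inputs.originalImageTag }}
+run: docker pull "${{ env.DOCKERHUB_IMAGE }}:${{ env.SAFE_IMAGE_TAG }}"
 
 - name: Retag Docker Hub image
-run: docker tag ${{ env.DOCKERHUB_IMAGE }}:${{ inputs.originalImageTag }} ${{ env.DOCKERHUB_IMAGE }}:${{ inputs.environment }}-${{ inputs.originalImageTag }}
+run: docker tag "${{ env.DOCKERHUB_IMAGE }}:${{ env.SAFE_IMAGE_TAG }}" "${{ env.DOCKERHUB_IMAGE }}:${{ inputs.environment }}-${{ env.SAFE_IMAGE_TAG }}"
 
 - name: Push Docker Hub image
-run: docker push ${{ env.DOCKERHUB_IMAGE }}:${{ inputs.environment }}-${{ inputs.originalImageTag }}
+run: docker push "${{ env.DOCKERHUB_IMAGE }}:${{ inputs.environment }}-${{ env.SAFE_IMAGE_TAG }}"
 
 - name: Pull GAR image
-run: docker pull ${{ env.GAR_IMAGE_BASE }}:${{ inputs.originalImageTag }}
+run: docker pull "${{ env.GAR_IMAGE_BASE }}:${{ env.SAFE_IMAGE_TAG }}"
 
 - name: Retag GAR image
-run: docker tag ${{ env.GAR_IMAGE_BASE }}:${{ inputs.originalImageTag }} ${{ env.GAR_IMAGE_BASE }}:${{ inputs.environment }}-${{ inputs.originalImageTag }}
+run: docker tag "${{ env.GAR_IMAGE_BASE }}:${{ env.SAFE_IMAGE_TAG }}" "${{ env.GAR_IMAGE_BASE }}:${{ inputs.environment }}-${{ env.SAFE_IMAGE_TAG }}"
 
 - name: Push GAR image
-run: docker push ${{ env.GAR_IMAGE_BASE }}:${{ inputs.environment }}-${{ inputs.originalImageTag }}
+run: docker push "${{ env.GAR_IMAGE_BASE }}:${{ inputs.environment }}-${{ env.SAFE_IMAGE_TAG }}"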
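Review bot: The `run:` lines in the third hunk still splice the input into the script text at template-expansion time, because `${{ env.SAFE_IMAGE_TAG }}` is expanded by the workflow engine exactly as `${{ inputs.originalImageTag }}` was, so moving the value into `env` only helps if each step reads it as a shell variable, i.e. `docker pull "${{ env.DOCKERHUB_IMAGE }}:$SAFE_IMAGE_TAG"` rather than `"${{ env.DOCKERHUB_IMAGE }}:${{ env.SAFE_IMAGE_TAG }}"`; the added double quotes narrow what a malformed value can do but do not remove the injection point, since the value lands in the script before the shell sees the quotes. I am also not aware of `pattern:` being a recognised key for `workflow_dispatch` inputs (first hunk), so it may be silently ignored by the runner; worth confirming, and in any case the same regex should be enforced by a step that runs before the first `docker pull`, so a non-hex tag fails the job instead of reaching the Docker commands. `inputs.environment` is still interpolated directly into the tag names in the same lines, which is acceptable only if it is a `choice` input, and its declaration is outside this diff.
```yaml
      - name: Validate image tag
        run: |
          if [[ ! "$SAFE_IMAGE_TAG" =~ ^[a-f0-9]{7,12}$ ]]; then
            echo "::error::originalImageTag must be 7-12 lowercase hex characters"
            exit 1
          fi

      - name: Pull Docker Hub image
        run: docker pull "${{ env.DOCKERHUB_IMAGE }}:$SAFE_IMAGE_TAG"

      # … unchanged: remaining retag/push steps, with $SAFE_IMAGE_TAG in place of ${{ env.SAFE_IMAGE_TAG }} …
```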
