Skip to content

fix(yaml-diff): exclude **/*.enc.yaml SOPS files#231

Merged
weatherhog merged 2 commits into
mainfrom
fix/yaml-diff-enc-exclusion
Jun 30, 2026
Merged

fix(yaml-diff): exclude **/*.enc.yaml SOPS files#231
weatherhog merged 2 commits into
mainfrom
fix/yaml-diff-enc-exclusion

Conversation

@weatherhog

Copy link
Copy Markdown
Contributor

Problem

yaml-diff.yaml ships with a default exclude_paths of **/*.enc.yaml .github/** .pre-commit-config.yaml, and the design notes state SOPS files are excluded. They aren't.

should_exclude() only handled three pattern shapes:

  • foo/** → directory prefix
  • *.something (no slash) → basename glob
  • anything else → exact, quoted (non-glob) path comparison

**/*.enc.yaml contains a / but doesn't end in /**, so it fell into the last branch: [[ "${path}" == "${g}" ]] with ${g} quoted, i.e. a literal string compare against **/*.enc.yaml. That never matches a real path, so SOPS-encrypted files were diffed and their contents posted as PR comments — the opposite of the intended/documented behaviour.

Confirmed live in giantswarm/gitops-template#136 (a test PR), where the bot posted a diff of secret.enc.yaml. The production caller in gitops-template uses the default exclude_paths, so this affects real PRs.

Fix

Add a matcher branch for the **/<glob> shape that matches <glob> against the basename at any depth, so **/*.enc.yaml matches .../secret.enc.yaml. The three existing shapes are unchanged and still take precedence (.github/** keeps hitting the /** branch).

elif [[ "${g}" == "**/"* && "${g#**/}" != *"/"* ]]; then
  base_glob="${g#**/}"
  # shellcheck disable=SC2053
  [[ "$(basename "${path}")" == ${base_glob} ]] && return 0

Also updates the input description and the inline comment to document the shape.

Verification

Unit-tested should_exclude() over representative paths — all pass:

path result
…/mapi/apps/x/secret.enc.yaml excluded ✅
deep/nested/foo.enc.yaml excluded ✅
top.enc.yaml excluded ✅
.github/workflows/ci.yaml excluded ✅
.pre-commit-config.yaml excluded ✅
…/configmap.yaml kept ✅
secret.enc.yaml.bak kept ✅

Next: re-point gitops-template#136's caller at this branch to confirm end-to-end that secret.enc.yaml is no longer diffed.

Relates to giantswarm/roadmap#4121.

🤖 Generated with Claude Code

weatherhog and others added 2 commits June 30, 2026 16:51
The default exclude_paths includes `**/*.enc.yaml`, but should_exclude()
had no branch for the `**/<glob>` shape: a pattern containing `/` but not
ending in `/**` fell through to the final `[[ "$path" == "$g" ]]` exact
(quoted, non-glob) comparison, which never matched. As a result SOPS-
encrypted files were NOT excluded and their diffs were posted as PR
comments — the opposite of the documented behaviour.

Add a branch that handles `**/<glob>` by matching <glob> against the
basename at any depth, so `**/*.enc.yaml` matches `.../secret.enc.yaml`.
Verified with a unit test of should_exclude over SOPS / .github / regular
paths, and end-to-end against giantswarm/gitops-template#136.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@weatherhog weatherhog requested a review from a team as a code owner June 30, 2026 14:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants