diff --git a/.github/workflows/yaml-diff.yaml b/.github/workflows/yaml-diff.yaml
index 7faed45..6119271 100644
--- a/.github/workflows/yaml-diff.yaml
+++ b/.github/workflows/yaml-diff.yaml
@@ -24,7 +24,8 @@ on:
 default: "**/*.enc.yaml .github/** .pre-commit-config.yaml"
 description: >-
 Space-separated glob patterns to exclude. Patterns ending in `/**` match a directory
- prefix; patterns without `/` match by basename; otherwise exact path match.
+ prefix; patterns of the form `**/` match `` against the basename at any
+ depth; patterns without `/` match by basename; otherwise exact path match.
 SOPS-encrypted files must remain excluded.
 permissions: {}
@@ -106,18 +107,24 @@ jobs:
 read -r -a path_globs <<< "${PATHS}"
 read -r -a exclude_globs <<< "${EXCLUDE_PATHS}"
- # Exclude matcher. Handles three common pattern shapes:
+ # Exclude matcher. Handles these pattern shapes:
 # foo/** — directory prefix
+ # **/*.something — basename glob at any depth
 # *.something — basename match (no slash in pattern)
 # anything else — exact path match
 should_exclude() {
 local path="$1"
- local g prefix
+ local g prefix base_glob
 for g in "${exclude_globs[@]}"; do
 if [[ "${g}" == */"**" ]]; then
 prefix="${g%/**}"
 [[ "${path}" == "${prefix}/"* ]] && return 0
 [[ "${path}" == "${prefix}" ]] && return 0
+ elif [[ "${g}" == "**/"* && "${g#**/}" != *"/"* ]]; then
+ # `**/` — match against the basename at any depth (e.g. `**/*.enc.yaml`)
+ base_glob="${g#**/}"
+ # shellcheck disable=SC2053
+ [[ "$(basename "${path}")" == ${base_glob} ]] && return 0
 elif [[ "${g}" != *"/"* ]]; then
 # shellcheck disable=SC2053
 [[ "$(basename "${path}")" == ${g} ]] && return 0
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b9773cc..f62d6cc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
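Review bot: The new `**/` branch closes the gap only for the `**/<basename-glob>` shape; a pattern such as `**/secrets/*.yaml` or `config/*.enc.yaml` still falls past the `elif` chain to what the comments call the exact path match, where — going by the changelog's own description of the old default — a quoted comparison against a glob can never match, so the file is silently diffed and posted. Because this exclude list is the control that keeps SOPS-encrypted content out of PR comments, an unsupported pattern should fail the job rather than fail open; a validation pass over `exclude_globs` right after the `read -r -a` lines would do it (sketch below). Both basename branches could also use `${path##*/}` instead of `$(basename "${path}")`, saving a fork per pattern per file. `should_exclude()`'s final branch, loop close and `}` lie outside the hunk, so whether it ends with an explicit `return 1` cannot be seen here.
```bash
read -r -a exclude_globs <<< "${EXCLUDE_PATHS}"

# Fail closed: an exclude pattern that should_exclude() cannot honour aborts
# the job instead of silently letting matching files through.
for g in "${exclude_globs[@]}"; do
  if [[ "${g}" == */"**" || "${g}" != *"/"* ]]; then
    continue  # directory-prefix and plain-basename shapes are supported
  elif [[ "${g}" == "**/"* && "${g#**/}" != *"/"* ]]; then
    continue  # **/<basename-glob> shape is supported
  elif [[ "${g}" == *"*"* || "${g}" == *"?"* || "${g}" == *"["* ]]; then
    printf 'unsupported exclude pattern %q (use foo/**, **/*.ext, *.ext or an exact path)\n' "${g}" >&2
    exit 1
  fi
done
# … unchanged: should_exclude() definition …
```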
@@ -6,6 +6,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 however this project does not use Semantic Versioning and there are no releases. Instead this file uses a date-based structure.
+## 2026-06-30
+
+### Fixed
+
+- `yaml-diff.yaml`'s `should_exclude()` now correctly excludes the default `**/*.enc.yaml` (SOPS) pattern. Patterns containing a `/` but not ending in `/**` fell through to a quoted, non-glob exact-match comparison that never matched, so SOPS-encrypted files were diffed and their contents posted as PR comments — the opposite of the documented default. A new matcher branch handles the `**/` shape by matching `` against the basename at any depth. Verified end-to-end against giantswarm/gitops-template#136.
+
 ## 2026-06-24
 ### Security