From d2e0d5226d26d98d85c5194328563e5932932d68 Mon Sep 17 00:00:00 2001
From: Lucas Weatherhog <31103312+weatherhog@users.noreply.github.com>
Date: Tue, 30 Jun 2026 16:51:24 +0200
Subject: [PATCH 1/2] fix(yaml-diff): exclude **/*.enc.yaml SOPS files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The default exclude_paths includes `**/*.enc.yaml`, but should_exclude() had no branch for the `**/` shape: a pattern containing `/` but not ending in `/**` fell through to the final `[[ "$path" == "$g" ]]` exact (quoted, non-glob) comparison, which never matched. As a result SOPS- encrypted files were NOT excluded and their diffs were posted as PR comments — the opposite of the documented behaviour.

Add a branch that handles `**/` by matching against the basename at any depth, so `**/*.enc.yaml` matches `.../secret.enc.yaml`.

Verified with a unit test of should_exclude over SOPS / .github / regular paths, and end-to-end against giantswarm/gitops-template#136.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/yaml-diff.yaml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/yaml-diff.yaml b/.github/workflows/yaml-diff.yaml
index 7faed45..6119271 100644
--- a/.github/workflows/yaml-diff.yaml
+++ b/.github/workflows/yaml-diff.yaml
@@ -24,7 +24,8 @@ on:
 default: "**/*.enc.yaml .github/** .pre-commit-config.yaml"
 description: >-
 Space-separated glob patterns to exclude. Patterns ending in `/**` match a directory
- prefix; patterns without `/` match by basename; otherwise exact path match.
+ prefix; patterns of the form `**/` match `` against the basename at any
+ depth; patterns without `/` match by basename; otherwise exact path match.
 SOPS-encrypted files must remain excluded.
 
 permissions: {}
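Review bot: The second added description line, the one reading "patterns of the form ... match ... against the basename", has an empty backtick pair where the sub-pattern placeholder should be, so the documented rule for the new shape is incomplete; the CHANGELOG entry in the second patch repeats the same empty pair. Suggested wording: `patterns of the form **/<glob> match <glob> against the basename at any depth`. The closing clause would also be more accurate as `otherwise exact (non-glob) path match`, since the final comparison in should_exclude is quoted and a reader of this input description might otherwise expect a pattern such as `config/*.enc.yaml` to be honoured.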
@@ -106,18 +107,24 @@ jobs:
 read -r -a path_globs <<< "${PATHS}"
 read -r -a exclude_globs <<< "${EXCLUDE_PATHS}"
- # Exclude matcher. Handles three common pattern shapes:
+ # Exclude matcher. Handles these pattern shapes:
 # foo/** — directory prefix
+ # **/*.something — basename glob at any depth
 # *.something — basename match (no slash in pattern)
 # anything else — exact path match
 should_exclude() {
 local path="$1"
- local g prefix
+ local g prefix base_glob
 for g in "${exclude_globs[@]}"; do
 if [[ "${g}" == */"**" ]]; then
 prefix="${g%/**}"
 [[ "${path}" == "${prefix}/"* ]] && return 0
 [[ "${path}" == "${prefix}" ]] && return 0
+ elif [[ "${g}" == "**/"* && "${g#**/}" != *"/"* ]]; then
+ # `**/` — match against the basename at any depth (e.g. `**/*.enc.yaml`)
+ base_glob="${g#**/}"
+ # shellcheck disable=SC2053
+ [[ "$(basename "${path}")" == ${base_glob} ]] && return 0
 elif [[ "${g}" != *"/"* ]]; then
 # shellcheck disable=SC2053
 [[ "$(basename "${path}")" == ${g} ]] && return 0

From 033a4e1530e3c2b6f1418f6fbe96d17a1f9e1f1a Mon Sep 17 00:00:00 2001
From: Lucas Weatherhog <31103312+weatherhog@users.noreply.github.com>
Date: Tue, 30 Jun 2026 16:51:56 +0200
Subject: [PATCH 2/2] docs(changelog): note the yaml-diff SOPS exclusion fix

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b9773cc..f62d6cc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
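Review bot: A pattern containing `/` that fits neither the `dir/**` branch nor the new `**/<basename-glob>` branch (for example `**/secrets/*.yaml`, which the `"${g#**/}" != *"/"*` guard rejects) still reaches the final quoted exact comparison and silently excludes nothing — the same fail-open behaviour this commit fixes for `**/*.enc.yaml`, with encrypted file contents posted to the PR as the consequence. Consider having that final branch emit a `::warning::` annotation or fail the step when the pattern contains `/` together with `*` or `?`, so an unsupported shape is reported rather than ignored. The unit test of should_exclude mentioned in the commit message is not part of this patch (the diffstat covers only the workflow and the changelog); a guard step such as `should_exclude "clusters/x/secret.enc.yaml" || { echo "::error::SOPS exclusion broken"; exit 1; }` run against the default list would keep this regression from recurring. The comment on the new branch could also state the limit it enforces, e.g. `# **/<glob> — match <glob> against the basename at any depth; **/dir/<glob> is not supported`. should_exclude's final else branch and closing brace lie outside the hunk.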
@@ -6,6 +6,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 however this project does not use Semantic Versioning and there are no releases.
 Instead this file uses a date-based structure.
 
+## 2026-06-30
+
+### Fixed
+
+- `yaml-diff.yaml`'s `should_exclude()` now correctly excludes the default `**/*.enc.yaml` (SOPS) pattern. Patterns containing a `/` but not ending in `/**` fell through to a quoted, non-glob exact-match comparison that never matched, so SOPS-encrypted files were diffed and their contents posted as PR comments — the opposite of the documented default. A new matcher branch handles the `**/` shape by matching `` against the basename at any depth. Verified end-to-end against giantswarm/gitops-template#136.
+
 ## 2026-06-24
 
 ### Security