13 changes: 10 additions & 3 deletions .github/workflows/yaml-diff.yaml
Expand Up @@ -24,7 +24,8 @@ on:
default: "**/*.enc.yaml .github/** .pre-commit-config.yaml"
description: >-
Space-separated glob patterns to exclude. Patterns ending in `/**` match a directory
prefix; patterns without `/` match by basename; otherwise exact path match.
prefix; patterns of the form `**/<glob>` match `<glob>` against the basename at any
depth; patterns without `/` match by basename; otherwise exact path match.
SOPS-encrypted files must remain excluded.

permissions: {}
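Review bot: the new description text for the `**/<glob>` shape omits the constraint the matcher actually enforces, namely that `<glob>` must not itself contain a `/`; a pattern such as `**/secrets/*.yaml` is not matched against the basename but drops through to the exact path comparison, so the documentation should say so. Suggest wording along the lines of "patterns of the form `**/<glob>` (where `<glob>` contains no `/`) match `<glob>` against the basename at any depth". Since the same block states that SOPS-encrypted files must remain excluded, spelling out exactly which shapes are supported keeps users from writing an exclusion that silently never matches.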
Expand Down Expand Up @@ -106,18 +107,24 @@ jobs:
read -r -a path_globs <<< "${PATHS}"
read -r -a exclude_globs <<< "${EXCLUDE_PATHS}"

# Exclude matcher. Handles three common pattern shapes:
# Exclude matcher. Handles these pattern shapes:
# foo/** — directory prefix
# **/*.something — basename glob at any depth
# *.something — basename match (no slash in pattern)
# anything else — exact path match
should_exclude() {
local path="$1"
local g prefix
local g prefix base_glob
for g in "${exclude_globs[@]}"; do
if [[ "${g}" == */"**" ]]; then
prefix="${g%/**}"
[[ "${path}" == "${prefix}/"* ]] && return 0
[[ "${path}" == "${prefix}" ]] && return 0
elif [[ "${g}" == "**/"* && "${g#**/}" != *"/"* ]]; then
# `**/<glob>` — match <glob> against the basename at any depth (e.g. `**/*.enc.yaml`)
base_glob="${g#**/}"
# shellcheck disable=SC2053
[[ "$(basename "${path}")" == ${base_glob} ]] && return 0
elif [[ "${g}" != *"/"* ]]; then
# shellcheck disable=SC2053
[[ "$(basename "${path}")" == ${g} ]] && return 0
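Review bot: the new `elif [[ "${g}" == "**/"* && "${g#**/}" != *"/"* ]]` branch fixes the default `**/*.enc.yaml` pattern, but a `**/<glob>` pattern whose `<glob>` contains a `/` still falls through to the quoted exact-match fallback, which is the same silent-fallthrough class this change repairs. Suggest an explicit branch ahead of the exact-match fallback that reports unsupported shapes, e.g. `echo "::warning::unsupported exclude pattern: ${g}" >&2`, so a mistyped exclusion shows up in the job log instead of quietly letting the file be diffed. Given that this function is what keeps SOPS-encrypted content out of PR comments and the regression was only noticed on a real PR, a self-check immediately after the function would be cheap insurance, e.g. `should_exclude "apps/x/secrets.enc.yaml" || { echo "exclude self-test failed" >&2; exit 1; }` (path constructed for illustration).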
6 changes: 6 additions & 0 deletions CHANGELOG.md
Expand Up @@ -6,6 +6,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
however this project does not use Semantic Versioning and there are no releases.
Instead this file uses a date-based structure.

## 2026-06-30

### Fixed

- `yaml-diff.yaml`'s `should_exclude()` now correctly excludes the default `**/*.enc.yaml` (SOPS) pattern. Patterns containing a `/` but not ending in `/**` fell through to a quoted, non-glob exact-match comparison that never matched, so SOPS-encrypted files were diffed and their contents posted as PR comments — the opposite of the documented default. A new matcher branch handles the `**/<glob>` shape by matching `<glob>` against the basename at any depth. Verified end-to-end against giantswarm/gitops-template#136.

## 2026-06-24

### Security
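Review bot: the new entry is filed under `### Fixed`, but the effect it describes (SOPS-encrypted file contents posted as PR comments, the opposite of the documented default) is a security regression, and the preceding entry on this page already uses a `### Security` heading; consider filing it there, or cross-referencing it there, so readers scanning for security-relevant changes find it. The entry would also benefit from stating whether the comments already posted on affected PRs (it references giantswarm/gitops-template#136) were cleaned up, and whether the fix is now covered by a test rather than only verified end-to-end once.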