[TEST] yaml-diff: SOPS *.enc.yaml excluded#136

Closed
weatherhog wants to merge 2 commits into
mainfrom
test/yaml-diff-sops-excluded

Conversation

@weatherhog

Contributor

Throwaway test PR for the yaml-diff bot rollout — roadmap#4121. Do not merge; close after verifying.

What this tests

Two files change in one PR:

  1. A real ConfigMap value change (data.values).
  2. A SOPS-encrypted secret.enc.yaml (touched sops.lastmodified).

Expected

  • yaml-diff bot comment shows only the ConfigMap diff.
  • ✅ The *.enc.yaml is not mentioned (matched by the default **/*.enc.yaml exclude). SOPS files must never be diffed.

Changes a real ConfigMap value AND touches a SOPS-encrypted
*.enc.yaml in the same PR. The yaml-diff bot should diff only the
ConfigMap and silently exclude the .enc.yaml. Throwaway test PR for
roadmap#4121.
weatherhog added a commit to giantswarm/github-workflows that referenced this pull request Jun 30, 2026
The default exclude_paths includes `**/*.enc.yaml`, but should_exclude()
had no branch for the `**/<glob>` shape: a pattern containing `/` but not
ending in `/**` fell through to the final `[[ "$path" == "$g" ]]` exact
(quoted, non-glob) comparison, which never matched. As a result SOPS-
encrypted files were NOT excluded and their diffs were posted as PR
comments — the opposite of the documented behaviour.

Add a branch that handles `**/<glob>` by matching <glob> against the
basename at any depth, so `**/*.enc.yaml` matches `.../secret.enc.yaml`.
Verified with a unit test of should_exclude over SOPS / .github / regular
paths, and end-to-end against giantswarm/gitops-template#136.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Temporary: references the github-workflows fix/yaml-diff-enc-exclusion
branch to confirm *.enc.yaml is now excluded. Throwaway test PR.
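The fix described in the github-workflows commit above can be illustrated with a small shell implementation. This is an added example, not the project's own should_exclude() or its real exclude_paths input: the default pattern list (with `.github/**` and an exact-path entry added for contrast), the function interface and the pattern shapes other than `**/<glob>` and `<dir>/**` are assumptions. `should_exclude_buggy` reproduces the fall-through the commit describes (a `**/<glob>` pattern reaching a quoted, literal comparison), and `should_exclude` adds the basename-at-any-depth branch that fixes it.

```shell
#!/bin/sh
# Added example, not giantswarm/github-workflows code. Newline-separated
# patterns mirror a multi-line workflow input; the list itself is assumed.
EXCLUDE_PATHS='**/*.enc.yaml
.github/**
docs/README.md'

# Reproduction of the behaviour described in the commit message: only a
# '<dir>/**' branch exists, so '**/*.enc.yaml' (contains '/', does not end in
# '/**') falls through to a quoted, non-glob comparison and never matches.
should_exclude_buggy() {
  path=$1; patterns=${2:-$EXCLUDE_PATHS}
  while IFS= read -r g; do
    [ -n "$g" ] || continue
    case "$g" in
      */'**')
        dir=${g%'**'}                     # '.github/**' -> '.github/'
        case "$path" in "$dir"*) return 0 ;; esac ;;
      *)
        [ "$path" = "$g" ] && return 0 ;; # literal compare, as in the original
    esac
  done <<EOF
$patterns
EOF
  return 1
}

# Fixed version. Shapes handled (the first is the one that was missing):
#   **/<glob>  - <glob> matched against the basename at any depth
#   <dir>/**   - anything under <dir>
#   <glob>     - no slash: glob matched against the basename (assumed shape)
#   <exact>    - slash, neither wildcard shape: exact path match
should_exclude() {
  path=$1; patterns=${2:-$EXCLUDE_PATHS}
  base=${path##*/}
  while IFS= read -r g; do
    [ -n "$g" ] || continue
    case "$g" in
      '**/'*)
        sub=${g#'**/'}                    # '**/*.enc.yaml' -> '*.enc.yaml'
        # Unquoted expansion in a case pattern is glob-matched, unlike the
        # quoted '=' / '==' comparison the original fell through to.
        case "$base" in $sub) return 0 ;; esac ;;
      */'**')
        dir=${g%'**'}
        case "$path" in "$dir"*) return 0 ;; esac ;;
      */*)
        [ "$path" = "$g" ] && return 0 ;;
      *)
        case "$base" in $g) return 0 ;; esac ;;
    esac
  done <<EOF
$patterns
EOF
  return 1
}

# Constructed file list standing in for the two files this PR touches plus
# a workflow file; paths are illustrative, not the repository's real ones.
for f in \
  'management-clusters/mc/organizations/org/workload-clusters/wc/out-of-band/configmaps/configmap.yaml' \
  'management-clusters/mc/organizations/org/workload-clusters/wc/out-of-band/secrets/secret.enc.yaml' \
  '.github/workflows/validate.yaml'
do
  if should_exclude_buggy "$f"; then b=excluded; else b=DIFFED; fi
  if should_exclude "$f"; then n=excluded; else n=diffed; fi
  printf '%-10s %-9s %s\n' "buggy=$b" "fixed=$n" "$f"
done
```

The behaviour worth checking is the one the commit calls out: with the buggy function, `secret.enc.yaml` is reported as diffable, so its (encrypted, but still sensitive in structure) content would be posted to the PR; with the fixed function it is excluded while the ConfigMap is still diffed.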
@github-actions


Semantic YAML source diff — key reordering without value changes is ignored.

Output

=== management-clusters/MC_NAME/organizations/ORG_NAME/workload-clusters/WC_NAME_OUT_OF_BAND_FLUX_APP/out-of-band/configmaps/configmap.yaml ===

/data/values
  ± value change in multiline text (one insert, one deletion)
    - Encryption is possible here as well, but I am not encrypted atm.
    + Encryption is possible here as well, but I am not encrypted yet.


Suppress with /no_diffs_printing on its own line in the PR body or as a comment.

@github-actions

Validation output log
yamllint: OK
kubeconform: OK

@github-actions

Rendered manifest diff output log

No diff detected

@weatherhog

Contributor Author

Closing — throwaway Phase-1 verification PR for roadmap#4121. All the work it exercised is merged: the yaml-diff bot, the SOPS-exclusion fix (giantswarm/github-workflows#231), colour output (#232), and the CI extraction (#233 + #139). Key-ordering removal is in #140.

@weatherhog weatherhog closed this Jul 2, 2026
@weatherhog weatherhog deleted the test/yaml-diff-sops-excluded branch July 2, 2026 11:21