
ci: pin-gate fail closed on git-diff error #320

Merged: devkoriel merged 1 commit into main from ci/pin-gate-fail-closed on Jun 30, 2026

@devkoriel

Contributor

What

Mirror the app-of-apps #1624 fail-OPEN fix in the chart-repo pin gate.

Why

changed=$(git diff --name-only "${BASE_SHA}...HEAD" ...) returned empty on a git error (the run block sets pipefail but not errexit), so a broken / unreachable-base diff yielded "No chart changes." -> exit 0 -> the required gate PASSED. Same class as the app-of-apps fail-open that #1622 exposed.

How

Wrap the diff in if ! changed=$(...); then echo ::error::...; exit 1; fi. With pipefail, a git-diff error now fails the check (fail-closed) instead of silently passing. bash -n clean; no other change. (The gate already uses the immutable BASE_SHA, so it was less fragile than app-of-apps, but the empty-diff pass was still reachable.)

@devkoriel devkoriel self-assigned this Jun 30, 2026
@devkoriel devkoriel merged commit f6aebee into main Jun 30, 2026
2 checks passed
@devkoriel devkoriel deleted the ci/pin-gate-fail-closed branch June 30, 2026 10:51
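
Added example, not code from this pull request or its repository: a minimal bash reproduction of the fail-open behaviour described under "Why" and the fail-closed wrapper described under "How". `list_changed` is a hypothetical stand-in for the gate's `git diff` call with constructed scenarios, and the `|| true` around `grep` is an assumption about how a legitimate "no match" is kept from failing the gate.

```bash
#!/usr/bin/env bash
set -o pipefail   # as on the page: pipefail is set, errexit is not

# Hypothetical stand-in for the gate's `git diff --name-only` call, so the
# example runs without a repository. Scenarios are constructed.
list_changed() {
  case "$1" in
    unreachable) echo "fatal: bad revision" >&2; return 128 ;;  # diff error
    nocharts)    echo "README.md" ;;
    *)           printf '%s\n' "charts/app/Chart.yaml" "README.md" ;;
  esac
}

# Before: the status of the assignment is never checked, so a diff error
# leaves $changed empty and takes the "nothing to check" path.
gate_fail_open() {
  local changed
  changed=$(list_changed "$1" 2>/dev/null | grep '^charts/')
  if [ -z "$changed" ]; then echo "No chart changes."; return 0; fi
  echo "checking pins for: $changed"
}

# After: the assignment is the `if` condition. pipefail surfaces the diff's
# non-zero status; `|| true` (assumption) keeps grep's "no match" exit 1
# from being mistaken for an error.
gate_fail_closed() {
  local changed
  if ! changed=$(list_changed "$1" 2>/dev/null | { grep '^charts/' || true; }); then
    echo "::error::could not list changed files; failing the gate"
    return 1
  fi
  if [ -z "$changed" ]; then echo "No chart changes."; return 0; fi
  echo "checking pins for: $changed"
}

# Demo: both gates on a diff that errors out.
if gate_fail_open unreachable; then echo "fail-open gate: PASSED"; fi
if ! gate_fail_closed unreachable; then echo "fail-closed gate: FAILED"; fi
```
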