Skip to content

deploy-artifact: unanchored 'kind: Secret' grep over-matches SecretStore kinds (E_FORBIDDEN_KIND) #66

Description

@jorisjonkers-dev-agents

Problem

actions/deploy-artifact/run.sh uses an unanchored grep for kind: Secret in its forbidden-kind guard (E_FORBIDDEN_KIND). This over-matches legitimate kinds such as SecretStore and ClusterSecretStore (External Secrets / VSO patterns), producing false-positive rejections.

The identical bug existed in actions/deploy-preview/run.sh and was fixed in #62 by anchoring the pattern to ^kind:[[:space:]]*Secret[[:space:]]*$. The deploy-artifact copy was out of scope there and remains unfixed.

Fix

Apply the same anchored regex in actions/deploy-artifact/run.sh, and add a test mirroring the deploy-preview coverage in tests/test_scorecard.py (a manifest with kind: SecretStore must pass; kind: Secret must fail).

Acceptance

A service rendering a SecretStore/ClusterSecretStore object publishes its deploy artifact without E_FORBIDDEN_KIND; a raw Secret still fails with the file named.

Metadata

Metadata

Assignees

No one assigned

    Labels

    type: bugSomething is broken or behaving incorrectly.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions