Skip to content

fix: resolve subshell issue in image validation loop #15

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
dcolina merged 1 commit into from
Dec 12, 2025
Merged

fix: resolve subshell issue in image validation loop #15

dcolina merged 1 commit into from
Dec 12, 2025

Conversation

@dcolina
Copy link
Member

@dcolina dcolina commented Dec 12, 2025

Problem

The image validation was failing with exit code 1 even when all validation checks passed successfully. This was caused by a bash subshell issue.

Root Cause

The validation loop used a pipe pattern:

echo "$NEW_IMAGES" | jq -r '.[]' | while IFS= read -r image; do
  # validation code that writes to /tmp/validation_failed.txt
done

This pattern creates a subshell, and files written inside the subshell (/tmp/validation_failed.txt) are not visible to the parent shell after the loop completes.

Solution

Changed to process substitution pattern:

while IFS= read -r image; do
  # validation code that writes to /tmp/validation_failed.txt
done < <(echo "$NEW_IMAGES" | jq -r '.[]')

This runs the loop in the current shell context, allowing file writes to persist correctly.

Testing

This fix will be validated with test PR #360 in deutschebank-infrastructure repository, which previously showed all checks passing but failed with exit code 1.

Related

  • Fixes validation failure in dotCMS/deutschebank-infrastructure#360

@dcolina
fix: resolve subshell issue in image validation loop
06651fe 
The while loop was using a pipe which creates a subshell, causing
/tmp/validation_failed.txt writes to not persist after the loop.
Changed to process substitution pattern to fix this issue.

This fixes validation failures where all checks pass but the job
still exits with error code 1.
@dcolina dcolina marked this pull request as ready for review December 12, 2025 16:30
@dcolina dcolina requested review from a team as code owners December 12, 2025 16:30
@dcolina dcolina merged commit a7bf57e into main Dec 12, 2025
3 checks passed
@dcolina dcolina deleted the fix/subshell-validation-bug branch December 12, 2025 16:38
@dcolina dcolina mentioned this pull request Dec 12, 2025
Merged
dcolina added a commit that referenced this pull request Dec 12, 2025
@dcolina
fix: resolve second subshell issue in image-only validation (#16)
2338b52 
## Problem

Found a second subshell issue in the `validate-image-only-changed` step
that was causing the same false failure problem.

## Root Cause

The loop checking if only image field changed also used a pipe pattern:
```bash
echo "$CHANGED_FILES" | jq -r '.[]' | while IFS= read -r file; do
  # validation code that writes to /tmp files
done
```

This creates a subshell where file writes don't persist after the loop.

## Solution

Applied the same process substitution fix:
```bash
while IFS= read -r file; do
  # validation code
done < <(echo "$CHANGED_FILES" | jq -r '.[]')
```

## Testing

This will be validated with PR #362 in deutschebank-infrastructure
repository.

## Related

- Fixes same issue as #15
- Required for dotCMS/deutschebank-infrastructure#362
@dcolina dcolina mentioned this pull request Dec 15, 2025
Merged
dcolina added a commit that referenced this pull request Dec 15, 2025
@dcolina
fix: resolve BASE_REPO variable scope issue (#17)
1c277e3 
## Problem

The `BASE_REPO` variable was only defined inside the repository
allowlist validation block (step 3), but it was being used later in the
image existence check (step 5). This caused the variable to be empty
when `verify_image_existence` was enabled, leading to validation
failures.

## Root Cause

In the image validation loop:
- `BASE_REPO` extraction logic was inside the `if [ -n "$ALLOWED_REPOS"
]` block (lines 433-440)
- The image existence check at line 524 used
`CANONICAL_IMAGE="${BASE_REPO}:${TAG}"`
- When `ALLOWED_REPOS` was set, `BASE_REPO` was defined and everything
worked
- However, the variable was being used outside its scope, which is a
logic error

## Solution

- **Move BASE_REPO extraction logic** outside the conditional block
(before step 4)
- Now `BASE_REPO` is always available for both repository validation and
image existence check
- Update step numbering in comments: steps 4-7 instead of 3-5
- Add explicit logging of `BASE_REPO` value for debugging

## Changes

```diff
# 2. Extract repository and tag
REPO="${image%:*}"
TAG="${image##*:}"

+# 3. Extract base repository name (always, needed for multiple validations)
+BASE_REPO="$REPO"
+if [[ "$REPO" =~ / ]]; then
+  if [[ "$REPO" =~ ^[a-z0-9.-]+\.[a-z]{2,}/ ]] || [[ "$REPO" =~ ^gcr\.io/ ]] || [[ "$REPO" =~ ^.*\.gcr\.io/ ]]; then
+    BASE_REPO="${REPO#*/}"
+  fi
+fi
+echo "   Base repository: $BASE_REPO"
+
-# 3. Check repository is in allowlist (if configured)
+# 4. Check repository is in allowlist (if configured)
if [ -n "$ALLOWED_REPOS" ]; then
-  BASE_REPO="$REPO"  # ← Was only defined here
-  if [[ "$REPO" =~ / ]]; then
-    ...
-  fi
  ...
fi
```

## Testing

This fixes the validation failure in [PR
#362](dotCMS/deutschebank-infrastructure#362)
where the image existence check was failing due to empty `BASE_REPO`
variable.

After this fix is merged and v1.1.1 tag is recreated, PR #362 should
pass all validations.

## Related

- Fixes issue discovered in deutschebank-infrastructure PR #362
- Related to #15 (subshell fixes)
- Related to #16 (second subshell fix)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dcolina