@@ -127,15 +127,28 @@ jobs:
127127 env :
128128 service : ${{ inputs.service }}
129129 run : |
130+ # Validate and sanitize the service input
131+ if [[ ! "$service" =~ ^[a-zA-Z0-9_/.-]+$ ]]; then
132+ echo "ERROR: Invalid service name format: $service"
133+ exit 1
134+ fi
135+
130136 service_name="${service,,}" # third_parties/bridgetower
131137 if [[ "${service,,}" == *"third_parties"* ]]; then
132- CHART_NAME="$(echo "${service,,}"| cut -d'/' -f2)" # bridgetower
138+ CHART_NAME="$(echo "${service,,}" | cut -d'/' -f2)" # bridgetower
133139 else
134140 CHART_NAME="${service_name}" # web_retrievers
135141 fi
136142 CHART_NAME=$(echo "$CHART_NAME" | tr -cd 'a-z0-9')
137- echo "service_name=$service_name" >> $GITHUB_ENV
138- echo "CHART_NAME=$CHART_NAME" >> $GITHUB_ENV
143+
144+ # Validate CHART_NAME is not empty after sanitization
145+ if [[ -z "$CHART_NAME" ]]; then
146+ echo "ERROR: Chart name is empty after sanitization"
147+ exit 1
148+ fi
149+
150+ echo "service_name=${service_name}" >> $GITHUB_ENV
151+ echo "CHART_NAME=${CHART_NAME}" >> $GITHUB_ENV
139152 echo "RELEASE_NAME=${CHART_NAME}$(date +%d%H%M%S)" >> $GITHUB_ENV
140153 echo "NAMESPACE=comp-${CHART_NAME}-$(head -c 4 /dev/urandom | xxd -p)" >> $GITHUB_ENV
141154 echo "ROLLOUT_TIMEOUT_SECONDS=600s" >> $GITHUB_ENV
@@ -147,8 +160,21 @@ jobs:
147160
148161 - name : get template name
149162 run : |
150- echo "template_link=$(grep 'helm install' comps/${service_name}/deployment/kubernetes/README.md | awk -F' ' '{print $4}' | head -n 1)"
151- echo "template_link=$(grep 'helm install' comps/${service_name}/deployment/kubernetes/README.md | awk -F' ' '{print $4}' | head -n 1)" >> $GITHUB_ENV
163+ # Validate service_name is safe for path construction
164+ if [[ ! "$service_name" =~ ^[a-zA-Z0-9_/.-]+$ ]]; then
165+ echo "ERROR: Invalid service_name format for path construction"
166+ exit 1
167+ fi
168+
169+ readme_path="comps/${service_name}/deployment/kubernetes/README.md"
170+ if [[ -f "$readme_path" ]]; then
171+ template_link=$(grep 'helm install' "$readme_path" | awk -F' ' '{print $4}' | head -n 1)
172+ echo "template_link=${template_link}"
173+ echo "template_link=${template_link}" >> $GITHUB_ENV
174+ else
175+ echo "ERROR: README.md not found at $readme_path"
176+ exit 1
177+ fi
152178
153179 - name : Helm install
154180 id : install
@@ -160,38 +186,59 @@ jobs:
160186 value_file : ${{ matrix.value_file }}
161187 run : |
162188 set -xe
189+
190+ # Validate value_file input
191+ if [[ ! "$value_file" =~ ^[a-zA-Z0-9_.-]+\.yaml$ ]]; then
192+ echo "ERROR: Invalid value file format: $value_file"
193+ exit 1
194+ fi
195+
163196 echo "should_cleanup=true" >> $GITHUB_ENV
164- if [[ ! -f ${{ github.workspace }}/${{ env.CHART_FOLDER }}/${value_file} ]]; then
165- echo "No value file found, exiting test!"
197+ value_file_path="${{ github.workspace }}/${{ env.CHART_FOLDER }}/${value_file}"
198+ if [[ ! -f "$value_file_path" ]]; then
199+ echo "No value file found at: $value_file_path"
166200 echo "skip_validate=true" >> $GITHUB_ENV
167201 echo "should_cleanup=false" >> $GITHUB_ENV
168202 exit 0
169203 fi
170204
171- for img in `helm template -n $NAMESPACE $RELEASE_NAME ${template_link} -f comps/${{ inputs.service }}/deployment/kubernetes/${value_file} --version ${{ inputs.version }} | grep 'image:' | grep 'opea/' | awk '{print $2}' | xargs`;
172- do
205+ # Validate inputs.service for path construction
206+ service_input="${{ inputs.service }}"
207+ if [[ ! "$service_input" =~ ^[a-zA-Z0-9_/.-]+$ ]]; then
208+ echo "ERROR: Invalid service input format"
209+ exit 1
210+ fi
211+
212+ helm_values_path="comps/${service_input}/deployment/kubernetes/${value_file}"
213+ if [[ ! -f "$helm_values_path" ]]; then
214+ echo "ERROR: Helm values file not found at: $helm_values_path"
215+ exit 1
216+ fi
217+
218+ for img in $(helm template -n "$NAMESPACE" "$RELEASE_NAME" "${template_link}" -f "$helm_values_path" --version "${{ inputs.version }}" | grep 'image:' | grep 'opea/' | awk '{print $2}'); do
173219 # increase helm install wait for for vllm-gaudi case
174- if [[ $img == *"vllm-gaudi"* ]]; then
220+ if [[ " $img" == *"vllm-gaudi"* ]]; then
175221 ROLLOUT_TIMEOUT_SECONDS=900s
176222 fi
177223 done
224+
178225 # oci://ghcr.io/opea-project/charts/${CHART_NAME} \
179- if ! helm install --create-namespace --namespace $NAMESPACE $RELEASE_NAME \
180- ${template_link} \
181- --set global.HUGGINGFACEHUB_API_TOKEN=${HFTOKEN} \
182- --set global.modelUseHostPath=/data2/hf_model \
183- --set GOOGLE_API_KEY=${{ env.GOOGLE_API_KEY}} \
184- --set GOOGLE_CSE_ID=${{ env.GOOGLE_CSE_ID}} \
185- -f comps/${{ inputs.service }}/deployment/kubernetes/${value_file} \
186- --version ${{ inputs.version }} \
226+ if ! helm install --create-namespace --namespace " $NAMESPACE" " $RELEASE_NAME" \
227+ " ${template_link}" \
228+ --set " global.HUGGINGFACEHUB_API_TOKEN=${HFTOKEN}" \
229+ --set " global.modelUseHostPath=/data2/hf_model" \
230+ --set " GOOGLE_API_KEY=${{ env.GOOGLE_API_KEY}}" \
231+ --set " GOOGLE_CSE_ID=${{ env.GOOGLE_CSE_ID}}" \
232+ -f "$helm_values_path" \
233+ --version " ${{ inputs.version }}" \
187234 --wait --timeout "$ROLLOUT_TIMEOUT_SECONDS"; then
188235 echo "Failed to install chart ${{ inputs.service }}"
189236 echo "skip_validate=true" >> $GITHUB_ENV
190- .github/workflows/scripts/k8s-utils.sh dump_pods_status $NAMESPACE
237+ .github/workflows/scripts/k8s-utils.sh dump_pods_status " $NAMESPACE"
191238 exit 1
192239 fi
193240 helm list -A
194- kubectl get pods -n $NAMESPACE
241+ kubectl get pods -n " $NAMESPACE"
195242
196243 - name : Validate e2e test
197244 if : always()
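Review bot: In the Helm install step, `service_input="${{ inputs.service }}"` is still expanded by the Actions template engine before bash starts, so the regex check that follows runs only after any shell metacharacters in the input have already been interpreted as script text. `--version "${{ inputs.version }}"` (in both the `helm template` loop and `helm install`) and `echo "Failed to install chart ${{ inputs.service }}"` have the same exposure, and `inputs.version` is not validated anywhere in the visible hunks. Pass both values through the step's `env:` block, as the first step already does with `service: ${{ inputs.service }}`, then use `service_input="$service"` and `--version "$version"` in the script. The shared pattern `^[a-zA-Z0-9_/.-]+$` also accepts `..` segments and a leading `/`, so it does not by itself keep `comps/${service_name}/...` or `comps/${service_input}/...` inside the repository tree; rejecting `*..*` and a leading slash alongside the regex would close that. The step's `env:` block begins above this hunk, so whether `service` is already exported there is not visible here.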