feat(pipelines): require shellIdentity on Shell steps in the schema (AROSLSRE-1380)#262
Merged
janboll merged 1 commit intoJul 3, 2026
Conversation
A Shell step's shellIdentity is effectively mandatory: EV2RA manifest generation validates it unconditionally and aborts if it is unset. But shellStepBase only marked 'command' as required, so consumers that validate against the schema (e.g. ARO-HCP 'make validate-config-pipelines') without running EV2RA generation accepted Shell steps missing an identity. Those only failed later, at bump time. Add shellIdentity to shellStepBase.required so schema validation rejects such steps at authoring/PR time. This also covers shellValidationStep, which embeds the same base. The Go type already documented the field as required. Existing valid-shell test fixtures are updated to declare shellIdentity. NOTE: breaking schema tightening. Must not merge until all consumers declare shellIdentity on every Shell step (ARO-HCP tracked by AROSLSRE-1380). AROSLSRE-1380
geoberle
approved these changes
Jul 2, 2026
8 tasks
Merged
8 tasks
Contributor
There was a problem hiding this comment.
Pull request overview
This PR aligns the pipeline.schema.v1 JSON schema with existing runtime expectations by making shellIdentity required for all Shell steps, preventing configs from passing schema validation and only failing later during EV2RA manifest generation.
Changes:
- Updated
shellStepBase.requiredinpipeline.schema.v1.jsonto includeshellIdentityalongsidecommand. - Updated schema-validation unit tests to include
shellIdentityin validShellstep examples. - Updated subscription provisioning schema validation tests to include
shellIdentityin embeddedShellsteps.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pipelines/types/validation_test.go | Updates “valid shell” schema-validation test cases to include shellIdentity. |
| pipelines/types/pipeline.schema.v1.json | Makes shellIdentity a required property for Shell steps via shellStepBase.required. |
| pipelines/types/pipeline_test.go | Updates YAML test cases to include shellIdentity in Shell steps so they remain schema-compliant. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
janboll
approved these changes
Jul 3, 2026
raelga
added a commit
to raelga/ARO-HCP
that referenced
this pull request
Jul 3, 2026
…SLSRE-1380) Bumps the github.com/Azure/ARO-Tools modules from 2277df76598b (2026-06-17) to 4612291d5420 (2026-07-03), which makes shellIdentity a required field on shellStepBase in the pipeline schema (Azure/ARO-Tools#262). This lands the enforcement so that a Shell step missing shellIdentity now fails ARO-HCP 'make validate-config-pipelines' at PR time, instead of only breaking the sdp-pipelines EV2 bump after merge (the regression that hit ARO-28045 / Azure#5834). All in-repo pipelines validate cleanly against the stricter schema; the known offenders were already fixed in Azure#5889 and Azure#5890.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
A
Shellstep'sshellIdentityis effectively mandatory — sdp-pipelines EV2RA manifest generation validates it unconditionally and aborts if unset:But
shellStepBaseinpipeline.schema.v1.jsononly markscommandasrequired, so consumers that validate against the schema (e.g. ARO-HCPmake validate-config-pipelines) without running EV2RA generation accept Shell steps that omit an identity. They only fail later, at bump time — which just caused an ARO-HCP revert/reland (Azure/ARO-HCP#5834 → #5888 / #5889).What changes
Add
shellIdentitytoshellStepBase.required:This also covers
shellValidationStep, which embeds the same base. The Go type (shell.go) already documented the field as required. Existing valid-shell test fixtures are updated to declareshellIdentity.Validation
go test ./pipelines/types/...passes (schema + fixtures). Thepipelines/graphfailures in this environment are only missinggraphviz/dot, unrelated to this change.Follow-ups
shellIdentity is required.