feat(ci): validate embedded JSON blobs in ConfigMaps #2502
Registered ConfigMap data keys (exceptionPolicies, *.json) are now json-parsed by scripts/validate-embedded-json.py as the first step of the validate job, so a JSON syntax error fails the PR instead of shipping as an opaque string that only breaks at consumption time. Fixes #2480 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
🎉 This PR is included in version 1.105.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
Why
ConfigMaps that embed whole JSON documents (the Headlamp Kubescape exceptions policy, velero's node-agent config) are opaque strings to schema validation — a stray comma ships silently and only breaks where the JSON is consumed, where an empty exceptions view reads identical to a clean posture. Flagged by CodeRabbit on #2446.
What
Adds a fast stdlib-Python CI gate that json-parses every registered embedded-JSON ConfigMap key (exceptionPolicies plus any *.json key) as the first step of the validate job, failing the PR on a syntax error. Verified against a deliberately corrupted blob in both covered ConfigMaps.
Fixes #2480
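A sketch of the kind of gate described above, as an added example that is not the PR's scripts/validate-embedded-json.py. It assumes manifests are already loaded into Python dicts (YAML loading is left out); REGISTERED_KEY_PATTERNS, the function names and the sample ConfigMaps are constructed for illustration.

```python
import fnmatch
import json
import sys

# Key patterns named in the PR text; the registry format itself is assumed.
REGISTERED_KEY_PATTERNS = ("exceptionPolicies", "*.json")

def is_registered(key):
    """True when a ConfigMap data key is expected to hold a JSON document."""
    return any(fnmatch.fnmatchcase(key, p) for p in REGISTERED_KEY_PATTERNS)

def validate_configmap(manifest):
    """Return one error string per registered key whose value is not JSON."""
    if manifest.get("kind") != "ConfigMap":
        return []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    errors = []
    for key, value in (manifest.get("data") or {}).items():
        if not is_registered(key):
            continue
        try:
            json.loads(value)  # an empty string fails too
        except json.JSONDecodeError as exc:
            errors.append(f"{name}/{key}: line {exc.lineno} col {exc.colno}: {exc.msg}")
        except TypeError:
            errors.append(f"{name}/{key}: value is not a string")
    return errors

def run_gate(manifests):
    """Print every error and return a CI exit code (0 = pass, 1 = fail)."""
    errors = [e for m in manifests for e in validate_configmap(m)]
    for e in errors:
        print(f"::error::{e}", file=sys.stderr)
    return 1 if errors else 0

# Constructed sample manifests (not taken from the repository).
GOOD = {"kind": "ConfigMap", "metadata": {"name": "sample-exceptions"},
        "data": {"exceptionPolicies": '[{"name": "allow-x"}]',
                 "notes.txt": "{not json, but not registered"}}
BAD = {"kind": "ConfigMap", "metadata": {"name": "sample-exceptions"},
       "data": {"exceptionPolicies": '[{"name": "allow-x"},]'}}  # stray comma
EMPTY = {"kind": "ConfigMap", "metadata": {"name": "sample-agent"},
         "data": {"node-agent-config.json": ""}}

if __name__ == "__main__":
    sys.exit(run_gate([GOOD, BAD, EMPTY]))
```

The empty-string case is rejected along with the stray comma, so a blanked-out exceptions blob fails the job instead of passing as valid.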