validate the exemption allow list #46
Pull request overview
Adds a CI guardrail to validate the exemptions allowlist (`exemptions/allow.json`) before attempting to apply exemptions to Cloudsmith.
Changes:
- Introduces a Python validator script for `exemptions/allow.json` structure and entry format.
- Runs the validator as a dedicated step in the `apply-exemptions` GitHub Actions workflow before uploading the generated policy.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `exemptions/validate_allowlist.py` | New script to validate allow.json is present, valid JSON, non-empty list, and entries match an expected shape. |
| `.github/workflows/apply-exemptions.yml` | Adds a workflow step to run the validator before exemptions/update_policy.py. |
| ALLOW_FILE = Path(__file__).parent / "allow.json" | ||
| ENTRY_PATTERN = re.compile(r"^[a-zA-Z0-9_\-]+:[a-zA-Z0-9_\-\.]+:[a-zA-Z0-9_\-\.]+$") | ||
|
|
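Review bot: `ENTRY_PATTERN` is anchored with `$`, which in Python also matches just before a trailing newline, so if the script applies the pattern with `match()` or `search()`, an entry such as `a:b:c\n` passes validation; apply it with `fullmatch()` or end the pattern with `\Z`. The first segment's character class also omits `.` while the other two allow it; if that asymmetry is intended, a comment naming the three fields would make it reviewable.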
This file re-implements allowlist entry validation that already exists in exemptions/update_policy.py (_validate_allowlist_entry). Because the criteria differ (regex here vs just enforcing two ':' separators there), CI can end up rejecting entries that the upload code would accept (or vice versa). Consider sharing one validation function/module or aligning the checks exactly.
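A differential check of the two validation rules contrasted in the comment above, as an added example that is not code from the pull request. `ENTRY_PATTERN` is copied from the diff; `two_colon_check` is an assumed stand-in for `_validate_allowlist_entry`, whose body is not shown on the page, and the sample entries are constructed.

```python
import re

# Pattern copied verbatim from the diff on this page.
ENTRY_PATTERN = re.compile(r"^[a-zA-Z0-9_\-]+:[a-zA-Z0-9_\-\.]+:[a-zA-Z0-9_\-\.]+$")


def regex_check(entry):
    """CI-side rule. fullmatch() is used because '$' with match() would also
    accept an entry that ends in a newline."""
    return isinstance(entry, str) and ENTRY_PATTERN.fullmatch(entry) is not None


def two_colon_check(entry):
    """Assumed stand-in for the upload-side rule: exactly two ':' separators."""
    return isinstance(entry, str) and entry.count(":") == 2


def divergences(entries):
    """Return (entry, regex_ok, two_colon_ok) for every entry the rules disagree on."""
    results = []
    for entry in entries:
        regex_ok, colon_ok = regex_check(entry), two_colon_check(entry)
        if regex_ok != colon_ok:
            results.append((entry, regex_ok, colon_ok))
    return results


# Constructed sample entries; the segment values are hypothetical.
SAMPLES = [
    "fmt:example-lib:1.2.3",    # accepted by both
    "fmt:@scope/pkg:1.0.0",     # '@' and '/' are outside the regex classes
    "fmt::1.0",                 # empty middle segment
    "fmt:pkg:1.0\n",            # trailing newline
    " fmt:pkg:1.0",             # leading space
    "fmt:pkg",                  # one separator: rejected by both
    42,                         # not a string: rejected by both
]

if __name__ == "__main__":
    for entry, regex_ok, colon_ok in divergences(SAMPLES):
        print(f"{entry!r}: regex={regex_ok} two_colon={colon_ok}")
```

Under the assumed two-colon rule, every disagreement in the sample is an entry the regex rejects and the separator count accepts. Running such a check in CI against a shared corpus of entries flags drift between the two validators.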