@@ -69,19 +69,36 @@ jobs:
6969 TAGS_RAW="${IMAGE_TAGS}"
7070 TAGS_CLEAN="${TAGS_RAW// /}"
7171 IFS=',' read -r -a TAG_ARRAY <<< "${TAGS_CLEAN}"
72- if [ "${#TAG_ARRAY[@]}" -eq 0 ] || [ -z "${TAG_ARRAY[0]}" ]; then
73- echo "No valid tags provided in IMAGE_TAGS='${IMAGE_TAGS}'" >&2
72+ # Validate provided tags: 1-128 chars, start alphanumeric, allow [A-Za-z0-9_.-]
73+ # This prevents accidental pastes (e.g., base64/HTML) which would break docker/buildx.
74+ if [ "${#TAG_ARRAY[@]}" -eq 0 ]; then
75+ echo "No tags provided in IMAGE_TAGS='${IMAGE_TAGS}'" >&2
7476 exit 1
7577 fi
7678 FULL_TAGS=""
79+ VALID_COUNT=0
7780 for TAG in "${TAG_ARRAY[@]}"; do
81+ # Skip blanks from accidental extra commas
82+ if [ -z "${TAG}" ]; then
83+ continue
84+ fi
85+ if ! [[ "${TAG}" =~ ^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$ ]]; then
86+ echo "Invalid Docker tag '${TAG}'. Allowed: letters, digits, '_', '-', '.'; 1-128 chars, start with alphanumeric." >&2
87+ echo "Input IMAGE_TAGS='${IMAGE_TAGS}'" >&2
88+ exit 1
89+ fi
90+ VALID_COUNT=$((VALID_COUNT+1))
7891 echo "Will publish: ${DOCKERHUB_IMAGE}:${TAG}"
7992 if [ -z "${FULL_TAGS}" ]; then
8093 FULL_TAGS="${DOCKERHUB_IMAGE}:${TAG}"
8194 else
8295 FULL_TAGS="${FULL_TAGS}"$'\n'"${DOCKERHUB_IMAGE}:${TAG}"
8396 fi
8497 done
98+ if [ "${VALID_COUNT}" -eq 0 ]; then
99+ echo "No valid tags found after parsing IMAGE_TAGS='${IMAGE_TAGS}'" >&2
100+ exit 1
101+ fi
85102 echo "tags<<EOF" >> "$GITHUB_OUTPUT"
86103 echo "${FULL_TAGS}" >> "$GITHUB_OUTPUT"
87104 echo "EOF" >> "$GITHUB_OUTPUT"
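Review bot: The two failure messages inside the loop print the rejected tag and the whole `IMAGE_TAGS` value to the job log, and the comment above the check names accidental pastes (base64, HTML) as the case being guarded against, so a mistakenly pasted token or credential would be written to the log in clear text. I would report only non-sensitive facts, for example `echo "Invalid Docker tag (length ${#TAG}). Allowed: letters, digits, '_', '-', '.'; 1-128 chars, start with alphanumeric." >&2`, and drop the `Input IMAGE_TAGS=...` line. Separately, `read -r -a` consumes only the first line of the here-string, so anything after a newline in `IMAGE_TAGS` is dropped without being validated or reported; rejecting input that contains a newline or carriage return before the split would make that failure explicit. The step's script starts before this hunk, so how `IMAGE_TAGS` and `DOCKERHUB_IMAGE` are populated is not visible here.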