From c65a7314037eef7e4e174cf96b52e9a119b43097 Mon Sep 17 00:00:00 2001
From: Haitao Pan
Date: Sun, 12 Apr 2026 15:09:42 +0800
Subject: [PATCH] Tighten deploy image artifact validation

---
 .github/workflows/pipeline.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index a9cf1bb..1115e40 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -161,17 +161,19 @@ jobs:
 image_ref="${{ needs.build.outputs.service_image_ref }}"
 image_no_digest="${image_ref%@*}"
-          image_repo="${image_no_digest%:*}"
 image_tag="${image_no_digest##*:}"
-          if [[ -z "${image_ref}" || -z "${image_repo}" || -z "${image_tag}" || "${image_repo}" == "${image_tag}" ]]; then
+          if [[ -z "${image_ref}" || -z "${image_tag}" ]]; then
 echo "invalid deploy image artifact: ${image_ref}" >&2
 exit 1
 fi
+          if [[ ! "${image_tag}" =~ ^sha-([0-9a-f]{40})$ && ! "${image_tag}" =~ ^[0-9a-f]{40}$ ]]; then
+            echo "deploy image artifact must be a full-SHA tag: ${image_ref}" >&2
+            exit 1
+          fi
+
 echo "image_ref=${image_ref}" >> "$GITHUB_OUTPUT"
-          echo "image_repo=${image_repo}" >> "$GITHUB_OUTPUT"
-          echo "image_tag=${image_tag}" >> "$GITHUB_OUTPUT"
 - name: Check Out Playbooks Repository
 # Pull latest playbooks HEAD from the default branch.
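Review bot: The new full-SHA check at `if [[ ! "${image_tag}" =~ ^sha-([0-9a-f]{40})$ && ! "${image_tag}" =~ ^[0-9a-f]{40}$ ]]` only constrains the tag's shape: it never ties that SHA to the commit being deployed, and because `${image_ref%@*}` tolerates a ref with no `@` suffix, a tag-only (mutable) ref still passes and is written to `$GITHUB_OUTPUT` as the deploy artifact. If the build job tags images with the workflow commit, the matched SHA should be compared with `${GITHUB_SHA}`, and a `@sha256:` digest should be required before `image_ref` is exported; that also lets the two patterns collapse into one and gives the currently unused capture group a purpose. Note too that the value enters the script through `${{ needs.build.outputs.service_image_ref }}` on the first context line, so these checks run only after any shell metacharacters in that output have already been expanded into the script text; if that output can ever carry attacker-influenced text, passing it via `env:` is the safer route, though that line is not part of this change. The enclosing `run:` step begins before the hunk.
```yaml
          image_tag="${image_no_digest##*:}"
          # … unchanged: empty-ref / empty-tag check …
          if [[ "${image_ref}" != *@sha256:* ]]; then
            echo "deploy image artifact must be digest-pinned: ${image_ref}" >&2
            exit 1
          fi
          if [[ ! "${image_tag}" =~ ^(sha-)?([0-9a-f]{40})$ ]]; then
            echo "deploy image artifact must be a full-SHA tag: ${image_ref}" >&2
            exit 1
          fi
          if [[ "${BASH_REMATCH[2]}" != "${GITHUB_SHA}" ]]; then
            echo "deploy image artifact tag does not match ${GITHUB_SHA}: ${image_ref}" >&2
            exit 1
          fi

          echo "image_ref=${image_ref}" >> "$GITHUB_OUTPUT"
```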