From c4295bcbee782925d24505c227335b3a99567a4e Mon Sep 17 00:00:00 2001 From: adela Date: Tue, 21 Apr 2026 23:33:23 +0200 Subject: [PATCH] fix: resolve workspace name before PATCH masking_rule The policy API uses the resource string as an exact-match filter, so "workspaces/-" does not resolve to the current workspace for policy endpoints (only GetWorkspace has dash-expansion). Without this, the PATCH silently creates an orphan policy with resource="workspaces/-" instead of updating the real workspace policy. Fetch the real workspace name via GET /workspaces/- first, then use it in the PATCH URL. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../workflows/1-bb-masking-semantic-type-global.yml | 13 ++++++++++--- .github/workflows/3-bb-masking-classification.yml | 13 ++++++++++--- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/.github/workflows/1-bb-masking-semantic-type-global.yml b/.github/workflows/1-bb-masking-semantic-type-global.yml index 6cd7464..38e6765 100644 --- a/.github/workflows/1-bb-masking-semantic-type-global.yml +++ b/.github/workflows/1-bb-masking-semantic-type-global.yml @@ -106,10 +106,17 @@ jobs: id: apply-global-masking-rule if: ${{ steps.changed-files.outputs.any_changed == 'true' && contains(steps.changed-files.outputs.all_changed_files, 'global-masking-rule.json') }} run: | - CHANGED_FILE="masking/global-masking-rule.json" + CHANGED_FILE="masking/global-masking-rule.json" echo "Processing: $CHANGED_FILE" - - response=$(curl -s -w "\n%{http_code}" --request PATCH "${{ steps.bytebase-login.outputs.api_url }}/workspaces/-/policies/masking_rule?allowMissing=true&updateMask=payload" \ + + # Resolve the current workspace resource name. Policy URLs need the + # real workspace ID — "workspaces/-" only works for GetWorkspace. + WORKSPACE_NAME=$(curl -s \ + --header "Authorization: Bearer ${{ steps.bytebase-login.outputs.token }}" \ + "${{ steps.bytebase-login.outputs.api_url }}/workspaces/-" | jq -r '.name') + echo "Workspace: $WORKSPACE_NAME" + + response=$(curl -s -w "\n%{http_code}" --request PATCH "${{ steps.bytebase-login.outputs.api_url }}/${WORKSPACE_NAME}/policies/masking_rule?allowMissing=true&updateMask=payload" \ --header "Authorization: Bearer ${{ steps.bytebase-login.outputs.token }}" \ --header "Content-Type: application/json" \ --data @"$CHANGED_FILE") diff --git a/.github/workflows/3-bb-masking-classification.yml b/.github/workflows/3-bb-masking-classification.yml index 16b1eab..9c6cb1e 100644 --- a/.github/workflows/3-bb-masking-classification.yml +++ b/.github/workflows/3-bb-masking-classification.yml @@ -88,10 +88,17 @@ jobs: id: apply-global-masking-rule if: ${{ steps.changed-files.outputs.any_changed == 'true' && contains(steps.changed-files.outputs.all_changed_files, 'global-masking-rule-classification.json') }} run: | - CHANGED_FILE="masking/global-masking-rule-classification.json" + CHANGED_FILE="masking/global-masking-rule-classification.json" echo "Processing: $CHANGED_FILE" - - response=$(curl -s -w "\n%{http_code}" --request PATCH "${{ steps.bytebase-login.outputs.api_url }}/workspaces/-/policies/masking_rule?allowMissing=true&updateMask=payload" \ + + # Resolve the current workspace resource name. Policy URLs need the + # real workspace ID — "workspaces/-" only works for GetWorkspace. + WORKSPACE_NAME=$(curl -s \ + --header "Authorization: Bearer ${{ steps.bytebase-login.outputs.token }}" \ + "${{ steps.bytebase-login.outputs.api_url }}/workspaces/-" | jq -r '.name') + echo "Workspace: $WORKSPACE_NAME" + + response=$(curl -s -w "\n%{http_code}" --request PATCH "${{ steps.bytebase-login.outputs.api_url }}/${WORKSPACE_NAME}/policies/masking_rule?allowMissing=true&updateMask=payload" \ --header "Authorization: Bearer ${{ steps.bytebase-login.outputs.token }}" \ --header "Content-Type: application/json" \ --data @"$CHANGED_FILE")