Debug beforeSteps accepts nonexistent step names without warning

[waveywaves]

Expected Behavior

When a user specifies step names in debug.breakpoints.beforeSteps, those names should be validated against the actual step names in the Task spec. If a step name doesn't exist, the user should receive a validation error.

Actual Behavior

In pkg/apis/pipeline/v1/taskrun_validation.go (lines 284-290), the validation checks for duplicate beforeSteps entries but never validates that the step names actually exist in the Task spec.

A user can write:

spec:
  debug:
    breakpoints:
      onFailure: enabled
      beforeSteps:
        - nonexistent-step

This passes validation silently. At runtime, NeedsDebugBeforeStep checks against container names and no container matches, so the breakpoint never fires. The user gets zero feedback about the misconfiguration.

Proposed Fix

Validate beforeSteps entries against the resolved Task spec's step names during TaskRun validation (similar to how param names are validated against Task param declarations).

Note: This validation may need to happen at reconcile time rather than webhook time, since the Task spec may not be available during admission (e.g., when using remote resolution).

Related

• TEP-0097: Breakpoints for TaskRuns and PipelineRuns
• [TEP-0042] Feedback for TaskRun debug mode #7352: [TEP-0042] Feedback for TaskRun debug mode (beta promotion tracker)
• TEP 0097: Add breakpoints, breakpoints.onFailure to debug and extend support to PipelineRun #5184: TEP 0097 tracking issue

/kind bug
/area api