Skip to content

Debug beforeSteps accepts nonexistent step names without warning #9720

@waveywaves

Description

@waveywaves

Expected Behavior

When a user specifies step names in debug.breakpoints.beforeSteps, those names should be validated against the actual step names in the Task spec. If a step name doesn't exist, the user should receive a validation error.

Actual Behavior

In pkg/apis/pipeline/v1/taskrun_validation.go (lines 284-290), the validation checks for duplicate beforeSteps entries but never validates that the step names actually exist in the Task spec.

A user can write:

spec:
  debug:
    breakpoints:
      onFailure: enabled
      beforeSteps:
        - nonexistent-step

This passes validation silently. At runtime, NeedsDebugBeforeStep checks against container names and no container matches, so the breakpoint never fires. The user gets zero feedback about the misconfiguration.

Proposed Fix

Validate beforeSteps entries against the resolved Task spec's step names during TaskRun validation (similar to how param names are validated against Task param declarations).

Note: This validation may need to happen at reconcile time rather than webhook time, since the Task spec may not be available during admission (e.g., when using remote resolution).

Related

/kind bug
/area api

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/apiIndicates an issue or PR that deals with the API.kind/bugCategorizes issue or PR as related to a bug.

    Type

    Projects

    Status

    In Progress

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions