Add rule validation to catch invalid patterns before container startup

dash14 · dash14 · commit 4a3f702716f0 · 2026-03-08T21:44:08.000+09:00
- convert-rule.mjs: catch errors and output clean message to stderr
  instead of exposing QuickJS stack traces
- setup/main.mjs: validate rules via buildRules() so invalid patterns
  are reported as ::error:: annotations in GitHub Actions before
  attempting to start the container
diff --git a/docker/files/tools/convert-rule.mjs b/docker/files/tools/convert-rule.mjs
@@ -7,7 +7,13 @@ import * as std from "std";
 import { buildRules } from "./lib/rules.mjs";
 
 const input = std.in.readAsString();
-const regexRules = buildRules(input);
-if (regexRules.length > 0) {
-  std.out.puts(regexRules.join("\n") + "\n");
+
+try {
+  const regexRules = buildRules(input);
+  if (regexRules.length > 0) {
+    std.out.puts(regexRules.join("\n") + "\n");
+  }
+} catch (e) {
+  std.err.puts(`${e.message}\n`);
+  std.exit(1);
 }
diff --git a/setup/main.mjs b/setup/main.mjs
@@ -3,6 +3,7 @@ import { appendFileSync } from "node:fs";
 import { join, dirname } from "node:path";
 import { fileURLToPath } from "node:url";
 import { buildLegacyRules } from "./lib/legacy-rules.mjs";
+import { buildRules } from "../docker/files/tools/lib/rules.mjs";
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const composeFile = join(__dirname, "compose.yml");
@@ -123,10 +124,13 @@ function resolveImageTag(repository, { versionInput, actionRef }) {
  * @returns {{ httpsRules: string[], httpRules: string[], ipRules: string[] }}
  */
 function buildACLRules({ httpsRulesInput, httpRulesInput, ipRulesInput, httpsDomainsInput, httpDomainsInput, httpsPortsInput, httpPortsInput }) {
-  // New-style rules: pass through as-is (wildcard format)
+  // New-style rules: pass through as-is (wildcard format), validate by converting to regex
   const httpsRules = httpsRulesInput?.trim().split(/\s+/).filter(Boolean) ?? [];
   const httpRules = httpRulesInput?.trim().split(/\s+/).filter(Boolean) ?? [];
   const ipRules = ipRulesInput?.trim().split(/\s+/).filter(Boolean) ?? [];
+  buildRules(httpsRulesInput);
+  buildRules(httpRulesInput);
+  buildRules(ipRulesInput);
 
   // Legacy rules (converted to wildcard format)
   const httpsLegacy = buildLegacyRules({
