-
Notifications
You must be signed in to change notification settings - Fork 163
/
rule_workflow_call.go
192 lines (170 loc) · 5.15 KB
/
rule_workflow_call.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
package actionlint
import (
"fmt"
"strings"
)
// RuleWorkflowCall is a rule checker to check workflow call at jobs.<job_id>.
type RuleWorkflowCall struct {
RuleBase
workflowCallEventPos *Pos
workflowPath string
cache *LocalReusableWorkflowCache
}
// NewRuleWorkflowCall creates a new RuleWorkflowCall instance. 'workflowPath' is a file path to
// the workflow which is relative to a project root directory or an absolute path.
func NewRuleWorkflowCall(workflowPath string, cache *LocalReusableWorkflowCache) *RuleWorkflowCall {
return &RuleWorkflowCall{
RuleBase: RuleBase{
name: "workflow-call",
desc: "Checks for reusable workflow calls. Inputs and outputs of called reusable workflow are checked",
},
workflowCallEventPos: nil,
workflowPath: workflowPath,
cache: cache,
}
}
// VisitWorkflowPre is callback when visiting Workflow node before visiting its children.
func (rule *RuleWorkflowCall) VisitWorkflowPre(n *Workflow) error {
for _, e := range n.On {
if e, ok := e.(*WorkflowCallEvent); ok {
rule.workflowCallEventPos = e.Pos
// Register this reusable workflow in cache so that it does not need to parse this workflow
// file again when this workflow is called by other workflows.
rule.cache.WriteWorkflowCallEvent(rule.workflowPath, e)
break
}
}
return nil
}
// VisitJobPre is callback when visiting Job node before visiting its children.
func (rule *RuleWorkflowCall) VisitJobPre(n *Job) error {
if n.WorkflowCall == nil {
return nil
}
u := n.WorkflowCall.Uses
if u == nil || u.Value == "" || u.ContainsExpression() {
return nil
}
if isWorkflowCallUsesLocalFormat(u.Value) {
rule.checkWorkflowCallUsesLocal(n.WorkflowCall)
return nil
}
if isWorkflowCallUsesRepoFormat(u.Value) {
return nil
}
if strings.HasPrefix(u.Value, "./") {
// When the specification is invalid and it is local reusable workflow call, remember it caused
// an error by setting `nil` to cache. This can prevent redundant 'could not read workflow call'
// error.
rule.cache.writeCache(u.Value, nil)
}
rule.Errorf(
u.Pos,
"reusable workflow call %q at \"uses\" is not following the format \"owner/repo/path/to/workflow.yml@ref\" nor \"./path/to/workflow.yml\". see https://docs.github.com/en/actions/learn-github-actions/reusing-workflows for more details",
u.Value,
)
return nil
}
func (rule *RuleWorkflowCall) checkWorkflowCallUsesLocal(call *WorkflowCall) {
u := call.Uses
m, err := rule.cache.FindMetadata(u.Value)
if err != nil {
rule.Error(u.Pos, err.Error())
return
}
if m == nil {
rule.Debug("Skip workflow call %q since no metadata was found", u.Value)
return
}
// Validate inputs
for n, i := range m.Inputs {
if i != nil && i.Required {
if _, ok := call.Inputs[n]; !ok {
rule.Errorf(u.Pos, "input %q is required by %q reusable workflow", i.Name, u.Value)
}
}
}
for n, i := range call.Inputs {
if _, ok := m.Inputs[n]; !ok {
note := "no input is defined"
if len(m.Inputs) > 0 {
is := make([]string, 0, len(m.Inputs))
for _, i := range m.Inputs {
is = append(is, i.Name)
}
if len(is) == 1 {
note = fmt.Sprintf("defined input is %q", is[0])
} else {
note = "defined inputs are " + sortedQuotes(is)
}
}
rule.Errorf(i.Name.Pos, "input %q is not defined in %q reusable workflow. %s", i.Name.Value, u.Value, note)
}
}
// Validate secrets
if !call.InheritSecrets {
for n, s := range m.Secrets {
if s.Required {
if _, ok := call.Secrets[n]; !ok {
rule.Errorf(u.Pos, "secret %q is required by %q reusable workflow", s.Name, u.Value)
}
}
}
for n, s := range call.Secrets {
if _, ok := m.Secrets[n]; !ok {
note := "no secret is defined"
if len(m.Secrets) > 0 {
ss := make([]string, 0, len(m.Secrets))
for _, s := range m.Secrets {
ss = append(ss, s.Name)
}
if len(ss) == 1 {
note = fmt.Sprintf("defined secret is %q", ss[0])
} else {
note = "defined secrets are " + sortedQuotes(ss)
}
}
rule.Errorf(s.Name.Pos, "secret %q is not defined in %q reusable workflow. %s", s.Name.Value, u.Value, note)
}
}
}
rule.Debug("Validated reusable workflow %q", u.Value)
}
// Parse ./{path/{filename}
// https://docs.github.com/en/actions/learn-github-actions/reusing-workflows#calling-a-reusable-workflow
func isWorkflowCallUsesLocalFormat(u string) bool {
if !strings.HasPrefix(u, "./") {
return false
}
u = strings.TrimPrefix(u, "./")
// Cannot container a ref
idx := strings.IndexRune(u, '@')
if idx > 0 {
return false
}
return len(u) > 0
}
// Parse {owner}/{repo}/{path to workflow.yml}@{ref}
// https://docs.github.com/en/actions/learn-github-actions/reusing-workflows#calling-a-reusable-workflow
func isWorkflowCallUsesRepoFormat(u string) bool {
// Repo reference must start with owner
if strings.HasPrefix(u, ".") {
return false
}
idx := strings.IndexRune(u, '/')
if idx <= 0 {
return false
}
u = u[idx+1:] // Eat owner
idx = strings.IndexRune(u, '/')
if idx <= 0 {
return false
}
u = u[idx+1:] // Eat repo
idx = strings.IndexRune(u, '@')
if idx <= 0 {
return false
}
u = u[idx+1:] // Eat workflow path
return len(u) > 0
}