root
472 lines
15 KiB
Go
472 lines
15 KiB
Go
// Copyright 2026 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package jobparser
|
|
|
|
import (
|
|
"maps"
|
|
"testing"
|
|
|
|
"gitea.com/gitea/runner/act/model"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
"go.yaml.in/yaml/v4"
|
|
)
|
|
|
|
func TestParseWorkflowCallSpec(t *testing.T) {
|
|
t.Run("malformed YAML surfaces a parse error", func(t *testing.T) {
|
|
// Mismatched flow-sequence brackets — yaml.Unmarshal must reject this.
|
|
_, err := ParseWorkflowCallSpec([]byte(`name: bad
|
|
on: [workflow_call
|
|
jobs:
|
|
noop: { }
|
|
`))
|
|
require.Error(t, err)
|
|
})
|
|
|
|
t.Run("workflow without on.workflow_call is rejected", func(t *testing.T) {
|
|
notCallable := []byte(`name: ordinary
|
|
on: push
|
|
jobs:
|
|
noop:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- run: echo
|
|
`)
|
|
_, err := ParseWorkflowCallSpec(notCallable)
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), "does not declare on.workflow_call")
|
|
})
|
|
|
|
t.Run("input missing the required type field is rejected", func(t *testing.T) {
|
|
content := callableWorkflow(t, `inputs:
|
|
x:
|
|
description: missing type
|
|
`)
|
|
_, err := ParseWorkflowCallSpec(content)
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), `missing required field "type"`)
|
|
})
|
|
|
|
t.Run("inputs/secrets/outputs are decoded", func(t *testing.T) {
|
|
content := callableWorkflow(t, `inputs:
|
|
env:
|
|
type: string
|
|
required: true
|
|
secrets:
|
|
DEPLOY_KEY:
|
|
required: true
|
|
outputs:
|
|
sha:
|
|
value: ${{ jobs.build.outputs.commit }}
|
|
`)
|
|
spec, err := ParseWorkflowCallSpec(content)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, InputTypeString, spec.Inputs["env"].Type)
|
|
assert.True(t, spec.Inputs["env"].Required)
|
|
assert.True(t, spec.Secrets["DEPLOY_KEY"].Required)
|
|
assert.Equal(t, "${{ jobs.build.outputs.commit }}", spec.Outputs["sha"].Value)
|
|
})
|
|
}
|
|
|
|
func TestEvaluateCallerWith(t *testing.T) {
|
|
t.Run("empty with: returns empty map", func(t *testing.T) {
|
|
out, err := EvaluateCallerWith("caller", &Job{}, nil, callerResults("caller", nil, nil), nil, nil)
|
|
require.NoError(t, err)
|
|
assert.Empty(t, out)
|
|
})
|
|
|
|
t.Run("non-string raw values pass through unchanged", func(t *testing.T) {
|
|
job := &Job{With: map[string]any{
|
|
"already_bool": true,
|
|
"already_int": 42,
|
|
"already_slice": []any{"a", "b"},
|
|
}}
|
|
out, err := EvaluateCallerWith("caller", job, nil, callerResults("caller", nil, nil), nil, nil)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, true, out["already_bool"])
|
|
assert.Equal(t, 42, out["already_int"])
|
|
assert.Equal(t, []any{"a", "b"}, out["already_slice"])
|
|
})
|
|
|
|
t.Run("expressions resolve against vars/inputs/results", func(t *testing.T) {
|
|
job := &Job{With: map[string]any{
|
|
"env_name": "${{ vars.ENV }}",
|
|
"from_inputs": "${{ inputs.PARENT_VAR }}",
|
|
"from_needs": "${{ needs.upstream.outputs.commit }}",
|
|
}}
|
|
gitCtx := map[string]any{"event": map[string]any{}}
|
|
results := callerResults("caller", []string{"upstream"}, map[string]*JobResult{
|
|
"upstream": {Result: "success", Outputs: map[string]string{"commit": "abc123"}},
|
|
})
|
|
vars := map[string]string{"ENV": "staging"}
|
|
inputs := map[string]any{"PARENT_VAR": "from-parent"}
|
|
out, err := EvaluateCallerWith("caller", job, gitCtx, results, vars, inputs)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, "staging", out["env_name"])
|
|
assert.Equal(t, "from-parent", out["from_inputs"])
|
|
assert.Equal(t, "abc123", out["from_needs"])
|
|
})
|
|
|
|
t.Run("matrix.X resolves to this caller row's matrix instance", func(t *testing.T) {
|
|
var rawMatrix yaml.Node
|
|
require.NoError(t, rawMatrix.Encode(map[string][]any{"target": {"staging"}}))
|
|
job := &Job{
|
|
With: map[string]any{"env": "${{ matrix.target }}"},
|
|
Strategy: Strategy{RawMatrix: rawMatrix},
|
|
}
|
|
out, err := EvaluateCallerWith("caller", job, nil, callerResults("caller", nil, nil), nil, nil)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, "staging", out["env"])
|
|
})
|
|
}
|
|
|
|
func TestMatchCallerInputsAgainstSpec(t *testing.T) {
|
|
// mustParseSpec wraps ParseWorkflowCallSpec for test brevity.
|
|
mustParseSpec := func(t *testing.T, content []byte) *WorkflowCallSpec {
|
|
t.Helper()
|
|
spec, err := ParseWorkflowCallSpec(content)
|
|
require.NoError(t, err)
|
|
return spec
|
|
}
|
|
|
|
t.Run("default is filled when caller does not provide the input", func(t *testing.T) {
|
|
spec := mustParseSpec(t, callableWorkflow(t, `inputs:
|
|
greeting:
|
|
type: string
|
|
default: hi
|
|
`))
|
|
out, err := MatchCallerInputsAgainstSpec(spec, nil)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, map[string]any{"greeting": "hi"}, out)
|
|
})
|
|
|
|
t.Run("caller-provided value wins over default", func(t *testing.T) {
|
|
spec := mustParseSpec(t, callableWorkflow(t, `inputs:
|
|
greeting:
|
|
type: string
|
|
default: hi
|
|
`))
|
|
out, err := MatchCallerInputsAgainstSpec(spec, map[string]any{"greeting": "hello"})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, map[string]any{"greeting": "hello"}, out)
|
|
})
|
|
|
|
t.Run("required input must be provided", func(t *testing.T) {
|
|
spec := mustParseSpec(t, callableWorkflow(t, `inputs:
|
|
target:
|
|
type: string
|
|
required: true
|
|
`))
|
|
_, err := MatchCallerInputsAgainstSpec(spec, nil)
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), `"target" is required`)
|
|
})
|
|
|
|
t.Run("required input is satisfied by a default value", func(t *testing.T) {
|
|
spec := mustParseSpec(t, callableWorkflow(t, `inputs:
|
|
target:
|
|
type: string
|
|
required: true
|
|
default: prod
|
|
`))
|
|
out, err := MatchCallerInputsAgainstSpec(spec, nil)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, map[string]any{"target": "prod"}, out)
|
|
})
|
|
|
|
t.Run("boolean inputs accept native bool values and bool defaults", func(t *testing.T) {
|
|
spec := mustParseSpec(t, callableWorkflow(t, `inputs:
|
|
flag1:
|
|
type: boolean
|
|
flag2:
|
|
type: boolean
|
|
default: true
|
|
flag3:
|
|
type: boolean
|
|
`))
|
|
out, err := MatchCallerInputsAgainstSpec(spec, map[string]any{
|
|
"flag1": true,
|
|
"flag3": false,
|
|
})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, true, out["flag1"])
|
|
assert.Equal(t, true, out["flag2"]) // from default
|
|
assert.Equal(t, false, out["flag3"])
|
|
})
|
|
|
|
t.Run("boolean input rejects strings", func(t *testing.T) {
|
|
spec := mustParseSpec(t, callableWorkflow(t, `inputs:
|
|
flag:
|
|
type: boolean
|
|
`))
|
|
_, err := MatchCallerInputsAgainstSpec(spec, map[string]any{"flag": "true"})
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), "expects boolean")
|
|
})
|
|
|
|
t.Run("number inputs accept native numeric values and number defaults", func(t *testing.T) {
|
|
spec := mustParseSpec(t, callableWorkflow(t, `inputs:
|
|
count:
|
|
type: number
|
|
ratio:
|
|
type: number
|
|
default: 0.5
|
|
`))
|
|
out, err := MatchCallerInputsAgainstSpec(spec, map[string]any{"count": 42})
|
|
require.NoError(t, err)
|
|
assert.InDelta(t, 42.0, out["count"], 0)
|
|
assert.InDelta(t, 0.5, out["ratio"], 0)
|
|
})
|
|
|
|
t.Run("number input rejects strings", func(t *testing.T) {
|
|
spec := mustParseSpec(t, callableWorkflow(t, `inputs:
|
|
count:
|
|
type: number
|
|
`))
|
|
_, err := MatchCallerInputsAgainstSpec(spec, map[string]any{"count": "42"})
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), "expects number")
|
|
})
|
|
|
|
t.Run("unknown caller-with key is silently dropped", func(t *testing.T) {
|
|
spec := mustParseSpec(t, callableWorkflow(t, `inputs:
|
|
known:
|
|
type: string
|
|
default: ok
|
|
`))
|
|
out, err := MatchCallerInputsAgainstSpec(spec, map[string]any{
|
|
"known": "yes",
|
|
"unknown": "ignored",
|
|
})
|
|
require.NoError(t, err)
|
|
assert.Equal(t, map[string]any{"known": "yes"}, out)
|
|
})
|
|
}
|
|
|
|
func TestParseCallerSecrets(t *testing.T) {
|
|
// secretYAMLNode unmarshals raw YAML text into a yaml.Node so tests can hand it to ParseCallerSecrets.
|
|
secretYAMLNode := func(t *testing.T, s string) yaml.Node {
|
|
t.Helper()
|
|
var node yaml.Node
|
|
require.NoError(t, yaml.Unmarshal([]byte(s), &node))
|
|
// yaml.Unmarshal wraps content in a DocumentNode; the meaningful node is the first child.
|
|
if node.Kind == yaml.DocumentNode && len(node.Content) > 0 {
|
|
return *node.Content[0]
|
|
}
|
|
return node
|
|
}
|
|
|
|
t.Run("zero node returns no inherit, no mapping", func(t *testing.T) {
|
|
inherit, mapping, err := ParseCallerSecrets(yaml.Node{})
|
|
require.NoError(t, err)
|
|
assert.False(t, inherit)
|
|
assert.Nil(t, mapping)
|
|
})
|
|
|
|
t.Run("\"inherit\" scalar sets inherit=true", func(t *testing.T) {
|
|
inherit, mapping, err := ParseCallerSecrets(secretYAMLNode(t, `inherit`))
|
|
require.NoError(t, err)
|
|
assert.True(t, inherit)
|
|
assert.Nil(t, mapping)
|
|
})
|
|
|
|
t.Run("non-inherit scalar is rejected", func(t *testing.T) {
|
|
_, _, err := ParseCallerSecrets(secretYAMLNode(t, `something-else`))
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), "expected mapping or 'inherit'")
|
|
})
|
|
|
|
t.Run("mapping of secrets-style references is parsed", func(t *testing.T) {
|
|
inherit, mapping, err := ParseCallerSecrets(secretYAMLNode(t, `
|
|
DEPLOY_KEY: ${{ secrets.GITEA_DEPLOY_KEY }}
|
|
DB_PASS: ${{ secrets.PROD_DB_PASS }}
|
|
`))
|
|
require.NoError(t, err)
|
|
assert.False(t, inherit)
|
|
assert.Equal(t, map[string]string{
|
|
"DEPLOY_KEY": "GITEA_DEPLOY_KEY",
|
|
"DB_PASS": "PROD_DB_PASS",
|
|
}, mapping)
|
|
})
|
|
|
|
t.Run("alias and source names are upper-cased", func(t *testing.T) {
|
|
inherit, mapping, err := ParseCallerSecrets(secretYAMLNode(t, `
|
|
deploy_key: ${{ secrets.gitea_deploy_key }}
|
|
`))
|
|
require.NoError(t, err)
|
|
assert.False(t, inherit)
|
|
assert.Equal(t, map[string]string{"DEPLOY_KEY": "GITEA_DEPLOY_KEY"}, mapping)
|
|
})
|
|
|
|
t.Run("mapping value not in ${{ secrets.NAME }} form is rejected", func(t *testing.T) {
|
|
// plain string
|
|
_, _, err := ParseCallerSecrets(secretYAMLNode(t, `KEY: not-an-expression`))
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), `must be of the form ${{ secrets.NAME }}`)
|
|
|
|
// expression but referencing the wrong context (vars instead of secrets)
|
|
_, _, err = ParseCallerSecrets(secretYAMLNode(t, `KEY: ${{ vars.NAME }}`))
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), `must be of the form ${{ secrets.NAME }}`)
|
|
})
|
|
}
|
|
|
|
func TestValidateCallerSecrets(t *testing.T) {
|
|
specWith := func(secrets map[string]SecretSpec) *WorkflowCallSpec {
|
|
return &WorkflowCallSpec{Secrets: secrets}
|
|
}
|
|
|
|
t.Run("explicit mapping with all required + only declared aliases is accepted", func(t *testing.T) {
|
|
spec := specWith(map[string]SecretSpec{
|
|
"DEPLOY_KEY": {Required: true},
|
|
"OPTIONAL": {},
|
|
})
|
|
mapping := map[string]string{
|
|
"DEPLOY_KEY": "PROD_DEPLOY_KEY",
|
|
"OPTIONAL": "SOMETHING_ELSE",
|
|
}
|
|
require.NoError(t, ValidateCallerSecrets(spec, mapping))
|
|
})
|
|
|
|
t.Run("alias not in callee schema is rejected", func(t *testing.T) {
|
|
spec := specWith(map[string]SecretSpec{"DEPLOY_KEY": {}})
|
|
mapping := map[string]string{
|
|
"DEPLOY_KEY": "PROD_DEPLOY_KEY",
|
|
"EXTRA": "SOMETHING_NOT_DECLARED",
|
|
}
|
|
err := ValidateCallerSecrets(spec, mapping)
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), `caller secret "EXTRA"`)
|
|
assert.Contains(t, err.Error(), `not declared`)
|
|
})
|
|
|
|
t.Run("missing required secret is rejected", func(t *testing.T) {
|
|
spec := specWith(map[string]SecretSpec{
|
|
"MUST_HAVE": {Required: true},
|
|
"OPTIONAL": {},
|
|
})
|
|
mapping := map[string]string{"OPTIONAL": "X"}
|
|
err := ValidateCallerSecrets(spec, mapping)
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), `required secret "MUST_HAVE"`)
|
|
assert.Contains(t, err.Error(), `not provided`)
|
|
})
|
|
|
|
t.Run("callee with no secrets schema accepts an empty mapping", func(t *testing.T) {
|
|
spec := specWith(map[string]SecretSpec{})
|
|
require.NoError(t, ValidateCallerSecrets(spec, nil))
|
|
require.NoError(t, ValidateCallerSecrets(spec, map[string]string{}))
|
|
})
|
|
|
|
t.Run("callee with no secrets schema rejects a non-empty mapping", func(t *testing.T) {
|
|
spec := specWith(map[string]SecretSpec{})
|
|
err := ValidateCallerSecrets(spec, map[string]string{"X": "Y"})
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), `caller secret "X"`)
|
|
})
|
|
|
|
t.Run("name matching is case-insensitive", func(t *testing.T) {
|
|
// declared name and caller alias differ only in case; both should match.
|
|
spec := specWith(map[string]SecretSpec{"deploy_key": {Required: true}})
|
|
mapping := map[string]string{"DEPLOY_KEY": "PROD_DEPLOY_KEY"}
|
|
require.NoError(t, ValidateCallerSecrets(spec, mapping))
|
|
})
|
|
|
|
t.Run("nil spec is rejected", func(t *testing.T) {
|
|
err := ValidateCallerSecrets(nil, map[string]string{"X": "Y"})
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), "nil workflow_call spec")
|
|
})
|
|
}
|
|
|
|
func TestEvaluateWorkflowCallOutputs(t *testing.T) {
|
|
t.Run("nil spec returns empty map", func(t *testing.T) {
|
|
out, err := EvaluateWorkflowCallOutputs(nil, &model.GithubContext{}, nil, nil, nil)
|
|
require.NoError(t, err)
|
|
assert.Empty(t, out)
|
|
})
|
|
|
|
t.Run("spec with no outputs returns empty map", func(t *testing.T) {
|
|
spec := &WorkflowCallSpec{Outputs: map[string]OutputSpec{}}
|
|
out, err := EvaluateWorkflowCallOutputs(spec, &model.GithubContext{}, nil, nil, nil)
|
|
require.NoError(t, err)
|
|
assert.Empty(t, out)
|
|
})
|
|
|
|
t.Run("plain string value passes through unchanged", func(t *testing.T) {
|
|
spec := &WorkflowCallSpec{Outputs: map[string]OutputSpec{
|
|
"name": {Value: "static-value"},
|
|
}}
|
|
out, err := EvaluateWorkflowCallOutputs(spec, &model.GithubContext{}, nil, nil, nil)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, map[string]string{"name": "static-value"}, out)
|
|
})
|
|
|
|
t.Run("output references jobs.<id>.outputs.<name>", func(t *testing.T) {
|
|
spec := &WorkflowCallSpec{Outputs: map[string]OutputSpec{
|
|
"sha": {Value: "${{ jobs.build.outputs.commit }}"},
|
|
}}
|
|
jobOutputs := JobOutputs{
|
|
"build": {"commit": "deadbeef"},
|
|
}
|
|
out, err := EvaluateWorkflowCallOutputs(spec, &model.GithubContext{}, nil, nil, jobOutputs)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, "deadbeef", out["sha"])
|
|
})
|
|
|
|
t.Run("output references inputs.<name>", func(t *testing.T) {
|
|
spec := &WorkflowCallSpec{Outputs: map[string]OutputSpec{
|
|
"target": {Value: "${{ inputs.env_name }}"},
|
|
}}
|
|
inputs := map[string]any{"env_name": "staging"}
|
|
out, err := EvaluateWorkflowCallOutputs(spec, &model.GithubContext{}, nil, inputs, nil)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, "staging", out["target"])
|
|
})
|
|
|
|
t.Run("multiple outputs are all evaluated", func(t *testing.T) {
|
|
spec := &WorkflowCallSpec{Outputs: map[string]OutputSpec{
|
|
"static": {Value: "static-value"},
|
|
"dynamic": {Value: "${{ vars.SUFFIX }}"},
|
|
}}
|
|
vars := map[string]string{"SUFFIX": "abc"}
|
|
out, err := EvaluateWorkflowCallOutputs(spec, &model.GithubContext{}, vars, nil, nil)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, "static-value", out["static"])
|
|
assert.Equal(t, "abc", out["dynamic"])
|
|
})
|
|
|
|
t.Run("expression referencing an undefined symbol surfaces an error", func(t *testing.T) {
|
|
spec := &WorkflowCallSpec{Outputs: map[string]OutputSpec{
|
|
"bad": {Value: "${{ this.is.not.valid() }}"},
|
|
}}
|
|
_, err := EvaluateWorkflowCallOutputs(spec, &model.GithubContext{}, nil, nil, nil)
|
|
require.Error(t, err)
|
|
assert.Contains(t, err.Error(), `output "bad"`)
|
|
})
|
|
}
|
|
|
|
// callableWorkflow returns a minimal valid called-workflow YAML with on.workflow_call.
|
|
func callableWorkflow(t *testing.T, body string) []byte {
|
|
t.Helper()
|
|
return []byte(`name: callable
|
|
on:
|
|
workflow_call:
|
|
` + body + `
|
|
jobs:
|
|
noop:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- run: "echo"
|
|
`)
|
|
}
|
|
|
|
// callerResults returns the minimum results map shape that NewInterpeter expects
|
|
func callerResults(callerJobID string, callerNeeds []string, deps map[string]*JobResult) map[string]*JobResult {
|
|
out := make(map[string]*JobResult, len(deps)+1)
|
|
maps.Copy(out, deps)
|
|
out[callerJobID] = &JobResult{Needs: callerNeeds}
|
|
return out
|
|
}
|