nektos · cplee · Jul 11, 2023 · May 13, 2023 · May 14, 2023 · May 15, 2023
@@ -58,8 +58,8 @@
 func (w *Workflow) OnEvent(event string) interface{} {
 	if w.RawOn.Kind == yaml.MappingNode {
 		var val map[string]interface{}
 		if !decodeNode(w.RawOn, &val) {
 			return nil
 		}
 		return val[event]
 	}
@@ -84,14 +84,14 @@
 	}

 	var val map[string]yaml.Node
 	if !decodeNode(w.RawOn, &val) {
 		return nil
 	}

 	var config WorkflowDispatch
 	node := val["workflow_dispatch"]
 	if !decodeNode(node, &config) {
 		return nil
 	}

 	return &config
@@ -120,19 +120,19 @@

 func (w *Workflow) WorkflowCallConfig() *WorkflowCall {
 	if w.RawOn.Kind != yaml.MappingNode {
 		// The callers expect for "on: workflow_call" and "on: [ workflow_call ]" a non nil return value
 		return &WorkflowCall{}
 	}

 	var val map[string]yaml.Node
 	if !decodeNode(w.RawOn, &val) {
 		return &WorkflowCall{}
 	}

 	var config WorkflowCall
 	node := val["workflow_call"]
 	if !decodeNode(node, &config) {
 		return &WorkflowCall{}
 	}

 	return &config
@@ -215,8 +215,8 @@
 	}

 	var val string
 	if !decodeNode(j.RawSecrets, &val) {
 		return false
 	}

 	return val == "inherit"
@@ -228,8 +228,8 @@
 	}

 	var val map[string]string
 	if !decodeNode(j.RawSecrets, &val) {
 		return nil
 	}

 	return val
@@ -242,12 +242,12 @@
 	case yaml.ScalarNode:
 		val = new(ContainerSpec)
 		if !decodeNode(j.RawContainer, &val.Image) {
 			return nil
 		}
 	case yaml.MappingNode:
 		val = new(ContainerSpec)
 		if !decodeNode(j.RawContainer, val) {
 			return nil
 		}
 	}
 	return val
@@ -258,14 +258,14 @@
 	switch j.RawNeeds.Kind {
 	case yaml.ScalarNode:
 		var val string
 		if !decodeNode(j.RawNeeds, &val) {
 			return nil
 		}
 		return []string{val}
 	case yaml.SequenceNode:
 		var val []string
 		if !decodeNode(j.RawNeeds, &val) {
 			return nil
 		}
 		return val
 	}
@@ -277,14 +277,14 @@
 	switch j.RawRunsOn.Kind {
 	case yaml.ScalarNode:
 		var val string
 		if !decodeNode(j.RawRunsOn, &val) {
 			return nil
 		}
 		return []string{val}
 	case yaml.SequenceNode:
 		var val []string
 		if !decodeNode(j.RawRunsOn, &val) {
 			return nil
 		}
 		return val
 	}
@@ -294,8 +294,8 @@
 func environment(yml yaml.Node) map[string]string {
 	env := make(map[string]string)
 	if yml.Kind == yaml.MappingNode {
 		if !decodeNode(yml, &env) {
 			return nil
 		}
 	}
 	return env
@@ -311,7 +311,7 @@
 	if j.Strategy.RawMatrix.Kind == yaml.MappingNode {
 		var val map[string][]interface{}
 		if !decodeNode(j.Strategy.RawMatrix, &val) {
 			return nil
 		}
 		return val
 	}
@@ -373,7 +373,7 @@
 						excludes = append(excludes, e)
 					} else {
 						// We fail completely here because that's what GitHub does for non-existing matrix keys, fail on exclude, silent skip on include
 						return nil, fmt.Errorf("the workflow is not valid. Matrix exclude key %q does not match any key within the matrix", k)
 					}
 				}
 			}
@@ -444,14 +444,17 @@
 type JobType int
 
 const (
-	// StepTypeRun is all steps that have a `run` attribute
+	// JobTypeDefault is all jobs that have a `run` attribute
 	JobTypeDefault JobType = iota
 
-	// StepTypeReusableWorkflowLocal is all steps that have a `uses` that is a local workflow in the .github/workflows directory
+	// JobTypeReusableWorkflowLocal is all jobs that have a `uses` that is a local workflow in the .github/workflows directory
 	JobTypeReusableWorkflowLocal
 
-	// JobTypeReusableWorkflowRemote is all steps that have a `uses` that references a workflow file in a github repo
+	// JobTypeReusableWorkflowRemote is all jobs that have a `uses` that references a workflow file in a github repo
 	JobTypeReusableWorkflowRemote
+
+	// JobTypeInvalid represents a job which is not configured correctly
+	JobTypeInvalid
 )
 
 func (j JobType) String() string {
@@ -467,13 +470,28 @@
 }
 
 // Type returns the type of the job
-func (j *Job) Type() JobType {
-	if strings.HasPrefix(j.Uses, "./.github/workflows") && (strings.HasSuffix(j.Uses, ".yml") || strings.HasSuffix(j.Uses, ".yaml")) {
-		return JobTypeReusableWorkflowLocal
-	} else if !strings.HasPrefix(j.Uses, "./") && strings.Contains(j.Uses, ".github/workflows") && (strings.Contains(j.Uses, ".yml@") || strings.Contains(j.Uses, ".yaml@")) {
-		return JobTypeReusableWorkflowRemote
+func (j *Job) Type() (JobType, error) {
+	isReusable := j.Uses != ""
+
+	if isReusable {
+		isYaml, _ := regexp.MatchString(`\.(ya?ml)(?:$|@)`, j.Uses)
+
+		if isYaml {
+			isLocalPath := strings.HasPrefix(j.Uses, "./.github/workflows/")
+			isRemotePath := strings.Contains(j.Uses, "/.github/workflows/")
+			hasVersion, _ := regexp.MatchString(`\.ya?ml@`, j.Uses)
+
+			if isLocalPath {
+				return JobTypeReusableWorkflowLocal, nil
+			} else if isRemotePath && hasVersion {
+				return JobTypeReusableWorkflowRemote, nil
+			}
+		}
+
+		return JobTypeInvalid, fmt.Errorf("`uses` key references invalid workflow path '%s'. Must start with './.github/workflows/' if it's a local workflow, or must start with '<org>/<repo>/.github/workflows/' and include an '@' if it's a remote workflow", j.Uses)
 	}
-	return JobTypeDefault
+
+	return JobTypeDefault, nil
 }
 
 // ContainerSpec is the specification of the container to use for the job
@@ -659,16 +677,16 @@
 	return ids
 }

 var OnDecodeNodeError = func(node yaml.Node, out interface{}, err error) {
 	log.Fatalf("Failed to decode node %v into %T: %v", node, out, err)
 }

 func decodeNode(node yaml.Node, out interface{}) bool {
 	if err := node.Decode(out); err != nil {
 		if OnDecodeNodeError != nil {
 			OnDecodeNodeError(node, out, err)
 		}
 		return false
 	}
 	return true
 }
@@ -138,6 +138,7 @@ jobs:
 	})
 }
 
+//nolint:dupl
 func TestReadWorkflow_JobTypes(t *testing.T) {
 	yaml := `
 name: invalid job definition
@@ -147,20 +148,82 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - run: echo
-  remote-reusable-workflow:
-    runs-on: ubuntu-latest
+  remote-reusable-workflow-yml:
     uses: remote/repo/.github/workflows/workflow.yml@main
-  local-reusable-workflow:
-    runs-on: ubuntu-latest
+  remote-reusable-workflow-yaml:
+    uses: remote/repo/.github/workflows/workflow.yaml@main
+  local-reusable-workflow-yml:
     uses: ./.github/workflows/workflow.yml
+  local-reusable-workflow-yaml:
+    uses: ./.github/workflows/workflow.yaml
+`
+
+	workflow, err := ReadWorkflow(strings.NewReader(yaml))
+	assert.NoError(t, err, "read workflow should succeed")
+	assert.Len(t, workflow.Jobs, 5)
+
+	job, err := workflow.Jobs["default-job"].Type()
+	assert.Equal(t, nil, err)
+	assert.Equal(t, JobTypeDefault, job)
+
+	job, err = workflow.Jobs["remote-reusable-workflow-yml"].Type()
+	assert.Equal(t, nil, err)
+	assert.Equal(t, JobTypeReusableWorkflowRemote, job)
+
+	job, err = workflow.Jobs["remote-reusable-workflow-yaml"].Type()
+	assert.Equal(t, nil, err)
+	assert.Equal(t, JobTypeReusableWorkflowRemote, job)
+
+	job, err = workflow.Jobs["local-reusable-workflow-yml"].Type()
+	assert.Equal(t, nil, err)
+	assert.Equal(t, JobTypeReusableWorkflowLocal, job)
+
+	job, err = workflow.Jobs["local-reusable-workflow-yaml"].Type()
+	assert.Equal(t, nil, err)
+	assert.Equal(t, JobTypeReusableWorkflowLocal, job)
+}
+
+//nolint:dupl
+func TestReadWorkflow_JobTypes_InvalidPath(t *testing.T) {
+	yaml := `
+name: invalid job definition
+
+jobs:
+  remote-reusable-workflow-missing-version:
+    uses: remote/repo/.github/workflows/workflow.yml
+  remote-reusable-workflow-bad-extension:
+    uses: remote/repo/.github/workflows/workflow.json
+  remote-reusable-workflow-bad-path:
+    uses: remote/repo/github/workflows/workflow.yaml@main
+  local-reusable-workflow-bad-extension:
+    uses: ./.github/workflows/workflow.json
+  local-reusable-workflow-bad-path:
+    uses: ./.github/workflow/workflow.yaml
 `
 
 	workflow, err := ReadWorkflow(strings.NewReader(yaml))
 	assert.NoError(t, err, "read workflow should succeed")
-	assert.Len(t, workflow.Jobs, 3)
-	assert.Equal(t, workflow.Jobs["default-job"].Type(), JobTypeDefault)
-	assert.Equal(t, workflow.Jobs["remote-reusable-workflow"].Type(), JobTypeReusableWorkflowRemote)
-	assert.Equal(t, workflow.Jobs["local-reusable-workflow"].Type(), JobTypeReusableWorkflowLocal)
+	assert.Len(t, workflow.Jobs, 5)
+
+	job, err := workflow.Jobs["remote-reusable-workflow-missing-version"].Type()
+	assert.Equal(t, JobTypeInvalid, job)
+	assert.NotEqual(t, nil, err)
+
+	job, err = workflow.Jobs["remote-reusable-workflow-bad-extension"].Type()
+	assert.Equal(t, JobTypeInvalid, job)
+	assert.NotEqual(t, nil, err)
+
+	job, err = workflow.Jobs["remote-reusable-workflow-bad-path"].Type()
+	assert.Equal(t, JobTypeInvalid, job)
+	assert.NotEqual(t, nil, err)
+
+	job, err = workflow.Jobs["local-reusable-workflow-bad-extension"].Type()
+	assert.Equal(t, JobTypeInvalid, job)
+	assert.NotEqual(t, nil, err)
+
+	job, err = workflow.Jobs["local-reusable-workflow-bad-path"].Type()
+	assert.Equal(t, JobTypeInvalid, job)
+	assert.NotEqual(t, nil, err)
 }
 
 func TestReadWorkflow_StepsTypes(t *testing.T) {

@@ -89,18 +89,18 @@

 func getDockerDaemonSocketMountPath(daemonPath string) string {
 	if protoIndex := strings.Index(daemonPath, "://"); protoIndex != -1 {
 		scheme := daemonPath[:protoIndex]
 		if strings.EqualFold(scheme, "npipe") {
 			// linux container mount on windows, use the default socket path of the VM / wsl2
 			return "/var/run/docker.sock"
 		} else if strings.EqualFold(scheme, "unix") {
 			return daemonPath[protoIndex+3:]
 		} else if strings.IndexFunc(scheme, func(r rune) bool {
 			return (r < 'a' || r > 'z') && (r < 'A' || r > 'Z')
 		}) == -1 {
 			// unknown protocol use default
 			return "/var/run/docker.sock"
 		}
 	}
 	return daemonPath
 }
@@ -319,11 +319,11 @@
 	if rc.ExtraPath != nil && len(rc.ExtraPath) > 0 {
 		path := rc.JobContainer.GetPathVariableName()
 		if rc.JobContainer.IsEnvironmentCaseInsensitive() {
 			// On windows system Path and PATH could also be in the map
 			for k := range *env {
 				if strings.EqualFold(path, k) {
 					path = k
 					break
 				}
 			}
 		}
@@ -336,8 +336,8 @@
 				}
 			}
 			if len(cpath) == 0 {
 				cpath = rc.JobContainer.DefaultPathVariable()
 			}
 			(*env)[path] = cpath
 		}
 		(*env)[path] = rc.JobContainer.JoinPathVariable(append(rc.ExtraPath, (*env)[path])...)
@@ -389,8 +389,8 @@
 		if home, err := os.UserHomeDir(); err == nil {
 			xdgCache = filepath.Join(home, ".cache")
 		} else if xdgCache, err = filepath.Abs("."); err != nil {
 			// It's almost impossible to get here, so the temp dir is a good fallback
 			xdgCache = os.TempDir()
 		}
 	}
 	return filepath.Join(xdgCache, "act")
@@ -451,16 +451,19 @@
 }
 
 // Executor returns a pipeline executor for all the steps in the job
-func (rc *RunContext) Executor() common.Executor {
+func (rc *RunContext) Executor() (common.Executor, error) {
 	var executor common.Executor
+	var jobType, err = rc.Run.Job().Type()
 
-	switch rc.Run.Job().Type() {
+	switch jobType {
 	case model.JobTypeDefault:
 		executor = newJobExecutor(rc, &stepFactoryImpl{}, rc)
 	case model.JobTypeReusableWorkflowLocal:
 		executor = newLocalReusableWorkflowExecutor(rc)
 	case model.JobTypeReusableWorkflowRemote:
 		executor = newRemoteReusableWorkflowExecutor(rc)
+	case model.JobTypeInvalid:
+		return nil, err
 	}
 
 	return func(ctx context.Context) error {
@@ -472,7 +475,7 @@
 			return executor(ctx)
 		}
 		return nil
-	}
+	}, nil
 }
 
 func (rc *RunContext) containerImage(ctx context.Context) string {
@@ -525,16 +528,21 @@
 func (rc *RunContext) isEnabled(ctx context.Context) (bool, error) {
 	job := rc.Run.Job()
 	l := common.Logger(ctx)
-	runJob, err := EvalBool(ctx, rc.ExprEval, job.If.Value, exprparser.DefaultStatusCheckSuccess)
-	if err != nil {
-		return false, fmt.Errorf("  \u274C  Error in if-expression: \"if: %s\" (%s)", job.If.Value, err)
+	runJob, runJobErr := EvalBool(ctx, rc.ExprEval, job.If.Value, exprparser.DefaultStatusCheckSuccess)
+	jobType, jobTypeErr := job.Type()
+
+	if runJobErr != nil {
+		return false, fmt.Errorf("  \u274C  Error in if-expression: \"if: %s\" (%s)", job.If.Value, runJobErr)
 	}
+
 	if !runJob {
 		l.WithField("jobResult", "skipped").Debugf("Skipping job '%s' due to '%s'", job.Name, job.If.Value)
 		return false, nil
 	}
 
-	if job.Type() != model.JobTypeDefault {
+	if jobType == model.JobTypeInvalid {
+		return false, jobTypeErr
+	} else if jobType != model.JobTypeDefault {
 		return true, nil
 	}
 
@@ -687,13 +695,13 @@
 	}
 	// allow to be overridden by user
 	if rc.Config.Env["GITHUB_SERVER_URL"] != "" {
 		ghc.ServerURL = rc.Config.Env["GITHUB_SERVER_URL"]
 	}
 	if rc.Config.Env["GITHUB_API_URL"] != "" {
 		ghc.APIURL = rc.Config.Env["GITHUB_API_URL"]
 	}
 	if rc.Config.Env["GITHUB_GRAPHQL_URL"] != "" {
 		ghc.GraphQLURL = rc.Config.Env["GITHUB_GRAPHQL_URL"]
 	}

 	return ghc
@@ -799,7 +807,7 @@
 func setActionRuntimeVars(rc *RunContext, env map[string]string) {
 	actionsRuntimeURL := os.Getenv("ACTIONS_RUNTIME_URL")
 	if actionsRuntimeURL == "" {
 		actionsRuntimeURL = fmt.Sprintf("http://%s:%s/", rc.Config.ArtifactServerAddr, rc.Config.ArtifactServerPort)
 	}
 	env["ACTIONS_RUNTIME_URL"] = actionsRuntimeURL


@@ -91,8 +91,8 @@
 		}
 		eventJSON, err := json.Marshal(eventMap)
 		if err != nil {
 			return nil, err
 		}
 		runner.eventJSON = string(eventJSON)
 	}
 	return runner, nil
@@ -120,7 +120,7 @@

 				var matrixes []map[string]interface{}
 				if m, err := job.GetMatrixes(); err != nil {
 					log.Errorf("Error while get job's matrix: %v", err)
 				} else {
 					matrixes = selectMatrixes(m, runner.config.Matrix)
 				}
@@ -147,7 +147,13 @@
 					}
 					stageExecutor = append(stageExecutor, func(ctx context.Context) error {
 						jobName := fmt.Sprintf("%-*s", maxJobNameLen, rc.String())
-						return rc.Executor()(common.WithJobErrorContainer(WithJobLogger(ctx, rc.Run.JobID, jobName, rc.Config, &rc.Masks, matrix)))
+						executor, err := rc.Executor()
+
+						if err != nil {
+							return err
+						}
+
+						return executor(common.WithJobErrorContainer(WithJobLogger(ctx, rc.Run.JobID, jobName, rc.Config, &rc.Masks, matrix)))
 					})
 				}
 				pipeline = append(pipeline, common.NewParallelExecutor(maxParallel, stageExecutor...))