Merge branch 'main' into robertbrignull/recursive_sarif_test

lib/actions-util.js

@@ -166,10 +166,12 @@ exports.WorkflowErrors = toCodedErrors({
 function validateWorkflow(doc) {
     var _a, _b, _c, _d, _e, _f, _g, _h;
     const errors = [];
-    // .jobs[key].steps[].run
+    const jobName = process.env.GITHUB_JOB;
-    for (const job of Object.values(((_a = doc) === null || _a === void 0 ? void 0 : _a.jobs) || {})) {
+    if (jobName) {
-        if (Array.isArray((_b = job) === null || _b === void 0 ? void 0 : _b.steps)) {
+        const job = (_b = (_a = doc) === null || _a === void 0 ? void 0 : _a.jobs) === null || _b === void 0 ? void 0 : _b[jobName];
-            for (const step of (_c = job) === null || _c === void 0 ? void 0 : _c.steps) {
+        const steps = (_c = job) === null || _c === void 0 ? void 0 : _c.steps;
+        if (Array.isArray(steps)) {
+            for (const step of steps) {
                 // this was advice that we used to give in the README
                 // we actually want to run the analysis on the merge commit
                 // to produce results that are more inline with expectations
@@ -177,6 +179,7 @@ function validateWorkflow(doc) {
                 // and avoid some race conditions
                 if (((_d = step) === null || _d === void 0 ? void 0 : _d.run) === "git checkout HEAD^2") {
                     errors.push(exports.WorkflowErrors.CheckoutWrongHead);
+                    break;
                 }
             }
         }

lib/actions-util.test.js

@@ -242,6 +242,7 @@ ava_1.default("validateWorkflow() when on.pull_request for mismatched wildcard b
     t.deepEqual(errors, [actionsutil.WorkflowErrors.MismatchedBranches]);
 });
 ava_1.default("validateWorkflow() when HEAD^2 is checked out", (t) => {
+    process.env.GITHUB_JOB = "test";
     const errors = actionsutil.validateWorkflow({
         on: ["push", "pull_request"],
         jobs: { test: { steps: [{ run: "git checkout HEAD^2" }] } },
@@ -314,4 +315,52 @@ on:
 `));
     t.deepEqual(errors, []);
 });
+ava_1.default("validateWorkflow() should only report the current job's CheckoutWrongHead", (t) => {
+    process.env.GITHUB_JOB = "test";
+    const errors = actionsutil.validateWorkflow(yaml.safeLoad(`
+name: "CodeQL"
+on:
+  push:
+    branches: [master]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+jobs:
+  test:
+    steps:
+      - run: "git checkout HEAD^2"
+
+  test2:
+    steps:
+      - run: "git checkout HEAD^2"
+
+  test3:
+    steps: []
+`));
+    t.deepEqual(errors, [actionsutil.WorkflowErrors.CheckoutWrongHead]);
+});
+ava_1.default("validateWorkflow() should not report a different job's CheckoutWrongHead", (t) => {
+    process.env.GITHUB_JOB = "test3";
+    const errors = actionsutil.validateWorkflow(yaml.safeLoad(`
+name: "CodeQL"
+on:
+  push:
+    branches: [master]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+jobs:
+  test:
+    steps:
+      - run: "git checkout HEAD^2"
+
+  test2:
+    steps:
+      - run: "git checkout HEAD^2"
+
+  test3:
+    steps: []
+`));
+    t.deepEqual(errors, []);
+});
 //# sourceMappingURL=actions-util.test.js.map

src/actions-util.test.ts

@@ -336,6 +336,8 @@ test("validateWorkflow() when on.pull_request for mismatched wildcard branches",
 });
 
 test("validateWorkflow() when HEAD^2 is checked out", (t) => {
+  process.env.GITHUB_JOB = "test";
+
   const errors = actionsutil.validateWorkflow({
     on: ["push", "pull_request"],
     jobs: { test: { steps: [{ run: "git checkout HEAD^2" }] } },
@@ -432,3 +434,61 @@ on:
 
   t.deepEqual(errors, []);
 });
+
+test("validateWorkflow() should only report the current job's CheckoutWrongHead", (t) => {
+  process.env.GITHUB_JOB = "test";
+
+  const errors = actionsutil.validateWorkflow(
+    yaml.safeLoad(`
+name: "CodeQL"
+on:
+  push:
+    branches: [master]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+jobs:
+  test:
+    steps:
+      - run: "git checkout HEAD^2"
+
+  test2:
+    steps:
+      - run: "git checkout HEAD^2"
+
+  test3:
+    steps: []
+`)
+  );
+
+  t.deepEqual(errors, [actionsutil.WorkflowErrors.CheckoutWrongHead]);
+});
+
+test("validateWorkflow() should not report a different job's CheckoutWrongHead", (t) => {
+  process.env.GITHUB_JOB = "test3";
+
+  const errors = actionsutil.validateWorkflow(
+    yaml.safeLoad(`
+name: "CodeQL"
+on:
+  push:
+    branches: [master]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+jobs:
+  test:
+    steps:
+      - run: "git checkout HEAD^2"
+
+  test2:
+    steps:
+      - run: "git checkout HEAD^2"
+
+  test3:
+    steps: []
+`)
+  );
+
+  t.deepEqual(errors, []);
+});

src/actions-util.ts

@@ -211,10 +211,15 @@ export const WorkflowErrors = toCodedErrors({
 export function validateWorkflow(doc: Workflow): CodedError[] {
   const errors: CodedError[] = [];
 
-  // .jobs[key].steps[].run
+  const jobName = process.env.GITHUB_JOB;
-  for (const job of Object.values(doc?.jobs || {})) {
+
-    if (Array.isArray(job?.steps)) {
+  if (jobName) {
-      for (const step of job?.steps) {
+    const job = doc?.jobs?.[jobName];
+
+    const steps = job?.steps;
+
+    if (Array.isArray(steps)) {
+      for (const step of steps) {
         // this was advice that we used to give in the README
         // we actually want to run the analysis on the merge commit
         // to produce results that are more inline with expectations
@@ -222,6 +227,7 @@ export function validateWorkflow(doc: Workflow): CodedError[] {
         // and avoid some race conditions
         if (step?.run === "git checkout HEAD^2") {
           errors.push(WorkflowErrors.CheckoutWrongHead);
+          break;
         }
       }
     }