robojerk/codeql-action

Add a function that can lint a CodeQL action workflow

Browse source
This commit is contained in:
Simon Engledew 2020-11-23 17:29:19 +00:00
parent b15854c9af
commit 7eb9dfcc60
No known key found for this signature in database
GPG key ID: 84302E7B02FE8BCE
6 changed files with 417 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

81
lib/actions-util.js generated
View file

@ -96,6 +96,87 @@ exports.getCommitOid = async function () {
return getRequiredEnvParam("GITHUB_SHA");
}
};
function isObject(o) {
return o !== null && typeof o === "object";
}
var MissingTriggers;
(function (MissingTriggers) {
MissingTriggers[MissingTriggers["NONE"] = 0] = "NONE";
MissingTriggers[MissingTriggers["PUSH"] = 1] = "PUSH";
MissingTriggers[MissingTriggers["PULL_REQUEST"] = 2] = "PULL_REQUEST";
})(MissingTriggers || (MissingTriggers = {}));
function validateWorkflow(doc) {
var _a, _b, _c, _d;
const errors = [];
// .jobs[key].steps[].run
for (const job of Object.values(((_a = doc) === null || _a === void 0 ? void 0 : _a.jobs) || {})) {
for (const step of ((_b = job) === null || _b === void 0 ? void 0 : _b.steps) || []) {
if (((_c = step) === null || _c === void 0 ? void 0 : _c.run) === "git checkout HEAD^2") {
errors.push(`Git checkout HEAD^2 is no longer necessary. Please remove this line from your workflow.`);
}
}
}
let missing = MissingTriggers.NONE;
if (doc.on === undefined) {
missing = MissingTriggers.PUSH | MissingTriggers.PULL_REQUEST;
}
else if (typeof doc.on === "string") {
switch (doc.on) {
case "push":
missing = MissingTriggers.PULL_REQUEST;
break;
case "pull_request":
missing = MissingTriggers.PUSH;
break;
default:
missing = MissingTriggers.PUSH | MissingTriggers.PULL_REQUEST;
break;
}
}
else if (Array.isArray(doc.on)) {
if (!doc.on.includes("push")) {
missing = missing | MissingTriggers.PUSH;
}
if (!doc.on.includes("pull_request")) {
missing = missing | MissingTriggers.PULL_REQUEST;
}
}
else if (isObject(doc.on)) {
if (!Object.prototype.hasOwnProperty.call(doc.on, "pull_request")) {
missing = missing | MissingTriggers.PULL_REQUEST;
}
if (!Object.prototype.hasOwnProperty.call(doc.on, "push")) {
missing = missing | MissingTriggers.PUSH;
}
else {
const paths = (_d = doc.on.push) === null || _d === void 0 ? void 0 : _d.paths;
if (Array.isArray(paths) && paths.length > 0) {
errors.push("Please do not specify paths at on.pull.");
}
}
if (doc.on.pull_request !== undefined && doc.on.push !== undefined) {
const push = doc.on.push.branches || [];
const pull_request = doc.on.pull_request.branches || [];
const intersects = pull_request.filter((value) => !push.includes(value));
if (intersects.length > 0) {
errors.push("Please make sure that any branches in on.pull_request: are also in on.push: so that CodeQL can establish a baseline.");
}
}
}
switch (missing) {
case MissingTriggers.PULL_REQUEST | MissingTriggers.PUSH:
errors.push("Please specify on.push and on.pull_request hooks.");
break;
case MissingTriggers.PULL_REQUEST:
errors.push("Please specify an on.pull_request hook so CodeQL is run against new pull requests.");
break;
case MissingTriggers.PUSH:
errors.push("Please specify an on.push hook so CodeQL can establish a baseline.");
break;
}
return errors;
}
exports.validateWorkflow = validateWorkflow;
/**
* Get the path of the currently executing workflow.
*/

2
lib/actions-util.js.map
View file

File diff suppressed because one or more lines are too long

95
lib/actions-util.test.js generated
View file

@ -68,4 +68,99 @@ ava_1.default("prepareEnvironment() when a local run", (t) => {
t.deepEqual(process.env.GITHUB_JOB, "UNKNOWN-JOB");
t.deepEqual(process.env.CODEQL_ACTION_ANALYSIS_KEY, "LOCAL-RUN:UNKNOWN-JOB");
});
ava_1.default("validateWorkflow() when on is missing", (t) => {
const errors = actionsutil.validateWorkflow({});
t.deepEqual(errors, ["Please specify on.push and on.pull_request hooks."]);
});
ava_1.default("validateWorkflow() when on.push is missing", (t) => {
const errors = actionsutil.validateWorkflow({ on: {} });
console.log(errors);
t.deepEqual(errors, ["Please specify on.push and on.pull_request hooks."]);
});
ava_1.default("validateWorkflow() when on.push is an array missing pull_request", (t) => {
const errors = actionsutil.validateWorkflow({ on: ["push"] });
t.deepEqual(errors, [
"Please specify an on.pull_request hook so CodeQL is run against new pull requests.",
]);
});
ava_1.default("validateWorkflow() when on.push is an array missing push", (t) => {
const errors = actionsutil.validateWorkflow({ on: ["pull_request"] });
t.deepEqual(errors, [
"Please specify an on.push hook so CodeQL can establish a baseline.",
]);
});
ava_1.default("validateWorkflow() when on.push is valid", (t) => {
const errors = actionsutil.validateWorkflow({
on: ["push", "pull_request"],
});
t.deepEqual(errors.length, 0);
});
ava_1.default("validateWorkflow() when on.push is a valid superset", (t) => {
const errors = actionsutil.validateWorkflow({
on: ["push", "pull_request", "schedule"],
});
t.deepEqual(errors.length, 0);
});
ava_1.default("validateWorkflow() when on.push should not have a path", (t) => {
const errors = actionsutil.validateWorkflow({
on: {
push: { branches: ["main"], paths: ["test/*"] },
pull_request: { branches: ["main"] },
},
});
t.deepEqual(errors, ["Please do not specify paths at on.pull."]);
});
ava_1.default("validateWorkflow() when on.push is a correct object", (t) => {
const errors = actionsutil.validateWorkflow({
on: { push: { branches: ["main"] }, pull_request: { branches: ["main"] } },
});
t.deepEqual(errors.length, 0);
});
ava_1.default("validateWorkflow() when on.push is correct with empty objects", (t) => {
const errors = actionsutil.validateWorkflow({
on: { push: undefined, pull_request: undefined },
});
console.log(errors);
t.deepEqual(errors.length, 0);
});
ava_1.default("validateWorkflow() when on.push is mismatched", (t) => {
const errors = actionsutil.validateWorkflow({
on: {
push: { branches: ["main"] },
pull_request: { branches: ["feature"] },
},
});
t.deepEqual(errors, [
"Please make sure that any branches in on.pull_request: are also in on.push: so that CodeQL can establish a baseline.",
]);
});
ava_1.default("validateWorkflow() when on.push is not mismatched", (t) => {
const errors = actionsutil.validateWorkflow({
on: {
push: { branches: ["main", "feature"] },
pull_request: { branches: ["main"] },
},
});
t.deepEqual(errors.length, 0);
});
ava_1.default("validateWorkflow() when on.push is mismatched for pull_request", (t) => {
const errors = actionsutil.validateWorkflow({
on: {
push: { branches: ["main"] },
pull_request: { branches: ["main", "feature"] },
},
});
t.deepEqual(errors, [
"Please make sure that any branches in on.pull_request: are also in on.push: so that CodeQL can establish a baseline.",
]);
});
ava_1.default("validateWorkflow() when HEAD^2 is checked out", (t) => {
const errors = actionsutil.validateWorkflow({
on: ["push", "pull_request"],
jobs: { test: { steps: [{ run: "git checkout HEAD^2" }] } },
});
t.deepEqual(errors, [
"Git checkout HEAD^2 is no longer necessary. Please remove this line from your workflow.",
]);
});
//# sourceMappingURL=actions-util.test.js.map

2
lib/actions-util.test.js.map
View file

File diff suppressed because one or more lines are too long

123
src/actions-util.test.ts
View file

@ -81,3 +81,126 @@ test("prepareEnvironment() when a local run", (t) => {
t.deepEqual(process.env.GITHUB_JOB, "UNKNOWN-JOB");
t.deepEqual(process.env.CODEQL_ACTION_ANALYSIS_KEY, "LOCAL-RUN:UNKNOWN-JOB");
});
test("validateWorkflow() when on is missing", (t) => {
const errors = actionsutil.validateWorkflow({});
t.deepEqual(errors, ["Please specify on.push and on.pull_request hooks."]);
});
test("validateWorkflow() when on.push is missing", (t) => {
const errors = actionsutil.validateWorkflow({ on: {} });
console.log(errors);
t.deepEqual(errors, ["Please specify on.push and on.pull_request hooks."]);
});
test("validateWorkflow() when on.push is an array missing pull_request", (t) => {
const errors = actionsutil.validateWorkflow({ on: ["push"] });
t.deepEqual(errors, [
"Please specify an on.pull_request hook so CodeQL is run against new pull requests.",
]);
});
test("validateWorkflow() when on.push is an array missing push", (t) => {
const errors = actionsutil.validateWorkflow({ on: ["pull_request"] });
t.deepEqual(errors, [
"Please specify an on.push hook so CodeQL can establish a baseline.",
]);
});
test("validateWorkflow() when on.push is valid", (t) => {
const errors = actionsutil.validateWorkflow({
on: ["push", "pull_request"],
});
t.deepEqual(errors.length, 0);
});
test("validateWorkflow() when on.push is a valid superset", (t) => {
const errors = actionsutil.validateWorkflow({
on: ["push", "pull_request", "schedule"],
});
t.deepEqual(errors.length, 0);
});
test("validateWorkflow() when on.push should not have a path", (t) => {
const errors = actionsutil.validateWorkflow({
on: {
push: { branches: ["main"], paths: ["test/*"] },
pull_request: { branches: ["main"] },
},
});
t.deepEqual(errors, ["Please do not specify paths at on.pull."]);
});
test("validateWorkflow() when on.push is a correct object", (t) => {
const errors = actionsutil.validateWorkflow({
on: { push: { branches: ["main"] }, pull_request: { branches: ["main"] } },
});
t.deepEqual(errors.length, 0);
});
test("validateWorkflow() when on.push is correct with empty objects", (t) => {
const errors = actionsutil.validateWorkflow({
on: { push: undefined, pull_request: undefined },
});
console.log(errors);
t.deepEqual(errors.length, 0);
});
test("validateWorkflow() when on.push is mismatched", (t) => {
const errors = actionsutil.validateWorkflow({
on: {
push: { branches: ["main"] },
pull_request: { branches: ["feature"] },
},
});
t.deepEqual(errors, [
"Please make sure that any branches in on.pull_request: are also in on.push: so that CodeQL can establish a baseline.",
]);
});
test("validateWorkflow() when on.push is not mismatched", (t) => {
const errors = actionsutil.validateWorkflow({
on: {
push: { branches: ["main", "feature"] },
pull_request: { branches: ["main"] },
},
});
t.deepEqual(errors.length, 0);
});
test("validateWorkflow() when on.push is mismatched for pull_request", (t) => {
const errors = actionsutil.validateWorkflow({
on: {
push: { branches: ["main"] },
pull_request: { branches: ["main", "feature"] },
},
});
t.deepEqual(errors, [
"Please make sure that any branches in on.pull_request: are also in on.push: so that CodeQL can establish a baseline.",
]);
});
test("validateWorkflow() when HEAD^2 is checked out", (t) => {
const errors = actionsutil.validateWorkflow({
on: ["push", "pull_request"],
jobs: { test: { steps: [{ run: "git checkout HEAD^2" }] } },
});
t.deepEqual(errors, [
"Git checkout HEAD^2 is no longer necessary. Please remove this line from your workflow.",
]);
});

116
src/actions-util.ts
View file

@ -100,6 +100,122 @@ export const getCommitOid = async function (): Promise<string> {
}
};
interface WorkflowJobStep {
run: any;
}
interface WorkflowJob {
steps?: WorkflowJobStep[];
}
interface WorkflowTrigger {
branches?: string[];
paths?: string[];
}
interface WorkflowTriggers {
push?: WorkflowTrigger;
pull_request?: WorkflowTrigger;
}
interface Workflow {
jobs?: { [key: string]: WorkflowJob };
on?: string | string[] | WorkflowTriggers;
}
function isObject(o): o is object {
return o !== null && typeof o === "object";
}
enum MissingTriggers {
NONE = 0,
PUSH = 1,
PULL_REQUEST = 2,
}
export function validateWorkflow(doc: Workflow): string[] {
const errors: string[] = [];
// .jobs[key].steps[].run
for (const job of Object.values(doc?.jobs || {})) {
for (const step of job?.steps || []) {
if (step?.run === "git checkout HEAD^2") {
errors.push(
`Git checkout HEAD^2 is no longer necessary. Please remove this line from your workflow.`
);
}
}
}
let missing = MissingTriggers.NONE;
if (doc.on === undefined) {
missing = MissingTriggers.PUSH | MissingTriggers.PULL_REQUEST;
} else if (typeof doc.on === "string") {
switch (doc.on) {
case "push":
missing = MissingTriggers.PULL_REQUEST;
break;
case "pull_request":
missing = MissingTriggers.PUSH;
break;
default:
missing = MissingTriggers.PUSH | MissingTriggers.PULL_REQUEST;
break;
}
} else if (Array.isArray(doc.on)) {
if (!doc.on.includes("push")) {
missing = missing | MissingTriggers.PUSH;
}
if (!doc.on.includes("pull_request")) {
missing = missing | MissingTriggers.PULL_REQUEST;
}
} else if (isObject(doc.on)) {
if (!Object.prototype.hasOwnProperty.call(doc.on, "pull_request")) {
missing = missing | MissingTriggers.PULL_REQUEST;
}
if (!Object.prototype.hasOwnProperty.call(doc.on, "push")) {
missing = missing | MissingTriggers.PUSH;
} else {
const paths = doc.on.push?.paths;
if (Array.isArray(paths) && paths.length > 0) {
errors.push("Please do not specify paths at on.pull.");
}
}
if (doc.on.pull_request !== undefined && doc.on.push !== undefined) {
const push = doc.on.push.branches || [];
const pull_request = doc.on.pull_request.branches || [];
const intersects = pull_request.filter((value) => !push.includes(value));
if (intersects.length > 0) {
errors.push(
"Please make sure that any branches in on.pull_request: are also in on.push: so that CodeQL can establish a baseline."
);
}
}
}
switch (missing) {
case MissingTriggers.PULL_REQUEST | MissingTriggers.PUSH:
errors.push("Please specify on.push and on.pull_request hooks.");
break;
case MissingTriggers.PULL_REQUEST:
errors.push(
"Please specify an on.pull_request hook so CodeQL is run against new pull requests."
);
break;
case MissingTriggers.PUSH:
errors.push(
"Please specify an on.push hook so CodeQL can establish a baseline."
);
break;
}
return errors;
}
/**
* Get the path of the currently executing workflow.
*/