robojerk/codeql-action

Warn when workflow analyzes the same language twice

Browse source
This commit is contained in:
Henry Mercer 2023-09-22 14:54:03 +01:00
parent 01b8760f90
commit d0c18ba23e
9 changed files with 576 additions and 281 deletions
Download patch file Download diff file Expand all files Collapse all files

231
lib/workflow.test.js generated
View file

@ -28,119 +28,114 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
Object.defineProperty(exports, "__esModule", { value: true });
const ava_1 = __importDefault(require("ava"));
const yaml = __importStar(require("js-yaml"));
const sinon = __importStar(require("sinon"));
const codeql_1 = require("./codeql");
const testing_utils_1 = require("./testing-utils");
const workflow_1 = require("./workflow");
function errorCodes(actual, expected) {
return [actual.map(({ code }) => code), expected.map(({ code }) => code)];
}
(0, testing_utils_1.setupTests)(ava_1.default);
(0, ava_1.default)("getWorkflowErrors() when on is empty", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({ on: {} });
(0, ava_1.default)("getWorkflowErrors() when on is empty", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)({ on: {} }, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when on.push is an array missing pull_request", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({ on: ["push"] });
(0, ava_1.default)("getWorkflowErrors() when on.push is an array missing pull_request", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)({ on: ["push"] }, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when on.push is an array missing push", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({ on: ["pull_request"] });
(0, ava_1.default)("getWorkflowErrors() when on.push is an array missing push", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)({ on: ["pull_request"] }, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [workflow_1.WorkflowErrors.MissingPushHook]));
});
(0, ava_1.default)("getWorkflowErrors() when on.push is valid", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({
(0, ava_1.default)("getWorkflowErrors() when on.push is valid", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)({
on: ["push", "pull_request"],
});
}, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when on.push is a valid superset", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({
(0, ava_1.default)("getWorkflowErrors() when on.push is a valid superset", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)({
on: ["push", "pull_request", "schedule"],
});
}, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when on.push is a correct object", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({
on: { push: { branches: ["main"] }, pull_request: { branches: ["main"] } },
});
(0, ava_1.default)("getWorkflowErrors() when on.push is a correct object", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)({
on: {
push: { branches: ["main"] },
pull_request: { branches: ["main"] },
},
}, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when on.pull_requests is a string and correct", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({
(0, ava_1.default)("getWorkflowErrors() when on.pull_requests is a string and correct", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)({
on: { push: { branches: "*" }, pull_request: { branches: "*" } },
});
}, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when on.push is correct with empty objects", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)(yaml.load(`
(0, ava_1.default)("getWorkflowErrors() when on.push is correct with empty objects", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
on:
push:
pull_request:
`));
`), await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when on.push is not mismatched", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({
(0, ava_1.default)("getWorkflowErrors() when on.push is not mismatched", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)({
on: {
push: { branches: ["main", "feature"] },
pull_request: { branches: ["main"] },
},
});
}, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() for a range of malformed workflows", (t) => {
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)({
(0, ava_1.default)("getWorkflowErrors() for a range of malformed workflows", async (t) => {
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: {
push: 1,
pull_request: 1,
},
}), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)({
}, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1,
}), []));
t.deepEqual(...errorCodes(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
(0, workflow_1.getWorkflowErrors)({
}, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1,
jobs: 1,
}), []));
t.deepEqual(...errorCodes(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
(0, workflow_1.getWorkflowErrors)({
}, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1,
jobs: [1],
}), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)({
}, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1,
jobs: { 1: 1 },
}), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)({
}, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1,
jobs: { test: 1 },
}), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)({
}, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1,
jobs: { test: [1] },
}), []));
t.deepEqual(...errorCodes(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
(0, workflow_1.getWorkflowErrors)({
}, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1,
jobs: { test: { steps: 1 } },
}), []));
t.deepEqual(...errorCodes(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
(0, workflow_1.getWorkflowErrors)({
}, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1,
jobs: { test: { steps: [{ notrun: "git checkout HEAD^2" }] } },
}), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)({
}, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: 1,
jobs: { test: [undefined] },
}), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)(1), []));
t.deepEqual(...errorCodes(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
(0, workflow_1.getWorkflowErrors)({
}, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)(1, await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)({
on: {
push: {
branches: 1,
@ -149,25 +144,77 @@ function errorCodes(actual, expected) {
branches: 1,
},
},
}), []));
}, await (0, codeql_1.getCodeQLForTesting)()), []));
});
(0, ava_1.default)("getWorkflowErrors() when on.pull_request for wildcard branches", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({
(0, ava_1.default)("getWorkflowErrors() when on.pull_request for wildcard branches", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)({
on: {
push: { branches: ["feature/*"] },
pull_request: { branches: "feature/moose" },
},
});
}, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when HEAD^2 is checked out", (t) => {
(0, ava_1.default)("getWorkflowErrors() when HEAD^2 is checked out", async (t) => {
process.env.GITHUB_JOB = "test";
const errors = (0, workflow_1.getWorkflowErrors)({
const errors = await (0, workflow_1.getWorkflowErrors)({
on: ["push", "pull_request"],
jobs: { test: { steps: [{ run: "git checkout HEAD^2" }] } },
});
}, await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [workflow_1.WorkflowErrors.CheckoutWrongHead]));
});
(0, ava_1.default)("getWorkflowErrors() for workflow with language name and its alias", async (t) => {
await testLanguageAliases(t, ["java", "kotlin"], "java", ["java-kotlin", "kotlin"], [
"CodeQL language 'java' is referenced by more than one entry in the 'language' matrix " +
"parameter for job 'test'. This may result in duplicate alerts. Please edit the 'language' " +
"matrix parameter to keep only one of the following: 'java', 'kotlin'.",
]);
});
(0, ava_1.default)("getWorkflowErrors() for workflow with two aliases same language", async (t) => {
await testLanguageAliases(t, ["java-kotlin", "kotlin"], "java", ["java-kotlin", "kotlin"], [
"CodeQL language 'java' is referenced by more than one entry in the 'language' matrix " +
"parameter for job 'test'. This may result in duplicate alerts. Please edit the 'language' " +
"matrix parameter to keep only one of the following: 'java-kotlin', 'kotlin'.",
]);
});
(0, ava_1.default)("getWorkflowErrors() does not produce error if codeql doesn't support language aliases", async (t) => {
await testLanguageAliases(t, ["java-kotlin", "kotlin"], "java", undefined, []);
});
async function testLanguageAliases(t, matrixLanguages, languageName, aliases, expectedErrorMessages) {
process.env.GITHUB_JOB = "test";
const codeql = await (0, codeql_1.getCodeQLForTesting)();
sinon.stub(codeql, "betterResolveLanguages").resolves({
aliases: aliases !== undefined
? Object.assign({}, ...aliases.map((alias) => ({ [alias]: languageName })))
: undefined,
extractors: {
java: [
{
extractor_root: "",
},
],
},
});
const errors = await (0, workflow_1.getWorkflowErrors)({
on: ["push", "pull_request"],
jobs: {
test: {
strategy: {
matrix: {
language: matrixLanguages,
},
},
steps: [
{ uses: "actions/checkout@v2" },
{ uses: "github/codeql-action/init@v2" },
{ uses: "github/codeql-action/analyze@v2" },
],
},
},
}, codeql);
t.is(errors.length, expectedErrorMessages.length);
t.deepEqual(errors.map((e) => e.message), expectedErrorMessages);
}
(0, ava_1.default)("formatWorkflowErrors() when there is one error", (t) => {
const message = (0, workflow_1.formatWorkflowErrors)([workflow_1.WorkflowErrors.CheckoutWrongHead]);
t.true(message.startsWith("1 issue was detected with this workflow:"));
@ -213,19 +260,19 @@ function errorCodes(actual, expected) {
t.true((0, workflow_1.patternIsSuperset)("/robin/*/release/*", "/robin/moose/release/goose"));
t.false((0, workflow_1.patternIsSuperset)("/robin/moose/release/goose", "/robin/*/release/*"));
});
(0, ava_1.default)("getWorkflowErrors() when branches contain dots", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)(yaml.load(`
(0, ava_1.default)("getWorkflowErrors() when branches contain dots", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
on:
push:
branches: [4.1, master]
pull_request:
# The branches below must be a subset of the branches above
branches: [4.1, master]
`));
`), await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when on.push has a trailing comma", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)(yaml.load(`
(0, ava_1.default)("getWorkflowErrors() when on.push has a trailing comma", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL"
on:
push:
@ -233,12 +280,12 @@ function errorCodes(actual, expected) {
pull_request:
# The branches below must be a subset of the branches above
branches: [master]
`));
`), await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() should only report the current job's CheckoutWrongHead", (t) => {
(0, ava_1.default)("getWorkflowErrors() should only report the current job's CheckoutWrongHead", async (t) => {
process.env.GITHUB_JOB = "test";
const errors = (0, workflow_1.getWorkflowErrors)(yaml.load(`
const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL"
on:
push:
@ -257,12 +304,12 @@ function errorCodes(actual, expected) {
test3:
steps: []
`));
`), await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, [workflow_1.WorkflowErrors.CheckoutWrongHead]));
});
(0, ava_1.default)("getWorkflowErrors() should not report a different job's CheckoutWrongHead", (t) => {
(0, ava_1.default)("getWorkflowErrors() should not report a different job's CheckoutWrongHead", async (t) => {
process.env.GITHUB_JOB = "test3";
const errors = (0, workflow_1.getWorkflowErrors)(yaml.load(`
const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL"
on:
push:
@ -281,41 +328,41 @@ function errorCodes(actual, expected) {
test3:
steps: []
`));
`), await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when on is missing", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)(yaml.load(`
(0, ava_1.default)("getWorkflowErrors() when on is missing", async (t) => {
const errors = await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL"
`));
`), await (0, codeql_1.getCodeQLForTesting)());
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() with a different on setup", (t) => {
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)(yaml.load(`
(0, ava_1.default)("getWorkflowErrors() with a different on setup", async (t) => {
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL"
on: "workflow_dispatch"
`)), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)(yaml.load(`
`), await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL"
on: [workflow_dispatch]
`)), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)(yaml.load(`
`), await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL"
on:
workflow_dispatch: {}
`)), []));
`), await (0, codeql_1.getCodeQLForTesting)()), []));
});
(0, ava_1.default)("getWorkflowErrors() should not report an error if PRs are totally unconfigured", (t) => {
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)(yaml.load(`
(0, ava_1.default)("getWorkflowErrors() should not report an error if PRs are totally unconfigured", async (t) => {
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL"
on:
push:
branches: [master]
`)), []));
t.deepEqual(...errorCodes((0, workflow_1.getWorkflowErrors)(yaml.load(`
`), await (0, codeql_1.getCodeQLForTesting)()), []));
t.deepEqual(...errorCodes(await (0, workflow_1.getWorkflowErrors)(yaml.load(`
name: "CodeQL"
on: ["push"]
`)), []));
`), await (0, codeql_1.getCodeQLForTesting)()), []));
});
(0, ava_1.default)("getCategoryInputOrThrow returns category for simple workflow with category", (t) => {
process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";