tenseleyflow/shithub / 53d5a72

actions/workflow: drop unused Tainted field from Value (S41a-L5)

Pre-L5 workflow.Value had a Tainted bool field plus a Tainted()
constructor — both unused. The parser only ever called V() (which
zeroed Tainted) so the field was always false. Two different
structs in two different packages both named Value claimed to own
the taint contract; the architecture doc has always pointed at
expr.Value.Tainted as load-bearing.

Single source of truth now: workflow.Value carries Raw only;
expr.Value carries the taint flag. Constructor V() preserved with
trimmed signature (no Tainted to zero).

Authored by mfwolffe <wolffemf@dukes.jmu.edu>
SHA: 53d5a7285958c94cce92954a95ee0a468089f188
Parents: 42085bf
Tree: 6acb435

1 changed file

Status  File  +  -
M  internal/actions/workflow/types.go  18  17

internal/actions/workflow/types.go (modified)
@@ -201,27 +201,28 @@ type Step struct {
201201
 	ContinueOnError bool
202202
 }
203203
 
204
-// Value is a parsed value that may have come from a literal string,
205
-// a `${{ … }}` expression, or a mix. Tainted=true when the value
206
-// transitively depends on an untrusted source (event payload fields
207
-// the workflow author doesn't control). The runner refuses to
208
-// interpolate Tainted values into shell strings.
204
+// Value is a parsed value carried in the workflow tree (env entries,
205
+// `with:` inputs, concurrency-group expressions). At parse time we
206
+// only know the raw source string — the taint determination happens
207
+// at expression-evaluation time inside `internal/actions/expr` when
208
+// the runner resolves a reference against the trigger context. The
209
+// runner-side `expr.Value` carries the load-bearing `Tainted bool`.
209210
 //
210
-// Raw is the original source string — useful for diagnostics and for
211
-// the runner's input-binding logic.
211
+// Pre-L5 this struct also had a `Tainted bool` field plus a `Tainted()`
212
+// constructor — both unused (the parser only ever called `V()`). The
213
+// duplication confused readers because two different `Value` types
214
+// claimed to own the taint contract; the architecture doc has always
215
+// described `expr.Value.Tainted` as load-bearing. Single source of
216
+// truth now: this struct just carries `Raw`; taint lives in
217
+// `expr.Value.Tainted` exclusively.
212218
 type Value struct {
213219
 	Raw string
214
-	Tainted bool
215220
 }
216221
 
217
-// V is a tiny constructor for trusted (literal) values, used by the
218
-// parser when it knows the source is the workflow file itself.
219
-func V(raw string) Value { return Value{Raw: raw, Tainted: false} }
220
-
221
-// Tainted is the constructor for untrusted-source values. The
222
-// expression evaluator (internal/actions/expr) calls this when it
223
-// resolves a reference into the `shithub.event.*` namespace.
224
-func Tainted(raw string) Value { return Value{Raw: raw, Tainted: true} }
222
+// V wraps a raw source string into a parser-side Value. The parser
223
+// uses this when it carries a literal or expression body verbatim
224
+// from the YAML — taint resolution is a runtime concern.
225
+func V(raw string) Value { return Value{Raw: raw} }
225226
 
226227
 // Diagnostic is a parser finding. Severity controls whether parsing
227228
 // continues; Path is dot-notated for UI display ("jobs.test.steps[2].run").
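
Review bot: The rewritten doc comment on Value (new lines 204-217) loses the one sentence that said what the taint flag enforces, "The runner refuses to interpolate Tainted values into shell strings", and replaces it with "load-bearing" without stating the rule. Raw now carries a literal or expression body verbatim and the type has no trust signal at all, so a reader of this package could take Raw as safe to use directly. Consider adding a sentence here saying that Raw has to be resolved through internal/actions/expr before it reaches a shell string, and that the shell-interpolation refusal is keyed on expr.Value.Tainted. Separately, the "Pre-L5 this struct also had ..." paragraph (new lines 211-217) is change history that repeats the commit message; it describes what the type used to be rather than what it is, and would be better left to the commit log.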