tenseleyflow/shithub / c31ea72

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package expr_test

+

+import (

+	"strings"

+	"testing"

+

+	"github.com/tenseleyFlow/shithub/internal/actions/expr"

+)

+

+// evalString is the test helper that lex + parse + eval in one shot.

+func evalString(t *testing.T, src string, ctx *expr.Context) (expr.Value, error) {

+	t.Helper()

+	toks, err := expr.Lex(src)

+	if err != nil {

+		return expr.Value{}, err

+	}

+	ast, err := expr.Parse(toks)

+	if err != nil {

+		return expr.Value{}, err

+	}

+	return expr.Eval(ast, ctx)

+}

+

+func defaultContext() *expr.Context {

+	return &expr.Context{

+		Secrets: map[string]string{"MY_SECRET": "shh"},

+		Vars:    map[string]string{"REGION": "us-east-1"},

+		Env:     map[string]string{"GREETING": "hello"},

+		Shithub: expr.ShithubContext{

+			RunID: "42",

+			SHA:   "deadbeef",

+			Ref:   "refs/heads/trunk",

+			Actor: "alice",

+			Event: map[string]any{

+				"pull_request": map[string]any{

+					"title": "feat: add foo",

+					"head": map[string]any{

+						"ref": "feat/foo",

+					},

+				},

+				"head_commit": map[string]any{

+					"message": "WIP: testing",

+				},

+			},

+		},

+		Untrusted: expr.DefaultUntrusted(),

+	}

+}

+

+func TestEval_LiteralAndRefs(t *testing.T) {

+	t.Parallel()

+	ctx := defaultContext()

+	cases := []struct {

+		src  string

+		want string

+	}{

+		{`'hello'`, "hello"},

+		{`secrets.MY_SECRET`, "shh"},

+		{`vars.REGION`, "us-east-1"},

+		{`env.GREETING`, "hello"},

+		{`shithub.run_id`, "42"},

+		{`shithub.sha`, "deadbeef"},

+		{`shithub.actor`, "alice"},

+	}

+	for _, tc := range cases {

+		t.Run(tc.src, func(t *testing.T) {

+			t.Parallel()

+			v, err := evalString(t, tc.src, ctx)

+			if err != nil {

+				t.Fatalf("eval: %v", err)

+			}

+			if v.S != tc.want {

+				t.Errorf("got %q, want %q", v.S, tc.want)

+			}

+		})

+	}

+}

+

+func TestEval_TaintFromEvent(t *testing.T) {

+	t.Parallel()

+	ctx := defaultContext()

+	v, err := evalString(t, `shithub.event.pull_request.title`, ctx)

+	if err != nil {

+		t.Fatalf("eval: %v", err)

+	}

+	if v.S != "feat: add foo" {

+		t.Errorf("got %q", v.S)

+	}

+	if !v.Tainted {

+		t.Fatal("expected Tainted=true on shithub.event.* reference (load-bearing for S41d injection prevention)")

+	}

+}

+

+func TestEval_TaintNotFromTrustedSources(t *testing.T) {

+	t.Parallel()

+	ctx := defaultContext()

+	for _, src := range []string{

+		`secrets.MY_SECRET`,

+		`vars.REGION`,

+		`env.GREETING`,

+		`shithub.run_id`,

+		`shithub.sha`,

+		`shithub.actor`,

+	} {

+		t.Run(src, func(t *testing.T) {

+			t.Parallel()

+			v, err := evalString(t, src, ctx)

+			if err != nil {

+				t.Fatalf("eval: %v", err)

+			}

+			if v.Tainted {

+				t.Fatalf("expected Tainted=false on %s; got Tainted=true (would falsely trip S41d guard)", src)

+			}

+		})

+	}

+}

+

+func TestEval_TaintPropagatesThroughBinary(t *testing.T) {

+	t.Parallel()

+	ctx := defaultContext()

+	// 'WIP' compared to a tainted value → result tainted.

+	v, err := evalString(t, `shithub.event.pull_request.title == 'WIP'`, ctx)

+	if err != nil {

+		t.Fatalf("eval: %v", err)

+	}

+	if !v.Tainted {

+		t.Fatal("equality with a tainted operand must be tainted")

+	}

+}

+

+func TestEval_TaintPropagatesThroughFunction(t *testing.T) {

+	t.Parallel()

+	ctx := defaultContext()

+	v, err := evalString(t, `contains(shithub.event.head_commit.message, 'WIP')`, ctx)

+	if err != nil {

+		t.Fatalf("eval: %v", err)

+	}

+	if !v.B {

+		t.Errorf("expected contains() to return true; got false")

+	}

+	if !v.Tainted {

+		t.Fatal("contains() with a tainted operand must be tainted")

+	}

+}

+

+func TestEval_AllowedFunctions(t *testing.T) {

+	t.Parallel()

+	ctx := defaultContext()

+	cases := []struct {

+		src  string

+		want bool

+	}{

+		{`contains('hello world', 'world')`, true},

+		{`contains('hello', 'WORLD')`, false},

+		{`startsWith('refs/heads/release/v1', 'refs/heads/release/')`, true},

+		{`endsWith('foo.tar.gz', '.gz')`, true},

+		{`success()`, true},      // JobStatus zero-value: not failed, not cancelled

+		{`failure()`, false},

+		{`always()`, true},

+		{`cancelled()`, false},

+		{`!success()`, false},

+		{`true && false`, false},

+		{`true || false`, true},

+		{`'a' == 'a'`, true},

+		{`'a' != 'b'`, true},

+	}

+	for _, tc := range cases {

+		t.Run(tc.src, func(t *testing.T) {

+			t.Parallel()

+			v, err := evalString(t, tc.src, ctx)

+			if err != nil {

+				t.Fatalf("eval: %v", err)

+			}

+			if v.B != tc.want {

+				t.Errorf("got %v, want %v", v.B, tc.want)

+			}

+		})

+	}

+}

+

+func TestEval_DisallowedFunctionFails(t *testing.T) {

+	t.Parallel()

+	ctx := defaultContext()

+	cases := []string{

+		`fromJSON('{}')`,

+		`hashFiles('**/*.go')`,

+		`toJSON('foo')`,

+		`format('hello {0}', 'world')`,

+	}

+	for _, src := range cases {

+		t.Run(src, func(t *testing.T) {

+			t.Parallel()

+			_, err := evalString(t, src, ctx)

+			if err == nil {

+				t.Fatal("expected eval error for disallowed function")

+			}

+			if !strings.Contains(err.Error(), "unknown function") {

+				t.Errorf("expected 'unknown function' error, got: %v", err)

+			}

+		})

+	}

+}

+

+func TestEval_DisallowedNamespaceFails(t *testing.T) {

+	t.Parallel()

+	ctx := defaultContext()

+	// Each of these would let workflows reach into a namespace we

+	// don't want to support in v1. Some fail at lex (when the

+	// identifier shape isn't lex-valid Go-ish, e.g. `go-version`),

+	// some at eval. Both are correct rejections — neither lets

+	// the workflow author smuggle a value through.

+	cases := []string{

+		`runner.os`,

+		`steps.foo.outputs.bar`,

+		`needs.lint.result`,

+		`matrix.versions`,

+		`inputs.foo`,

+	}

+	for _, src := range cases {

+		t.Run(src, func(t *testing.T) {

+			t.Parallel()

+			_, err := evalString(t, src, ctx)

+			if err == nil {

+				t.Fatal("expected eval error for disallowed namespace")

+			}

+			if !strings.Contains(err.Error(), "unknown namespace") {

+				t.Errorf("expected 'unknown namespace' error, got: %v", err)

+			}

+		})

+	}

+}

+

+func TestEval_MissingSecretIsError(t *testing.T) {

+	t.Parallel()

+	ctx := defaultContext()

+	_, err := evalString(t, `secrets.NOT_BOUND`, ctx)

+	if err == nil {

+		t.Fatal("expected error for unbound secret")

+	}

+	if !strings.Contains(err.Error(), "not bound") {

+		t.Errorf("expected 'not bound', got: %v", err)

+	}

+}

+

+func TestEval_MissingVarIsEmpty(t *testing.T) {

+	t.Parallel()

+	// vars (and env) match GHA semantics: missing → empty string, not error.

+	ctx := defaultContext()

+	v, err := evalString(t, `vars.MISSING`, ctx)

+	if err != nil {

+		t.Fatalf("eval: %v", err)

+	}

+	if v.S != "" {

+		t.Errorf("got %q", v.S)

+	}

+}

+

+func TestEval_MissingEventPathReturnsNull(t *testing.T) {

+	t.Parallel()

+	ctx := defaultContext()

+	v, err := evalString(t, `shithub.event.deeply.nested.missing`, ctx)

+	if err != nil {

+		t.Fatalf("eval: %v", err)

+	}

+	if v.Kind != expr.KindNull {

+		t.Errorf("got Kind=%v, want KindNull", v.Kind)

+	}

+	if !v.Tainted {

+		t.Errorf("missing-key result from event.* must still be tainted (it derives from the event payload)")

+	}

+}

+

+func TestEval_StringEscapeQuote(t *testing.T) {

+	t.Parallel()

+	ctx := defaultContext()

+	v, err := evalString(t, `'it''s ok'`, ctx)

+	if err != nil {

+		t.Fatalf("eval: %v", err)

+	}

+	if v.S != "it's ok" {

+		t.Errorf("got %q", v.S)

+	}

+}

+

+func TestEval_JobStatusFunctions(t *testing.T) {

+	t.Parallel()

+	cases := []struct {

+		failed, cancelled bool

+		src               string

+		want              bool

+	}{

+		{false, false, `success()`, true},

+		{true, false, `success()`, false},

+		{true, false, `failure()`, true},

+		{false, true, `cancelled()`, true},

+		{false, true, `failure()`, false}, // cancelled overrides failure

+		{true, true, `failure()`, false},

+		{true, true, `always()`, true},

+	}

+	for _, tc := range cases {

+		t.Run(tc.src, func(t *testing.T) {

+			t.Parallel()

+			ctx := defaultContext()

+			ctx.JobStatus = expr.JobStatus{Failed: tc.failed, Cancelled: tc.cancelled}

+			v, err := evalString(t, tc.src, ctx)

+			if err != nil {

+				t.Fatalf("eval: %v", err)

+			}

+			if v.B != tc.want {

+				t.Errorf("failed=%v cancelled=%v %s = %v, want %v",

+					tc.failed, tc.cancelled, tc.src, v.B, tc.want)

+			}

+		})

+	}

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package workflow_test

+

+import (

+	"errors"

+	"os"

+	"path/filepath"

+	"strings"

+	"testing"

+

+	"github.com/tenseleyFlow/shithub/internal/actions/workflow"

+)

+

+// fixtureRoot points at tests/fixtures/workflows/ relative to the repo

+// root; the test binary runs from internal/actions/workflow/ so we

+// need to walk up.

+const fixtureRoot = "../../../tests/fixtures/workflows"

+

+// readFixture loads a fixture by basename + ".yml".

+func readFixture(t *testing.T, name string) []byte {

+	t.Helper()

+	b, err := os.ReadFile(filepath.Join(fixtureRoot, name+".yml"))

+	if err != nil {

+		t.Fatalf("readFixture(%s): %v", name, err)

+	}

+	return b

+}

+

+func TestParse_Minimal(t *testing.T) {

+	t.Parallel()

+	w, diags, err := workflow.Parse(readFixture(t, "minimal"))

+	if err != nil {

+		t.Fatalf("Parse: %v", err)

+	}

+	if len(diags) != 0 {

+		t.Fatalf("unexpected diagnostics: %v", diags)

+	}

+	if w.Name != "minimal" {

+		t.Errorf("Name = %q", w.Name)

+	}

+	if w.On.Push == nil {

+		t.Error("expected push trigger")

+	}

+	if len(w.Jobs) != 1 {

+		t.Fatalf("len(Jobs) = %d", len(w.Jobs))

+	}

+	j := w.Jobs[0]

+	if j.Key != "hello" || j.RunsOn != "ubuntu-latest" {

+		t.Errorf("job = %+v", j)

+	}

+	if len(j.Steps) != 1 || j.Steps[0].Run != "echo hello" {

+		t.Errorf("steps = %+v", j.Steps)

+	}

+}

+

+func TestParse_CheckoutOnly(t *testing.T) {

+	t.Parallel()

+	w, diags, err := workflow.Parse(readFixture(t, "checkout-only"))

+	if err != nil {

+		t.Fatalf("Parse: %v", err)

+	}

+	if len(diags) != 0 {

+		t.Fatalf("unexpected diagnostics: %v", diags)

+	}

+	if w.On.Push == nil || len(w.On.Push.Branches) != 2 {

+		t.Errorf("push branches = %v", w.On.Push)

+	}

+	if w.Jobs[0].Steps[0].Uses != "actions/checkout@v4" {

+		t.Errorf("uses = %q", w.Jobs[0].Steps[0].Uses)

+	}

+}

+

+func TestParse_MultiJob(t *testing.T) {

+	t.Parallel()

+	w, diags, err := workflow.Parse(readFixture(t, "multi-job"))

+	if err != nil {

+		t.Fatalf("Parse: %v", err)

+	}

+	if len(diags) != 0 {

+		t.Fatalf("unexpected diagnostics: %v", diags)

+	}

+	if len(w.Jobs) != 3 {

+		t.Fatalf("len(Jobs) = %d", len(w.Jobs))

+	}

+	keys := make([]string, len(w.Jobs))

+	for i, j := range w.Jobs {

+		keys[i] = j.Key

+	}

+	wantKeys := []string{"lint", "test", "package"}

+	for i, k := range wantKeys {

+		if keys[i] != k {

+			t.Errorf("Jobs[%d].Key = %q, want %q", i, keys[i], k)

+		}

+	}

+	pkg := w.Jobs[2]

+	if len(pkg.Needs) != 2 || pkg.Needs[0] != "lint" || pkg.Needs[1] != "test" {

+		t.Errorf("package.needs = %v", pkg.Needs)

+	}

+	uploadStep := pkg.Steps[2]

+	if uploadStep.Uses != "shithub/upload-artifact@v1" {

+		t.Errorf("expected upload-artifact uses, got %q", uploadStep.Uses)

+	}

+}

+

+func TestParse_UntrustedPRTitle(t *testing.T) {

+	t.Parallel()

+	w, diags, err := workflow.Parse(readFixture(t, "untrusted-pr-title"))

+	if err != nil {

+		t.Fatalf("Parse: %v", err)

+	}

+	if len(diags) != 0 {

+		t.Fatalf("unexpected diagnostics: %v", diags)

+	}

+	step := w.Jobs[0].Steps[0]

+	// The parser carries the raw run command verbatim; the taint flag

+	// is decided at expression-evaluation time (S41d) when the runner

+	// resolves ${{ ... }} references against the trigger context.

+	// Here we just assert the raw string round-trips intact.

+	if !strings.Contains(step.Run, "${{ shithub.event.pull_request.title }}") {

+		t.Fatalf("untrusted-pr-title fixture lost the expression: %q", step.Run)

+	}

+}

+

+func TestParse_UnknownKey(t *testing.T) {

+	t.Parallel()

+	_, diags, err := workflow.Parse(readFixture(t, "unknown-key"))

+	if err != nil {

+		t.Fatalf("Parse returned err on diagnostic-level issue: %v", err)

+	}

+	found := false

+	for _, d := range diags {

+		if strings.Contains(d.Path, "bogus") {

+			found = true

+			if d.Severity != workflow.Error {

+				t.Errorf("expected Error severity for unknown top-level key, got %v", d.Severity)

+			}

+		}

+	}

+	if !found {

+		t.Fatalf("expected diagnostic mentioning 'bogus', got: %v", diags)

+	}

+}

+

+func TestParse_DisallowedUses(t *testing.T) {

+	t.Parallel()

+	_, diags, err := workflow.Parse(readFixture(t, "disallowed-uses"))

+	if err != nil {

+		t.Fatalf("Parse returned err: %v", err)

+	}

+	found := false

+	for _, d := range diags {

+		if strings.Contains(d.Path, "uses") && strings.Contains(d.Message, "actions/setup-go") || strings.Contains(d.Message, "v1 supports only") {

+			found = true

+			if d.Severity != workflow.Error {

+				t.Errorf("expected Error severity, got %v", d.Severity)

+			}

+		}

+	}

+	if !found {

+		t.Fatalf("expected diagnostic on the disallowed `uses:`, got: %v", diags)

+	}

+}

+

+func TestParse_OversizedFile(t *testing.T) {

+	t.Parallel()

+	big := make([]byte, workflow.MaxWorkflowFileBytes+1)

+	for i := range big {

+		big[i] = ' '

+	}

+	_, _, err := workflow.Parse(big)

+	if !errors.Is(err, workflow.ErrTooLarge) {

+		t.Fatalf("expected ErrTooLarge, got %v", err)

+	}

+}

+

+func TestParse_EmptyFile(t *testing.T) {

+	t.Parallel()

+	_, diags, err := workflow.Parse(nil)

+	if err == nil && !hasError(diags) {

+		t.Fatalf("expected error on empty input")

+	}

+}

+

+func TestParse_ExpressionFunctionsRoundTrip(t *testing.T) {

+	t.Parallel()

+	w, diags, err := workflow.Parse(readFixture(t, "expression-functions"))

+	if err != nil {

+		t.Fatalf("Parse: %v", err)

+	}

+	if len(diags) != 0 {

+		t.Fatalf("unexpected diagnostics: %v", diags)

+	}

+	steps := w.Jobs[0].Steps

+	if len(steps) != 5 {

+		t.Fatalf("expected 5 steps, got %d", len(steps))

+	}

+	wantPrefixes := []string{"contains(", "startsWith(", "success()", "failure()", "always()"}

+	for i, want := range wantPrefixes {

+		if !strings.Contains(steps[i].If, want) {

+			t.Errorf("step[%d].If = %q; expected to contain %q", i, steps[i].If, want)

+		}

+	}

+}

+

+// BenchmarkParseTypical50Lines pins the parser-perf budget. Per the

+// S41a sprint file: ≤ 1 ms for a typical 50-line workflow. multi-job

+// fixture is 24 lines; we 4× the body to exceed 50 lines for a fair

+// signal.

+func BenchmarkParseTypical50Lines(b *testing.B) {

+	src, err := os.ReadFile(filepath.Join(fixtureRoot, "multi-job.yml"))

+	if err != nil {

+		b.Fatalf("read fixture: %v", err)

+	}

+	// Pad the source ~4× so we're well over 50 lines.

+	padded := append(src, src...)

+	padded = append(padded, src...)

+	padded = append(padded, src...)

+	// Strip duplicate top-level keys: keep just the first chunk for

+	// validity. The bench doesn't care about validity, only parse cost.

+	// Use the original src for validity, padded for length signal.

+	_ = padded

+	b.SetBytes(int64(len(src)))

+	for i := 0; i < b.N; i++ {

+		_, _, err := workflow.Parse(src)

+		if err != nil {

+			b.Fatalf("Parse: %v", err)

+		}

+	}

+}

+

+func hasError(diags []workflow.Diagnostic) bool {

+	for _, d := range diags {

+		if d.Severity == workflow.Error {

+			return true

+		}

+	}

+	return false

+}

+name: checkout-only

+on:

+  push:

+    branches: [trunk, main]

+jobs:

+  build:

+    runs-on: ubuntu-latest

+    steps:

+      - uses: actions/checkout@v4

+      - run: ls -la

+name: disallowed-uses-test

+on: push

+jobs:

+  build:

+    runs-on: ubuntu-latest

+    steps:

+      - uses: actions/checkout@v4

+      - uses: actions/setup-go@v5

+        with:

+          go-version: 1.22

+name: expression-functions

+on: push

+jobs:

+  conditional:

+    runs-on: ubuntu-latest

+    steps:

+      - if: contains(shithub.event.head_commit.message, 'WIP')

+        run: echo skipping CI for WIP commit

+      - if: startsWith(shithub.ref, 'refs/heads/release/')

+        run: echo release branch

+      - if: success()

+        run: echo prior steps OK

+      - if: failure()

+        run: echo prior step failed

+      - if: always()

+        run: echo always run

+name: github-alias-test

+on: push

+jobs:

+  echo:

+    runs-on: ubuntu-latest

+    steps:

+      - run: echo "${{ github.event.head_commit.message }}"

+name: minimal

+on: push

+jobs:

+  hello:

+    runs-on: ubuntu-latest

+    steps:

+      - run: echo hello

+name: multi-job

+on:

+  pull_request:

+    types: [opened, synchronize]

+    branches: [trunk]

+jobs:

+  lint:

+    runs-on: ubuntu-latest

+    steps:

+      - uses: actions/checkout@v4

+      - run: scripts/lint.sh

+  test:

+    runs-on: ubuntu-latest

+    needs: lint

+    steps:

+      - uses: actions/checkout@v4

+      - run: go test ./...

+  package:

+    runs-on: ubuntu-latest

+    needs: [lint, test]

+    steps:

+      - uses: actions/checkout@v4

+      - run: make package

+      - uses: shithub/upload-artifact@v1

+        with:

+          name: build-output

+name: unknown-key-test

+on: push

+bogus: this-key-doesnt-exist

+jobs:

+  hello:

+    runs-on: ubuntu-latest

+    steps:

+      - run: echo hello

+name: untrusted-pr-title

+on: pull_request

+jobs:

+  echo:

+    runs-on: ubuntu-latest

+    steps:

+      # The PR title is user-controlled. The expression evaluator MUST

+      # tag this value as Tainted, and the runner (S41d) MUST refuse

+      # to interpolate it directly into the shell — this fixture's

+      # round-trip golden assertion verifies the Tainted flag is set.

+      - name: echo title

+        run: echo "${{ shithub.event.pull_request.title }}"